This is a reminder that I will close discussion on this tomorrow. On Mon, Jan 11, 2021 at 5:59 PM Ben Wilson <bwil...@mozilla.com> wrote:
> This is to announce the beginning of the public discussion phase of the > Mozilla root CA inclusion process for GlobalSign. > > See https://wiki.mozilla.org/CA/Application_Process#Process_Overview, > (Steps 4 through 9). > > GlobalSign has four (4) new roots to include in the root store. Two > roots, one RSA and another ECC, are to support server authentication > (Bugzilla Bug # 1570724 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1570724>) while two other > roots are for email authentication, RSA and ECC (Bugzilla Bug # 1637269 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1637269>). > > Mozilla is considering approving GlobalSign’s request(s). This email > begins the 3-week comment period, after which, if no concerns are raised, > we will close the discussion and the request may proceed to the approval > phase (Step 10). > > *A Summary of Information Gathered and Verified appears here in these two > CCADB cases:* > > > https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000469 > > > https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000596 > > *Root Certificate Information:* > > *GlobalSign Root R46 * > > crt.sh - > https://crt.sh/?q=4FA3126D8D3A11D1C4855A4F807CBAD6CF919D3A5A88B03BEA2C6372D93C40C9 > > Download - https://secure.globalsign.com/cacert/rootr46.crt > > *GlobalSign Root E46* > > crt.sh - > https://crt.sh/?q=CBB9C44D84B8043E1050EA31A69F514955D7BFD2E2C6B49301019AD61D9F5058 > > Download - https://secure.globalsign.com/cacert/roote46.crt > > *GlobalSign Secure Mail Root R45 * > > crt.sh - > https://crt.sh/?q=319AF0A7729E6F89269C131EA6A3A16FCD86389FDCAB3C47A4A675C161A3F974 > > Download - https://secure.globalsign.com/cacert/smimerootr45.crt > > *GlobalSign Secure Mail Root E45 * > > crt.sh - > https://crt.sh/?q=5CBF6FB81FD417EA4128CD6F8172A3C9402094F74AB2ED3A06B4405D04F30B19 > > Download - https://secure.globalsign.com/cacert/smimeroote45.crt > > > *CP/CPS:* > > https://www.globalsign.com/en/repository/GlobalSign_CPS_v9.6_final.pdf > > The current GlobalSign CPS is version 9.6, published 29-December-2020. > > Repository location: https://www.globalsign.com/en/repository > > *BR Self-Assessment* (Excel) is located here: > > https://bugzilla.mozilla.org/attachment.cgi?id=9082310 > > *Audits:* GlobalSign is audited annually in accordance with the WebTrust > criteria by Ernst & Young, Belgium, which found in June 2020 that > “throughout the period April 1, 2019 to March 31, 2020, GlobalSign > management’s assertion, as referred to above, is fairly stated, in all > material respects, in accordance with the WebTrust Principles and Criteria > for Certification Authorities - SSL Baseline with Network Security, Version > 2.3.” The WebTrust audit noted the following 13 Bugzilla incidents, > which had been previously reported as of that audit date: > > 1 Misissuance of QWAC certificates. > > 2 Issue with an OCSP responder status. > > 3 Some SSL certificates with US country code and invalid State/Prov have > been issued. > > 4 ICAs in CCADB, without EKU extension are listed in WTCA report but not > in WTBR report. > > 5 OCSP responders found to respond signed by the default CA when passed an > invalid issuer in request. > > 6 Wrong business category on 3 EV SSL certificates. > > 7 OCSP Responder returned invalid values for some precertificates. > > 8 Customer running an on-premise (technically-constrained) CA that chains > to a GlobalSign root, issued certificates without AIA extension. > > 9 Misissued 4 certificates with invalid CN. > > 10 Certificates with Subject Public Key Info lacking the explicit NULL > parameter. > > 11 Untimely revocation of TLS certificate after submission of private key > compromise. > > 12 Unable to revoke 2 noncompliant QWACs within 5 days. > > 13 Unable to revoke noncompliant ICA within 7 days > > > > *Incident Reports / Mis-Issuances * > > The following bugs/incidents remain open and are being worked on. > > 1667944 <https://bugzilla.mozilla.org/show_bug.cgi?id=1667944> > > Empty SingleExtension in OCSP responses > <https://bugzilla.mozilla.org/show_bug.cgi?id=1667944> > > 1651447 <https://bugzilla.mozilla.org/show_bug.cgi?id=1651447> > > Failure to revoke noncompliant ICA within 7 days > <https://bugzilla.mozilla.org/show_bug.cgi?id=1651447> > > 1591005 <https://bugzilla.mozilla.org/show_bug.cgi?id=1591005> > > ICAs in CCADB, without EKU extension are listed in WTCA report but not in > WTBR report <https://bugzilla.mozilla.org/show_bug.cgi?id=1591005> > > 1649937 <https://bugzilla.mozilla.org/show_bug.cgi?id=1649937> > > Incorrect OCSP Delegated Responder Certificate > <https://bugzilla.mozilla.org/show_bug.cgi?id=1649937> > > 1668007 <https://bugzilla.mozilla.org/show_bug.cgi?id=1668007> > > Invalid stateOrProvinceName value > <https://bugzilla.mozilla.org/show_bug.cgi?id=1668007> > > 1664328 <https://bugzilla.mozilla.org/show_bug.cgi?id=1664328> > > SHA-256 hash algorithm used with ECC P-384 key > <https://bugzilla.mozilla.org/show_bug.cgi?id=1664328> > > 1575880 <https://bugzilla.mozilla.org/show_bug.cgi?id=1575880> > > SSL Certificates with US country code and invalid State/Prov > <https://bugzilla.mozilla.org/show_bug.cgi?id=1575880> > > > > No misissuances were found under these roots, and the CA certificates > passed technical tests. > > Thus, this email begins a three-week public discussion period, which I’m > scheduling to close on or about Tuesday, 2-February-2021. > > > > Sincerely yours, > > Ben Wilson > > Mozilla Root Program > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy