On January 11, 2021, we began the public discussion period [Step 4 of the Mozilla Root Store CA Application Process <https://wiki.mozilla.org/CA/Application_Process>] for the above-referenced GlobalSign inclusion request.
*Summary of Discussion and Completion of Action Items [Steps 5-8]:*

Recently, Ryan Sleevi noted that GlobalSign is transitioning to a better Root CA hierarchy with single-purpose roots. This will lead to less risk due to fewer cross-dependencies from other uses of PKI. He also noted that GlobalSign has improved the quality of its incident reporting and remediation. I agree on both of these points. While GlobalSign currently has six matters open in Bugzilla, none of these should be a reason to delay approval of this inclusion request.

1591005 <https://bugzilla.mozilla.org/show_bug.cgi?id=1591005> – the relevant issuing CAs have been revoked (nearly closed, waiting on a final key destruction report)

1649937 <https://bugzilla.mozilla.org/show_bug.cgi?id=1649937> – Incorrect OCSP Delegated Responder Certificate issue – GlobalSign ceased including the OCSP signing EKU in any newly generated issuing CA (approximately 10 remaining issuing CAs affected by the issue are on schedule to be revoked)

1651447 <https://bugzilla.mozilla.org/show_bug.cgi?id=1651447> – Delayed CA revocation, per issue # 1649937 above (GlobalSign is switching over from old to newer infrastructure, as described in this and other bugs)

1664328 <https://bugzilla.mozilla.org/show_bug.cgi?id=1664328> – SHA-256 hash algorithm used with ECC P-384 key (almost closed, status update needed)

1667944 <https://bugzilla.mozilla.org/show_bug.cgi?id=1667944> – Empty SingleExtension in OCSP responses (migration to new OCSP responders nearly completed)

1668007 <https://bugzilla.mozilla.org/show_bug.cgi?id=1668007> – Country name in stateOrProvinceName field (almost closed, status update needed)

This is notice that I am closing public discussion [Step 9] and that it is Mozilla’s intent to approve GlobalSign's request for inclusion [Step 10]. This begins a 7-day “last call” period for any final objections.

Thanks,

Ben

On Mon, Feb 1, 2021 at 10:18 AM Ben Wilson <bwil...@mozilla.com> wrote:

> This is a reminder that I will close discussion on this tomorrow.
>
> On Mon, Jan 11, 2021 at 5:59 PM Ben Wilson <bwil...@mozilla.com> wrote:
>
>> This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process for GlobalSign.
>>
>> See https://wiki.mozilla.org/CA/Application_Process#Process_Overview (Steps 4 through 9).
>>
>> GlobalSign has four (4) new roots to include in the root store. Two roots, one RSA and another ECC, are to support server authentication (Bugzilla Bug # 1570724 <https://bugzilla.mozilla.org/show_bug.cgi?id=1570724>), while two other roots are for email authentication, RSA and ECC (Bugzilla Bug # 1637269 <https://bugzilla.mozilla.org/show_bug.cgi?id=1637269>).
>>
>> Mozilla is considering approving GlobalSign’s request(s). This email begins the 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).
>>
>> *A Summary of Information Gathered and Verified appears here in these two CCADB cases:*
>>
>> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000469
>>
>> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000596
>>
>> *Root Certificate Information:*
>>
>> *GlobalSign Root R46*
>>
>> crt.sh - https://crt.sh/?q=4FA3126D8D3A11D1C4855A4F807CBAD6CF919D3A5A88B03BEA2C6372D93C40C9
>>
>> Download - https://secure.globalsign.com/cacert/rootr46.crt
>>
>> *GlobalSign Root E46*
>>
>> crt.sh - https://crt.sh/?q=CBB9C44D84B8043E1050EA31A69F514955D7BFD2E2C6B49301019AD61D9F5058
>>
>> Download - https://secure.globalsign.com/cacert/roote46.crt
>>
>> *GlobalSign Secure Mail Root R45*
>>
>> crt.sh - https://crt.sh/?q=319AF0A7729E6F89269C131EA6A3A16FCD86389FDCAB3C47A4A675C161A3F974
>>
>> Download - https://secure.globalsign.com/cacert/smimerootr45.crt
>>
>> *GlobalSign Secure Mail Root E45*
>>
>> crt.sh - https://crt.sh/?q=5CBF6FB81FD417EA4128CD6F8172A3C9402094F74AB2ED3A06B4405D04F30B19
>>
>> Download - https://secure.globalsign.com/cacert/smimeroote45.crt
>>
>> *CP/CPS:*
>>
>> https://www.globalsign.com/en/repository/GlobalSign_CPS_v9.6_final.pdf
>>
>> The current GlobalSign CPS is version 9.6, published 29-December-2020.
>>
>> Repository location: https://www.globalsign.com/en/repository
>>
>> *BR Self-Assessment* (Excel) is located here: https://bugzilla.mozilla.org/attachment.cgi?id=9082310
>>
>> *Audits:* GlobalSign is audited annually in accordance with the WebTrust criteria by Ernst & Young, Belgium, which found in June 2020 that “throughout the period April 1, 2019 to March 31, 2020, GlobalSign management’s assertion, as referred to above, is fairly stated, in all material respects, in accordance with the WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security, Version 2.3.” The WebTrust audit noted the following 13 Bugzilla incidents, which had been previously reported as of that audit date:
>>
>> 1. Misissuance of QWAC certificates.
>>
>> 2. Issue with an OCSP responder status.
>>
>> 3. Some SSL certificates with US country code and invalid State/Prov have been issued.
>>
>> 4. ICAs in CCADB without EKU extension are listed in WTCA report but not in WTBR report.
>>
>> 5. OCSP responders found to respond signed by the default CA when passed an invalid issuer in request.
>>
>> 6. Wrong business category on 3 EV SSL certificates.
>>
>> 7. OCSP Responder returned invalid values for some precertificates.
>>
>> 8. Customer running an on-premise (technically-constrained) CA that chains to a GlobalSign root issued certificates without AIA extension.
>>
>> 9. Misissued 4 certificates with invalid CN.
>>
>> 10. Certificates with Subject Public Key Info lacking the explicit NULL parameter.
>>
>> 11. Untimely revocation of TLS certificate after submission of private key compromise.
>>
>> 12. Unable to revoke 2 noncompliant QWACs within 5 days.
>>
>> 13. Unable to revoke noncompliant ICA within 7 days.
>>
>> *Incident Reports / Mis-Issuances*
>>
>> The following bugs/incidents remain open and are being worked on.
>>
>> 1667944 – Empty SingleExtension in OCSP responses <https://bugzilla.mozilla.org/show_bug.cgi?id=1667944>
>>
>> 1651447 – Failure to revoke noncompliant ICA within 7 days <https://bugzilla.mozilla.org/show_bug.cgi?id=1651447>
>>
>> 1591005 – ICAs in CCADB without EKU extension are listed in WTCA report but not in WTBR report <https://bugzilla.mozilla.org/show_bug.cgi?id=1591005>
>>
>> 1649937 – Incorrect OCSP Delegated Responder Certificate <https://bugzilla.mozilla.org/show_bug.cgi?id=1649937>
>>
>> 1668007 – Invalid stateOrProvinceName value <https://bugzilla.mozilla.org/show_bug.cgi?id=1668007>
>>
>> 1664328 – SHA-256 hash algorithm used with ECC P-384 key <https://bugzilla.mozilla.org/show_bug.cgi?id=1664328>
>>
>> 1575880 – SSL Certificates with US country code and invalid State/Prov <https://bugzilla.mozilla.org/show_bug.cgi?id=1575880>
>>
>> No misissuances were found under these roots, and the CA certificates passed technical tests.
>>
>> Thus, this email begins a three-week public discussion period, which I’m scheduling to close on or about Tuesday, 2-February-2021.
>>
>> Sincerely yours,
>>
>> Ben Wilson
>>
>> Mozilla Root Program
>>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy