This is to announce the beginning of the public discussion phase for Google Trust Services' (GTS) request to replace five existing root CA certificates with ones that were re-signed last year, August 13, 2020. See https://wiki.mozilla.org/CA/Application_Process#Process_Overview (Steps 4 through 9).

The five roots are as follows: GTS Root R1, GTS Root R2, GTS Root R3, GTS Root R4, and the GlobalSign ECC Root CA - R4. (A sixth root CA certificate, the GlobalSign Root CA - R2, was re-signed using SHA1, and so I have removed it from this inclusion request.)

The reason for their replacement is that the original CA certificates do not contain the digitalSignature key usage bit, which is required for direct OCSP signing by the CA. (See https://bugzilla.mozilla.org/show_bug.cgi?id=1652581)

GTS’ request has been tracked in the CCADB and in Bugzilla as follows:
https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000666
https://bugzilla.mozilla.org/show_bug.cgi?id=1675821

Mozilla is considering approving GTS’ request. This email begins a 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed with steps required to replace the certificates in question.

*Root Certificate Information:*

*GTS Root R1*
https://crt.sh/?q=D947432ABDE7B7FA90FC2E6B59101B1280E0E1C7E4E40FA3C6887FFF57A7F4CF
Download – https://pki.goog/repo/certs/gtsr1.pem
Replaces https://crt.sh/?id=139646520

*GTS Root R2*
https://crt.sh/?q=8D25CD97229DBF70356BDA4EB3CC734031E24CF00FAFCFD32DC76EB5841C7EA8
Download – https://pki.goog/repo/certs/gtsr2.pem
Replaces https://crt.sh/?id=139646522

*GTS Root R3*
https://crt.sh/?q=34D8A73EE208D9BCDB0D956520934B4E40E69482596E8B6F73C8426B010A6F48
Download – https://pki.goog/repo/certs/gtsr3.pem
Replaces https://crt.sh/?id=139646519

*GTS Root R4*
https://crt.sh/?q=349DFA4058C5E263123B398AE795573C4E1313C83FE68F93556CD5E8031B3C7D
Download – https://pki.goog/repo/certs/gtsr4.pem
Replaces https://crt.sh/?id=139646525

*GlobalSign ECC Root CA - R4*
https://crt.sh/?q=B085D70B964F191A73E4AF0D54AE7A0E07AAFDAF9B71DD0862138AB7325A24A2
Download – https://pki.goog/repo/certs/gsr4.pem
Replaces https://crt.sh/?id=8644166

*CP/CPS:*
Current CPS is Version 4.0 / August 11, 2021
https://pki.goog/repo/cps/4.0/GTS-CPS.pdf
Repository location: https://pki.goog/

*Audits:*
GTS’s WebTrust auditor is Ernst & Young, and the most recent audit reports are dated November 2, 2020. These may be downloaded by clicking on the WebTrust seals on GTS’s repository page <https://pki.goog/>.

The WebTrust Baseline Requirements audit noted the following four incidents (closed):
1 - https://bugzilla.mozilla.org/show_bug.cgi?id=1630040 (OCSP responder issue)
2 - https://bugzilla.mozilla.org/show_bug.cgi?id=1652581 (digitalSignature KeyUsage not set – which gave rise to this inclusion request)
3 - https://bugzilla.mozilla.org/show_bug.cgi?id=1625498 (tracking possible audit delay)
4 - https://bugzilla.mozilla.org/show_bug.cgi?id=1667844 (certificates not disclosed in CCADB)

*Other Incidents (Closed):*
5 - https://bugzilla.mozilla.org/show_bug.cgi?id=1678183 (invalid ASN.1 encoding in OCSP response)
6 - https://bugzilla.mozilla.org/show_bug.cgi?id=1706967 (CPS stated outdated DV method from BR 3.2.2.4.10)
7 - https://bugzilla.mozilla.org/show_bug.cgi?id=1708516 (delayed incident updates)
8 - https://bugzilla.mozilla.org/show_bug.cgi?id=1709223 (SHA1 signing of GlobalSign Root CA - R2)
9 - https://bugzilla.mozilla.org/show_bug.cgi?id=1715421 (delayed revocation of end entity certificate)

Thus, this email begins a three-week public discussion period, which I’m scheduling to close on or about 15-September-2021. A representative of GTS must promptly respond directly in the discussion thread to all questions that are posted.

Sincerely yours,
Ben Wilson
Mozilla Root Program
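As an added illustration that is not part of this announcement or of GTS’s own tooling: a small DER walker that reads the KeyUsage extension from an X.509 Extensions sequence and reports whether the digitalSignature bit needed for direct OCSP signing is set. The two Extensions blobs below are constructed samples that mirror the profile difference described above (original roots: keyCertSign and cRLSign only; re-signed roots: digitalSignature added), not the real GTS certificates.

```python
# KeyUsage bit names in RFC 5280 order (bit 0 = digitalSignature).
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly")
KEY_USAGE_OID = bytes.fromhex("551d0f")  # DER content of id-ce-keyUsage, 2.5.29.15

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_key_usage(bit_string):
    """Decode KeyUsage BIT STRING content (first byte = number of unused trailing bits)."""
    unused, bits = bit_string[0], bit_string[1:]
    usable = len(bits) * 8 - unused
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i < usable and bits[i // 8] & (0x80 >> (i % 8))}

def key_usage_from_extensions(extensions_der):
    """Walk an X.509 Extensions SEQUENCE; return the KeyUsage names, or None if absent."""
    _, seq, _ = _tlv(extensions_der, 0)
    pos = 0
    while pos < len(seq):
        _, ext, pos = _tlv(seq, pos)
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
        _, oid, p = _tlv(ext, 0)
        if oid != KEY_USAGE_OID:
            continue
        tag, value, p = _tlv(ext, p)
        if tag == 0x01:  # the optional 'critical' BOOLEAN precedes the OCTET STRING
            _, value, p = _tlv(ext, p)
        _, bit_string, _ = _tlv(value, 0)  # extnValue wraps a BIT STRING
        return parse_key_usage(bit_string)
    return None

def can_sign_ocsp_directly(key_usage):
    """True if the CA key may sign OCSP responses itself: digitalSignature asserted,
    or no KeyUsage extension at all (RFC 5280 leaves such a key unconstrained)."""
    return key_usage is None or "digitalSignature" in key_usage

# Constructed samples (not the real roots): basicConstraints CA:TRUE plus a critical
# KeyUsage of keyCertSign|cRLSign (0x06) ...
ORIGINAL_ROOT_EXTS = bytes.fromhex("3021" "300f0603551d130101ff040530030101ff"
                                   "300e0603551d0f0101ff040403020106")
# ... and the same with digitalSignature added (0x86), as in the re-signed roots.
RESIGNED_ROOT_EXTS = bytes.fromhex("3021" "300f0603551d130101ff040530030101ff"
                                   "300e0603551d0f0101ff040403020186")
```

Fed the extensions portion of a real tbsCertificate, the replacement roots listed above should report digitalSignature in addition to keyCertSign and cRLSign, while the originals on crt.sh report only the latter two.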
