FYI at least one person is being blocked from posting to the list properly for reasons unknown.

On Fri, Feb 10, 2023 at 11:04 AM Steve Keller <kellerst...@proton.me> wrote:

> Unfortunately it won't let me post. I don't see why it would be harmful to ask the community to double-check my work to make sure that I'm not misunderstanding the new requirements?
>
> As far as I can tell, there are a number of CAs currently rooted that are already engaging in Concerning Behavior, but maybe I'm misunderstanding something or Mozilla doesn't like that question?
>
> ------- Original Message -------
> On Tuesday, February 7th, 2023 at 9:52 PM, Steve Keller <kellerst...@proton.me> wrote:
>
> > My apologies, for some reason it's not posting my response. I will try again.
> >
> > Thanks,
> > Steve
> >
> > ------- Original Message -------
> > On Tuesday, February 7th, 2023 at 9:06 PM, Kurt Seifried <k...@seifried.org> wrote:
> >
> > > You need to reply to the list.
> > >
> > > -Kurt
> > >
> > > On Feb 7, 2023, at 1:35 PM, Steve Keller <kellerst...@proton.me> wrote:
> > >
> > > > What happens to the CAs engaging in "Concerning Behavior" that *currently* have their root certificates in Mozilla's root store?
> > > >
> > > > Mozilla states:
> > > >
> > > > If the CA operator currently has root certificates in Mozilla's root store, then Mozilla *may* remove those root certificates or set them to be distrusted after a specified date.
> > > >
> > > > How much Concerning Behavior would a CA need to engage in before their root certificates were removed?
> > > >
> > > > Just a quick review of all the currently included CAs in Mozilla's root store and it seems that these CAs are already engaging in Concerning Behavior according to the recently announced considerations:
> > > >
> > > > 1. Agence Nationale de Certification Electronique - Corruption Perceptions Index Score less than 50 (score = 40)
> > > > 2. certSIGN - Corruption Perceptions Index Score less than 50 (score = 46)
> > > > 3. China Financial Certification Authority (CFCA) - Internet Freedom Score less than 50 (score = 10), Corruption Perceptions Index Score less than 50 (score = 45)
> > > > 4. E-Tugra - Internet Freedom Score less than 50 (score = 32), Corruption Perceptions Index Score less than 50 (score = 36)
> > > > 5. eMudhra Technologies Limited - Corruption Perceptions Index Score less than 50 (score = 40)
> > > > 6. Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) - Internet Freedom Score less than 50 (score = 10), Corruption Perceptions Index Score less than 50 (score = 45)
> > > > 7. Government of Hong Kong (SAR), Hongkong Post, Certizen aka "Hongkong Post" - Internet Freedom Score less than 50, Corruption Perceptions Index Score less than 50
> > > > 8. Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) aka "TUBITAK" - Internet Freedom Score less than 50 (score = 10), Corruption Perceptions Index Score less than 50 (score = 45), CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
> > > > 9. iTrusChina Co., Ltd. - Internet Freedom Score less than 50 (score = 10), Corruption Perceptions Index Score less than 50 (score = 45)
> > > > 10. Microsec Ltd. - Corruption Perceptions Index Score less than 50 (score = 42), CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
> > > > 11. Netlock - Corruption Perceptions Index Score less than 50 (score = 42), CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
> > > > 12. Shanghai Electronic Certification Authority Co., Ltd. aka "UniTrust" - Internet Freedom Score less than 50 (score = 10), Corruption Perceptions Index Score less than 50 (score = 45)
> > > > 13. Actalis - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
> > > > 14. Atos Trustcenter - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
> > > > 15. Buypass - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
> > > > 16. Chunghwa Telecom - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
> > > > 17. Disig, a.s. - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
> > > > 18. e-commerce monitoring GmbH - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
> > > > 19. HARICA - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
> > > > 20. SwissSign AG - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
> > > >
> > > > ------- Original Message -------
> > > > On Feb 1, 2023, at 1:59 PM, 'Kurt Seifried' via dev-security-policy@mozilla.org <dev-security-policy@mozilla.org> wrote:
> > > >
> > > > > Correct me if I'm wrong but AFAIK all the main participants that consume what the CCADB creates are all US based (Mozilla/Microsoft/Google/Apple/Oracle/Adobe).
> > > > >
> > > > > Also if you really want "neutrality" then you'll need to define what you mean exactly. And probably include Africa, Asia and South America at a minimum. I don't think this makes any sense.
> > > > >
> > > > > On Wed, Feb 1, 2023 at 11:12 AM John Han (hanyuwei70) <hanyuwe...@gmail.com> wrote:
> > > > >
> > > > > > I understand that. Perhaps we could use "with a US-based or EU-based company." to address neutrality, or is it legally impossible?
> > > > > >
> > > > > > On Thursday, February 2, 2023 at 01:18:15 UTC+8, <ku...@seifried.org> wrote:
> > > > > >
> > > > > > > On Wed, Feb 1, 2023 at 9:42 AM John Han (hanyuwei70) <hanyu...@gmail.com> wrote:
> > > > > > >
> > > > > > > > > The CA operator is in a global region that cannot use the CCADB <https://trust.salesforce.com/blocked>, or is not capable of entering into a contractual agreement with a US-based <https://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx> company.
> > > > > > > >
> > > > > > > > Does this mean the US government can control whether any CA is in Mozilla's root store?
> > > > > > >
> > > > > > > I would assume if they are listed on https://sanctionssearch.ofac.treas.gov/ for example then yes, Mozilla and friends can't be doing business with them (and putting them into the root CA ... yow). I'm trying to think of a legitimate corner case where a company can't do business with a US entity legally but is still somehow trustworthy enough to be a root CA, and nothing comes to mind.
> > > > > > >
> > > > > > > --
> > > > > > > Kurt Seifried (He/Him)
> > > > > > > ku...@seifried.org
> > > > >
> > > > > --
> > > > > Kurt Seifried (He/Him)
> > > > > ku...@seifried.org <k...@seifried.org>

--
Kurt Seifried (He/Him)
k...@seifried.org

--
You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CABqVa38iOcFt5jZxOR2hBdOBRU-nwqhyD6ea6B0D%2B3trPk%2BVAw%40mail.gmail.com.