On Friday, February 10, 2023 at 12:29:54 PM UTC-8 ku...@seifried.org wrote:

> FYI at least one person is being blocked from posting to the list properly for reasons unknown.
>
> On Fri, Feb 10, 2023 at 11:04 AM Steve Keller <kellerst...@proton.me> wrote:
>
>> Unfortunately it won't let me post. I don't see why it would be harmful to ask the community to double-check my work to make sure that I'm not misunderstanding the new requirements? As far as I can tell, there's a number of CAs currently rooted that are already engaging in Concerning Behavior, but maybe I'm misunderstanding something or Mozilla doesn't like that question?

Steve will need to: "Subscribe by sending email to: dev-security-policy+subscr...@mozilla.org. *Membership requests must provide context for your interest in joining the group. Requests without this information will be rejected.*" Only members can post to this group, otherwise this group would receive a lot of spam.

>> What happens to the CAs engaging in "Concerning Behavior" that *currently* have their root certificates in Mozilla's root store?

Concerning Behavior: "The following situations are concerning *and in aggregate*..."

So concern would be raised when a collection (several) of the main bullet points happen.

>> Mozilla states:
>>
>>> If the CA operator currently has root certificates in Mozilla's root store, then Mozilla *may* remove those root certificates or set them to be distrusted after a specified date.
>>
>> How much Concerning Behavior would a CA need to engage in before their root certificates were removed?

When several of the concerning behaviors exist, then we need to look more closely at the CA and do a risk versus value assessment of the CA.

>> Just a quick review of all the currently included CAs in Mozilla's root store and it seems that these CAs are already engaging in Concerning Behavior according to the recently announced considerations:
>>
>> 1. Agence Nationale de Certification Electronique - Corruption Perceptions Index Score less than 50 (score = 40)
>> 2. certSIGN - Corruption Perceptions Index Score less than 50 (score = 46)
>> 3. China Financial Certification Authority (CFCA) - Internet Freedom Score less than 50 (score = 10), Corruption Perceptions Index Score less than 50 (score = 45)
>> 4. E-Tugra - Internet Freedom Score less than 50 (score = 32), Corruption Perceptions Index Score less than 50 (score = 36)
>> 5. eMudhra Technologies Limited - Corruption Perceptions Index Score less than 50 (score = 40)
>> 6. Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) - Internet Freedom Score less than 50 (score = 10), Corruption Perceptions Index Score less than 50 (score = 45)
>> 7. Government of Hong Kong (SAR), Hongkong Post, Certizen aka "Hongkong Post" - Internet Freedom Score less than 50, Corruption Perceptions Index Score less than 50
>> 8. Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) aka "TUBITAK" - Internet Freedom Score less than 50 (score = 10), Corruption Perceptions Index Score less than 50 (score = 45), CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
>> 9. iTrusChina Co., Ltd. - Internet Freedom Score less than 50 (score = 10), Corruption Perceptions Index Score less than 50 (score = 45)
>> 10. Microsec Ltd. - Corruption Perceptions Index Score less than 50 (score = 42), CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
>> 11. Netlock - Corruption Perceptions Index Score less than 50 (score = 42), CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
>> 12. Shanghai Electronic Certification Authority Co., Ltd. aka "UniTrust" - Internet Freedom Score less than 50 (score = 10), Corruption Perceptions Index Score less than 50 (score = 45)

I am interested in feedback on using the Internet Freedom Score and Corruption Perceptions Index when considering CAs... Is this check useful? How much should it impact our decisions? Is it only useful when the CA is also closely aligned with a government organization?

>> 13. Actalis - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
>> 14. Atos Trustcenter - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
>> 15. Buypass - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
>> 16. Chunghwa Telecom - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
>> 17. Disig, a.s. - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
>> 18. e-commerce monitoring GmbH - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
>> 19. HARICA - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
>> 20. SwissSign AG - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store

I think this concern about an auditor only auditing one CA means that we might need to do more due diligence in regards to verifying that auditor's qualifications, especially when any other items in the Concerning Behaviors list apply to the CA.

These are all good questions, and I am very interested to hear feedback from CAs who are currently in Mozilla's program and may be impacted by this list.

Thanks,
Kathleen

--
You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/b9407f23-c174-4d75-8d4d-1e439408164dn%40mozilla.org.