Dear all,

Regarding "CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store", I'd like to point out that we need to make sure that we have a common understanding of what "CA's auditor" means. Is it a person, a company? Is that entity just currently not auditing other publicly trusted CAs but did so in the past (how long ago), or did the auditors maybe work for a different audit company that -did- audits on other publicly trusted CAs... ?

The current wording would also exclude new auditors from ever doing their first audit of a publicly trusted CA... 😉 I think what we all want and expect is that the auditors are experienced, know the regulations they have to audit against and have some understanding of what "good practice" as a CA must show.

Kind regards
Roman

From: dev-security-policy@mozilla.org <dev-security-policy@mozilla.org> On Behalf Of Kathleen Wilson
Sent: Monday, 13 February 2023 19:59
To: dev-security-policy@mozilla.org
Cc: ku...@seifried.org <k...@seifried.org>; Steve Keller <kellerst...@proton.me>
Subject: Re: DRAFT: Root Inclusion Considerations

On Friday, February 10, 2023 at 12:29:54 PM UTC-8 ku...@seifried.org wrote:

FYI at least one person is being blocked from posting to the list properly for reasons unknown.

On Fri, Feb 10, 2023 at 11:04 AM Steve Keller <kellerst...@proton.me> wrote:

Unfortunately it won't let me post. I don't see why it would be harmful to ask the community to double-check my work to make sure that I'm not misunderstanding the new requirements? As far as I can tell, there's a number of CAs currently rooted that are already engaging in Concerning Behavior, but maybe I'm misunderstanding something or Mozilla doesn't like that question?

Steve will need to: "Subscribe by sending email to: dev-security-policy+subscr...@mozilla.org. Membership requests must provide context for your interest in joining the group. Requests without this information will be rejected." Only members can post to this group, otherwise this group would receive a lot of spam.

What happens to the CAs engaging in "Concerning Behavior" that currently have their root certificates in Mozilla's root store?

Concerning Behavior: "The following situations are concerning and in aggregate..."

So concern would be raised when a collection (several) of the main bullet points happen.

Mozilla states:
> If the CA operator currently has root certificates in Mozilla's root store,
> then Mozilla may remove those root certificates or set them to be distrusted
> after a specified date.

How much Concerning Behavior would a CA need to engage in before their root certificates were removed?

When several of the concerning behaviors exist, then we need to look more closely at the CA and do a risk versus value assessment of the CA.

Just a quick review of all the currently included CAs in Mozilla's root store and it seems that these CAs are already engaging in Concerning Behavior according to the recently announced considerations:

1. Agence Nationale de Certification Electronique - Corruption Perceptions Index Score less than 50 (score = 40)
2. certSIGN - Corruption Perceptions Index Score less than 50 (score = 46)
3. China Financial Certification Authority (CFCA) - Internet Freedom Score less than 50 (score = 10), Corruption Perceptions Index Score less than 50 (score = 45)
4. E-Tugra - Internet Freedom Score less than 50 (score = 32), Corruption Perceptions Index Score less than 50 (score = 36)
5. eMudhra Technologies Limited - Corruption Perceptions Index Score less than 50 (score = 40)
6. Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) - Internet Freedom Score less than 50 (score = 10), Corruption Perceptions Index Score less than 50 (score = 45)
7. Government of Hong Kong (SAR), Hongkong Post, Certizen aka "Hongkong Post" - Internet Freedom Score less than 50, Corruption Perceptions Index Score less than 50
8. Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) aka "TUBITAK" - Internet Freedom Score less than 50 (score = 10), Corruption Perceptions Index Score less than 50 (score = 45), CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
9. iTrusChina Co., Ltd. - Internet Freedom Score less than 50 (score = 10), Corruption Perceptions Index Score less than 50 (score = 45)
10. Microsec Ltd. - Corruption Perceptions Index Score less than 50 (score = 42), CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
11. Netlock - Corruption Perceptions Index Score less than 50 (score = 42), CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
12. Shanghai Electronic Certification Authority Co., Ltd. aka "UniTrust" - Internet Freedom Score less than 50 (score = 10), Corruption Perceptions Index Score less than 50 (score = 45)

I am interested in feedback on using the Internet Freedom Score and Corruption Perceptions Index when considering CAs... Is this check useful? How much should it impact our decisions? Is it only useful when the CA is also closely aligned with a government organization?

13. Actalis - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
14. Atos Trustcenter - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
15. Buypass - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
16. Chunghwa Telecom - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
17. Disig, a.s. - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
18. e-commerce monitoring GmbH - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
19. HARICA - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store
20. SwissSign AG - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store

I think this concern about an auditor only auditing one CA means that we might need to do more due diligence in regards to verifying that auditor's qualifications. Especially when any other items in the Concerning Behaviors list apply to the CA.

These are all good questions, and I am very interested to hear feedback from CAs who are currently in Mozilla's program and may be impacted by this list.

Thanks,
Kathleen

--
You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/b9407f23-c174-4d75-8d4d-1e439408164dn%40mozilla.org.

--
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ZRAP278MB056256574A0BFF4CDA1B28BAFAA29%40ZRAP278MB0562.CHEP278.PROD.OUTLOOK.COM.