Did you ever hear from them?

On Tuesday, March 5, 2024 at 11:18:13 AM UTC-5 Ben Wilson wrote:
> All,
>
> March 1 was the scheduled end of public discussion on this matter. However, I have one unresolved question that I have presented to the CA operator and its audit firm regarding ACAB'c membership (see MRSP section 3.2). As soon as I hear back on that question, I'll provide a summary of the entire discussion here.
>
> Thanks,
> Ben
>
> On Friday, February 23, 2024 at 7:36:13 AM UTC-7 regist...@e-monitoring.at wrote:
>
>> *Preface*
>>
>> The only thing that changed is the ownership, and the ownership is represented by the new management. This purely formal change has already been notified to the authorities and approved and registered. The rest remains unchanged.
>>
>> e-commerce monitoring GmbH fulfills different trust service requirements from ISO/IEC, eIDAS / ETSI, CA/Browser Forum to Root Program requirements, remains a member of the European Trust List (EUTL) as before and is permanently monitored by the Austrian Supervisory Body (RTR/TKK) and regularly assessed by a Conformity Assessment Body.
>>
>> The management has changed from Hans G. Zeger to Emmanouil Kontos and Markus Kirchmayr. The takeover of the company includes the taking over of the existing, trained and trusted staff, which results in no changes except top management. e-commerce monitoring GmbH continues to provide certification and trust services according to the respective policies.
>>
>> It is in the interest of AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H. that e-commerce monitoring GmbH continues to fully comply with the Browser/OS Root Store Policies.
>>
>> *Ownership and Governance*
>>
>> The ultimate beneficial owner is Nikolaos Lykos.
>> The new shareholder of e-commerce monitoring GmbH is AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H. Nikolaos Lykos owns 77.57 % of the shares in AUSTRIACARD HOLDINGS AG, which is the parent company of AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H. (it is owned 100% by AUSTRIACARD HOLDINGS AG).
>>
>> AUSTRIACARD HOLDINGS AG is a publicly listed company with subsidiaries in Europe and the USA (please find more details in the prospectus on AUSTRIACARD's website: https://www.austriacard.com/wp-content/uploads/2023/01/AustriaCard_Prospectus_24.01.2023_FINAL.PUBLICATIONpdf.pdf).
>>
>> Emmanouil Kontos is the Managing Director of the company and authorized to represent the company solely. Markus Kirchmayr is authorized to represent the company jointly with Emmanouil Kontos. Both will not take any trusted roles in the CA operations.
>>
>> e-commerce monitoring GmbH is maintaining the Key Management as well as the respective roles of Key Manager and Key Custodian through the existing, trained and trusted staff.
>>
>> Major decisions regarding finance and management topics are made by the Managing Director Emmanouil Kontos in consultation with Markus Kirchmayr. Major decisions regarding operative topics are made by the Managing Director Emmanouil Kontos in consultation with the key manager.
>> The decision making structure can be defined as follows:
>>
>> · Define the problem or decision that needs to be made
>>
>> · Gather information and options
>>
>> · Analyze the information and options
>>
>> · Select the best option
>>
>> · Plan for implementation
>>
>> · Implement the plan
>>
>> *Investment and Budget*
>>
>> e-commerce monitoring GmbH is now a 100% subsidiary of AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H., which is classified as “große Kapitalgesellschaft” (large corporation) and therefore needs to comply with all regulations of the Austrian GmbHG (Limited Liability Companies Act) and UGB (Commercial Code).
>>
>> In addition, e-commerce monitoring GmbH is therefore part of the group of companies of AUSTRIACARD HOLDINGS AG, which is also classified as “große Kapitalgesellschaft” (large corporation) and in addition is a listed company on the stock exchanges in Vienna and Athens. Therefore AUSTRIACARD HOLDINGS AG needs to comply with all regulations of the Austrian Aktiengesetz (Joint Stock Corporation Act) and Börsegesetz (Stock Exchange Act).
>>
>> AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H., with over 40 years of experience in providing high security solutions, is maintaining an Information Security Management System as part of the ISO 27001 framework which is certified and audited on a regular basis. Furthermore, Austria Card has established security policies and processes to comply with and be certified according to other security standards like ISO 14298 as well as the Payment Card Industry standards PCI CP and PCI DSS, and a qualification management system according to ISO 9001:2015.
>>
>> In the interest of fair competition we prefer not to disclose any strategic, budget or other internal confidential information.
>>
>> *Community Engagement*
>>
>> e-commerce monitoring GmbH is committed to serving a diverse range of communities, both locally and globally.
>> Further, we strive to create products and services that meet the needs of various demographics. Additionally, we prioritize inclusivity and accessibility, ensuring that our offerings are accessible to individuals from all walks of life.
>>
>> e-commerce monitoring GmbH is actively monitoring various legal information databases, other sources like the Certification Authorities and Trust Service Providers portals by ETSI, the websites of the CA/Browser Forum and root store operators, as well as participating in and exchanging information with various industry partners through events and projects.
>>
>> Additionally, e-commerce monitoring GmbH has established partnerships with regulatory institutions, security researchers, certification partners as well as customer relations which pro-actively inform e-commerce monitoring GmbH regarding significant changes, requirements and risks concerning security and compliance throughout the whole Web PKI.
>>
>> *Employees*
>>
>> e-commerce monitoring GmbH has established policies like the “GLOBALTRUST Certificate Policy” which continue to apply.
>>
>> For reference and directions please consult particularly sections 5.2 Procedural controls and 5.3 Personnel controls:
>>
>> - Most recent: Version 3.2a / 16th February, 2024:
>>   https://service.globaltrust.eu/static/globaltrust-certificate-policy.pdf
>> - Prior: Version 3.2 / 19th August 2023:
>>   https://service.globaltrust.eu/static/globaltrust-certificate-policy.20230819.pdf
>>
>> There is no change to the staff in trusted roles. Employees in trusted roles remain as they have been. Only the top level management has been replaced. We are not able to disclose any background information on individuals. Skills and experience have been audited and, in part, are known to the Root Program responsible.
>>
>> e-commerce monitoring GmbH employs personnel with over 30 years of experience in cryptography, data protection and in general providing PKI technology solutions.
>>
>> The audited systems implemented by the trusted personnel of e-commerce monitoring GmbH are fulfilling different trust service requirements from ISO/IEC, eIDAS / ETSI, CAB Forum to root store policies, which additionally are monitored on a regular basis both through automated systems and manual audit processes.
>>
>> Further, e-commerce monitoring GmbH monitors CA incidents and other relevant discussions over the following community groups:
>>
>> · Bugzilla platform (https://wiki.mozilla.org/CA/Incident_Dashboard)
>>
>> · dev-security-policy group hosted by Google (https://groups.google.com/a/mozilla.org/g/dev-security-policy)
>>
>> · CCADB Public group hosted by Google (https://groups.google.com/a/ccadb.org/g/public)
>>
>> · CAB Forum mailing lists:
>>
>>   o https://lists.cabforum.org/mailman/listinfo/netsec
>>   o https://lists.cabforum.org/mailman/listinfo/public
>>   o https://lists.cabforum.org/mailman/listinfo/smcwg-public
>>   o https://lists.cabforum.org/mailman/listinfo/validation
>>   o https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>
>> *Operational Design and Ongoing GRC Management*
>>
>> The systems of e-commerce monitoring GmbH are designed, built and maintained according to the requirements including but not limited to ISO/IEC, eIDAS / ETSI, CAB Forum, root store policies as well as the established policies by GLOBALTRUST. Additionally, these systems have a continuous audit history carried out by qualified accredited bodies. The most recent RootCA GLOBALTRUST 2020 has a gapless cradle-to-the-grave audit including a key ceremony report and EV readiness attestation.
>>
>> e-commerce monitoring GmbH maintains extensive public and internal documentation which additionally has been presented to and audited by the Austrian supervisory body (RTR/TKK).
>>
>> The audited systems enforce various automated controls and tests including but not limited to pre-issuance linting tests utilizing the well-known open source tools.
>>
>> e-commerce monitoring GmbH has implemented automated monitoring systems that permanently evaluate the system security parameters, performance, availability and the resulting quality KPIs of the trusted services. Deviations from the expected quality KPIs trigger the notification and remediation process of our trained IT personnel during working hours and standby.
>>
>> Additionally, manual and automated self-audits are carried out on a quarterly basis against a random percentage of all issued certificates as required.
>>
>> *Auditing*
>>
>> e-commerce monitoring GmbH will continue to be evaluated by the auditor “A-SIT Zentrum für sichere Informationstechnologie” – Austria under the eIDAS / ETSI audit scheme.
>>
>> The most recent audit attestation including the auditor's accreditation scope and team qualification can be found under the provided URL and follows the ACAB-c template in its most recent version:
>> https://www.a-sit.at/wp-content/uploads/2023/05/VIG-23-044_audit-attestation_globaltrust-etsi-2023_final_signed.pdf
>>
>> The most recent eIDAS conformity assessment report can be found here:
>> https://service.globaltrust.eu/static/conformity-assessment-2023.pdf
>>
>> Here is a quick bottom-up way to reproduce the auditor's qualifications:
>>
>> - Accreditation scope of A-SIT: https://akkreditierung-austria.gv.at/overview (see A-SIT)
>> - Notification of A-SIT as CAB (Name “Zentrum für sichere Informationstechnologie – Austria“, Acronym: “A-SIT”)
>> - Notification of Akkreditierung Austria as NAB: https://eidas.ec.europa.eu/efda/browse/notification/cab-nab
>> - Accreditation / “Akkreditierung Austria” at EA: https://european-accreditation.org/ea-members/directory-of-ea-members-and-mla-signatories/
>>
>> A-SIT has been recorded as auditor in the CCADB with Audit Firm Confidence Status as evaluated by Root Store Managers “High”: https://ccadb.my.site.com/s/detail/a0F1J00001ICCfqUAH
>>
>> On Thursday, February 8, 2024 at 1:19:33 PM UTC+1 e-commerce monitoring wrote:
>>
>>> Dear All,
>>>
>>> e-commerce monitoring GmbH is now a 100% subsidiary of AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H., which is classified as “große Kapitalgesellschaft” (large corporation) and therefore needs to comply with all regulations of the Austrian GmbHG (Limited Liability Companies Act) and UGB (Commercial Code).
>>>
>>> e-commerce monitoring GmbH was taken over as a fully functional and independent entity inside the AUSTRIA CARD group of companies. The certified policies, processes and commitments of e-commerce monitoring GmbH continue to apply.
>>>
>>> The takeover of the company also includes the taking over of the established staff, which results in no changes except top management, and e-commerce monitoring GmbH will continue to adhere to and operate according to the respective policies.
>>>
>>> Best regards,
>>> Daniel
>>>
>>> On Wednesday, February 7, 2024 at 12:22:36 AM UTC+1 Ben Wilson wrote:
>>>
>>>> Hi Aaron,
>>>>
>>>> On Tue, Feb 6, 2024 at 3:00 PM Aaron Gable <aa...@letsencrypt.org> wrote:
>>>>
>>>>> e-commerce monitoring GmbH currently has multiple open bugzilla tickets which have not had any updates from their staff in multiple months:
>>>>> - https://bugzilla.mozilla.org/show_bug.cgi?id=1815534
>>>>> - https://bugzilla.mozilla.org/show_bug.cgi?id=1862004
>>>>
>>>> Correct - the questions raised by these incidents still need to be answered.
>>>>
>>>>> Does the behavior of the CA being acquired factor into decisions like this, or just the behavior of the acquiring entity?
>>>>
>>>> The behavior of the entity being acquired and the capabilities and history of the acquiring company are relevant, going back for an unspecified period of time. (Factors to be considered in deciding how far to go back include the nature and severity of any non-compliance and the degree to which any incidents reveal persistent, systemic problems.)
>>>>
>>>>> If a distrust conversation were to arise in the future, how do root programs ensure that bugs filed under previous corporate names are still included in the analysis?
>>>>
>>>> We have not experienced a lot of M&A/name-change activity recently. I believe the Mozilla Community has sufficient continuity, institutional memory, and community-based knowledge about the history of CA operators.
>>>> So, I think this concern can be handled when needed with comments from community members, and changes in the names of CA operators should not require that we create a new tracking solution. (If incidents are sufficiently recent or still have relevance, then we could update the Bugzilla bug "Summaries" by replacing the name of the previous operator with the name of the new entity when there is a name change or CA operator replacement.)
>>>>
>>>> Ben
>>>>
>>>>> Thanks,
>>>>> Aaron
>>>>>
>>>>> On Fri, Feb 2, 2024 at 5:25 PM Ben Wilson <bwi...@mozilla.com> wrote:
>>>>>
>>>>>> Dear Suchan,
>>>>>> You make a valid point. However, in this case, I wasn't sure how other root stores would be handling this. They may have their own processes. Also, the distribution on this list is almost 3x greater than on the CCADB public list, so I decided to post the discussion here.
>>>>>> If the other root stores want to have a public discussion of this acquisition, then we can start a discussion on CCADB Public, too.
>>>>>> Sincerely yours,
>>>>>> Ben
>>>>>>
>>>>>> On Fri, Feb 2, 2024 at 5:53 PM Suchan Seo <tjt...@gmail.com> wrote:
>>>>>>
>>>>>>> While I don't have the knowledge to comment on the acquisition itself, doesn't this fit the CCADB mailing list better? I thought root store policy about individual roots was moved there.
>>>>>>>
>>>>>>> On Saturday, February 3, 2024 at 1:45:19 AM UTC+9 Ben Wilson wrote:
>>>>>>>
>>>>>>>> All,
>>>>>>>>
>>>>>>>> Recently we were advised that e-commerce monitoring GmbH is being acquired by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH.
>>>>>>>>
>>>>>>>> e-commerce monitoring operates the GLOBALTRUST 2020 root CA that is included in the Mozilla root store. They have advised us of the following:
>>>>>>>>
>>>>>>>> There are no changes to the operation of the CA and RA functions.
>>>>>>>>
>>>>>>>> Changes to the corporate structure:
>>>>>>>>
>>>>>>>> - New shareholder:
>>>>>>>>   AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H.
>>>>>>>>   registered under the number FN 98272v, commercial court Vienna
>>>>>>>>   Lamezanstraße 4-8
>>>>>>>>   1230 Vienna, Austria
>>>>>>>>   https://www.austriacard.com/
>>>>>>>>
>>>>>>>> - New Management
>>>>>>>>   new: CEO ("Geschäftsführer") Mr. Emmanouil Kontos
>>>>>>>>   new: Attorney ("Prokurist") Mr. Markus Kirchmayr
>>>>>>>>   old: CEO Hans Zeger
>>>>>>>>
>>>>>>>> - Registered headquarters
>>>>>>>>   new: Handelskai 388/621, 1020 Vienna, Austria
>>>>>>>>   old: Redtenbachergasse 20, 1160 Vienna, Austria
>>>>>>>>
>>>>>>>> According to section 8.1 of the Mozilla Root Store Policy, “If the receiving or acquiring company is new to the Mozilla root store, it MUST demonstrate compliance with the entirety of this policy. There MUST be a public discussion regarding its admittance to the root store. If Mozilla reaches a positive conclusion after public discussion, then the affected certificate(s) MAY remain in the root store.”
>>>>>>>>
>>>>>>>> By this email, I am initiating a four-week public discussion period, scheduled to close on Friday, 1-March-2024, to allow for at least three full weeks of public discussion. The first week (Feb. 5 – 9) is intended to give the acquiring company time to address the following topics:
>>>>>>>>
>>>>>>>> · Compliance with the Mozilla Root Store Policy
>>>>>>>>
>>>>>>>> · Ownership and governance
>>>>>>>>
>>>>>>>> · Investment and budget for CA operations, risk management, and compliance
>>>>>>>>
>>>>>>>> · Community engagement and involvement in industry groups
>>>>>>>>
>>>>>>>> · Employee expertise and continuity
>>>>>>>>
>>>>>>>> · Operational design and ongoing GRC management
>>>>>>>>
>>>>>>>> · Auditors and auditing
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Ben Wilson
>>>>>>>>
>>>>>>>> Mozilla Root Store Program
>>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
>>>>>> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabZVUgzo1rbr%3DyP-F0YzWCzjaO1sHKGYp%3DLTtQGzYEKrA%40mail.gmail.com

--
You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/23c2098c-028b-4dc6-8c6a-80a1a942d344n%40mozilla.org.