Having glanced at e-commerce monitoring GmbH for all of 5 minutes I'd move further and advocate for full removal: https://bugzilla.mozilla.org/show_bug.cgi?id=1862004#c10
They don't list valid/expired/revoked domains for all of their sub-CAs, and even the ones they do are running on the same wildcard covering:

DNS:timestamp.globaltrust.eu DNS:*.globaltrust.eu DNS:*.globaltrust.at DNS:*.globaltrust.info DNS:*.a-cert.at DNS:*.e-monitoring.at

See: https://crt.sh/?id=9532011580

This is not a healthy CA in any manner.

- Wayne

On Friday, May 3, 2024 at 12:05:54 PM UTC+1 Roman Fischer wrote:
> Dear Ben,
>
> I’m not sure I understand “A-SIT asserts that it is precluded from joining the ACAB’c” correctly. Does A-SIT have any confirmation either from their government sponsor or from ACAB’c that they can’t join?
>
> Rgds
> Roman
>
> *From:* 'Ben Wilson' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
> *Sent:* Tuesday, 30 April 2024 23:15
> *To:* Amir Omidi (aaomidi) <am...@aaomidi.com>
> *Cc:* dev-secur...@mozilla.org; regist...@e-monitoring.at <regist...@e-monitoring.at>
> *Subject:* Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH
>
> Hi Amir,
>
> Here is a quick update on this issue, while I continue working on a summary of the discussion concerning the acquisition of e-commerce monitoring by AUSTRIA CARD.
>
> Since June 1, 2022, section 3.2 of the Mozilla Root Store Policy (MRSP) has required that ETSI auditors be members of the Accredited Conformity Assessment Bodies' Council (ACAB'c). One of the underlying reasons for adopting this requirement was to ensure consistency in auditor qualifications, guidance, and attestation letters. The ACAB’c membership requirement continues to help improve the quality of ETSI audits. However, the MRSP also allows Mozilla to temporarily waive the ACAB’c membership requirement under certain circumstances.
>
> e-commerce monitoring’s ETSI audit is currently performed by A-SIT (Secure Information Technology Center – Austria).
> According to Herbert Leithold, Executive Director of A-SIT, “A-SIT is a government-funded information security organisation with formal duties that require strict neutrality and independency.” For this reason, A-SIT asserts that it is precluded from joining the ACAB’c. While A-SIT is currently not a member of ACAB'c, it has otherwise met auditor qualification requirements and its audits have conformed to templates provided by the ACAB’c.
>
> We are considering whether to grant a temporary approval of A-SIT as an exception to the ACAB’c membership requirement. Such temporary approval would be subject to periodic re-evaluation, and likely it would eventually be withdrawn. We sincerely appreciate everyone's contributions as they facilitate our ability to make well-informed decisions. We kindly request your insightful perspectives and opinions.
>
> Thanks,
>
> Ben
>
> On Fri, Apr 26, 2024 at 12:09 PM Amir Omidi (aaomidi) <am...@aaomidi.com> wrote:
>
> Did you ever hear from them?
>
> On Tuesday, March 5, 2024 at 11:18:13 AM UTC-5 Ben Wilson wrote:
>
> All,
>
> March 1 was the scheduled end of public discussion on this matter. However, I have one unresolved question that I have presented to the CA operator and its audit firm regarding ACAB'c membership (see MRSP section 3.2). As soon as I hear back on that question, I'll provide a summary of the entire discussion here.
>
> Thanks,
>
> Ben
>
> On Friday, February 23, 2024 at 7:36:13 AM UTC-7 regist...@e-monitoring.at wrote:
>
> *Preface*
>
> The only thing that changed is the ownership, and the ownership is represented by the new management. This only formal change has already been notified to the authorities and approved and registered. The rest remains unchanged.
>
> e-commerce monitoring GmbH fulfills different trust service requirements from ISO/IEC, eIDAS / ETSI, CA/Browser Forum to Root Program requirements, remains a member of the European Trust List (EUTL) as before and is permanently monitored by the Austrian Supervisory Body (RTR/TKK) and regularly assessed by a Conformity Assessment Body.
>
> The management has changed from Hans G. Zeger to Emmanouil Kontos and Markus Kirchmayr. The takeover of the company includes the taking over of the existing, trained and trusted staff which results in no changes except top management. e-commerce monitoring GmbH continues to provide certification and trust services according to the respective policies.
>
> It is in the interest of AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H. that e-commerce monitoring GmbH continues to fully comply with the Browser/OS Root Store Policies.
>
> *Ownership and Governance*
>
> The ultimate beneficial owner is Nikolaos Lykos. The new shareholder of e-commerce monitoring GmbH is AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H. Nikolaos Lykos owns 77.57 % of shares in AUSTRIACARD HOLDINGS AG, which is the parent company of AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H. (it is owned 100% by AUSTRIACARD HOLDINGS AG).
>
> AUSTRIACARD HOLDINGS AG is a publicly listed company with subsidiaries in Europe and the USA (please find more details in the prospectus on AUSTRIACARD´s website: https://www.austriacard.com/wp-content/uploads/2023/01/AustriaCard_Prospectus_24.01.2023_FINAL.PUBLICATIONpdf.pdf ).
>
> Emmanouil Kontos is the Managing Director of the company and authorized to represent the company solely. Markus Kirchmayr is authorized to represent the company jointly with Emmanouil Kontos. Both will not take any trusted roles in the CA operations.
>
> e-commerce monitoring GmbH is maintaining the Key Management as well as the respective roles of Key Manager and Key Custodian through the existing, trained and trusted staff.
>
> Major decisions regarding finance and management topics are made by the Managing Director Emmanouil Kontos in consultation with Markus Kirchmayr. Major decisions regarding operative topics are made by the Managing Director Emmanouil Kontos in consultation with the key manager. The decision making structure can be defined as follows:
>
> · Define the problem or decision that needs to be made
> · Gather information and options
> · Analyze the information and options
> · Select the best option
> · Plan for implementation
> · Implement the plan
>
> *Investment and Budget*
>
> e-commerce monitoring GmbH is now a 100% subsidiary of AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H., which is classified as “große Kapitalgesellschaft” (large corporation) and therefore needs to comply with all regulations of the Austrian GmbHG (limited liability company Act) and UGB (Commercial Code).
>
> In addition, e-commerce monitoring GmbH is therefore part of the group of companies of AUSTRIACARD HOLDINGS AG, which is also classified as “große Kapitalgesellschaft” (large corporation) and in addition is a listed company on the stock exchanges in Vienna and Athens. Therefore AUSTRIACARD HOLDINGS AG needs to comply with all regulations of the Austrian Aktiengesetz (Joint Stock Corporation Act) and Börsegesetz (Stock Exchange Act).
>
> AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H, with over 40 years of experience in providing high security solutions, is maintaining an Information Security Management System as part of the ISO 27001 framework which is certified and audited on a regular basis.
> Furthermore, Austria Card has established security policies and processes to comply with and be certified according to other security standards like ISO 14298 as well as the Payment Card Industry standards PCI CP and PCI DSS, and a qualification management system according to ISO 9001:2015.
>
> In the interest of fair competition we prefer not to disclose any strategic, budget or any other internal confidential information.
>
> *Community Engagement*
>
> e-commerce monitoring GmbH is committed to serving a diverse range of communities, both locally and globally. Further, we strive to create products and services that meet the needs of various demographics. Additionally, we prioritize inclusivity and accessibility, ensuring that our offerings are accessible to individuals from all walks of life.
>
> e-commerce monitoring GmbH is actively monitoring various legal information databases, other sources like the Certification Authorities and Trust Service Providers portals by ETSI, the websites of the CA/Browser Forum and root store operators, as well as participating in the exchange of information with various industry partners through events and projects.
>
> Additionally, e-commerce monitoring GmbH has established partnerships with regulatory institutions, security researchers, certification partners as well as customer relations which pro-actively inform e-commerce monitoring GmbH regarding significant changes, requirements and risks concerning security and compliance throughout the whole Web PKI.
>
> *Employees*
>
> e-commerce monitoring GmbH has established policies like the “GLOBALTRUST Certificate Policy” which continue to apply.
>
> For reference and directions please consult particularly sections 5.2 Procedural controls and 5.3 Personnel controls:
>
> - Most recent: Version 3.2a / 16th February, 2024
> https://service.globaltrust.eu/static/globaltrust-certificate-policy.pdf
> - Prior: Version 3.2 / 19th August 2023:
> https://service.globaltrust.eu/static/globaltrust-certificate-policy.20230819.pdf
>
> There is no change to the staff in trusted roles. Employees in trusted roles remain as they have been. Only the top level management has been replaced. We are not able to disclose any background information on individuals. Skills and experience have been audited and, in part, are known to the Root Program responsible.
>
> e-commerce monitoring GmbH employs personnel with over 30 years of experience in cryptography, data protection and in general providing PKI technology solutions.
>
> The audited systems implemented by the trusted personnel of e-commerce monitoring GmbH are fulfilling different trust service requirements from ISO/IEC, eIDAS / ETSI, CAB Forum to root store policies which additionally are monitored on a regular basis both through automated systems and manual audit processes.
>
> Further, e-commerce monitoring GmbH monitors CA incidents and other relevant discussions over the following community groups:
>
> · Bugzilla platform (https://wiki.mozilla.org/CA/Incident_Dashboard)
> · dev-security-policy group hosted by Google (https://groups.google.com/a/mozilla.org/g/dev-security-policy)
> · CCADB Public group hosted by Google (https://groups.google.com/a/ccadb.org/g/public)
> · CAB Forum mailing lists:
>   o https://lists.cabforum.org/mailman/listinfo/netsec
>   o https://lists.cabforum.org/mailman/listinfo/public
>   o https://lists.cabforum.org/mailman/listinfo/smcwg-public
>   o https://lists.cabforum.org/mailman/listinfo/validation
>   o https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
> *Operational Design and Ongoing GRC Management*
>
> e-commerce monitoring GmbH's systems are designed, built and maintained according to the requirements including but not limited to ISO/IEC, eIDAS / ETSI, CAB Forum, root store policies as well as the established policies by GLOBALTRUST. Additionally, these systems have a continuous audit history carried out by qualified accredited bodies. The most recent RootCA GLOBALTRUST 2020 has a gapless cradle-to-the-grave audit including a key ceremony report and EV readiness attestation.
>
> e-commerce monitoring GmbH maintains extensive public and internal documentation which additionally has been presented to and audited by the Austrian supervisory body (RTR/TKK).
>
> The audited systems enforce various automated controls and tests including but not limited to pre-issuance linting tests utilizing the well-known open source tools.
>
> e-commerce monitoring GmbH has implemented automated monitoring systems that permanently evaluate the system security parameters, performance, availability and the resulting quality KPIs of the trusted services.
> Deviations from the expected quality KPIs trigger the notification and remediation process of our trained IT personnel during working hours and standby.
>
> Additionally, manual and automated self-audits are carried out on a quarterly basis against a random percentage of all issued certificates as required.
>
> *Auditing*
>
> e-commerce monitoring GmbH will continue to be evaluated by the auditor “A-SIT Zentrum für sichere Informationstechnologie” – Austria under the eIDAS / ETSI audit scheme.
>
> The most recent audit attestation including auditor’s accreditation scope and team qualification can be found under the provided URL and follows the ACAB-c template in its most recent version:
> https://www.a-sit.at/wp-content/uploads/2023/05/VIG-23-044_audit-attestation_globaltrust-etsi-2023_final_signed.pdf
>
> The most recent eIDAS conformity assessment report can be found here:
> https://service.globaltrust.eu/static/conformity-assessment-2023.pdf
>
> Here is a quick bottom-up way to reproduce the auditor's qualifications:
>
> - Accreditation scope A-SIT: https://akkreditierung-austria.gv.at/overview (see A-SIT)
> - Notification of A-SIT as CAB: (Name “Zentrum für sichere Informationstechnologie – Austria“ Acronym: “A-SIT”)
> - Notification of Akkreditierung Austria as NAB: https://eidas.ec.europa.eu/efda/browse/notification/cab-nab
> - Accreditation / “Akkreditierung Austria” at EA: https://european-accreditation.org/ea-members/directory-of-ea-members-and-mla-signatories/
>
> A-SIT has been recorded as auditor in the CCADB with Audit Firm Confidence Status as evaluated by Root Store Managers “High”:
> https://ccadb.my.site.com/s/detail/a0F1J00001ICCfqUAH
>
> On Thursday, February 8, 2024 at 1:19:33 PM UTC+1 e-commerce monitoring wrote:
>
> Dear All,
>
> e-commerce monitoring GmbH is now a 100% subsidiary of AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H., which is classified as “große Kapitalgesellschaft” (large corporation) and therefore needs to comply with all regulations of the Austrian GmbHG (limited liability company Act) and UGB (Commercial Code).
>
> e-commerce monitoring GmbH was taken over as a fully functional and independent entity inside the AUSTRIA CARD group of companies. The certified policies, processes and commitments of e-commerce monitoring GmbH continue to apply.
>
> The takeover of the company also includes the taking over of the established staff which results in no changes except top management, and e-commerce monitoring GmbH will continue to adhere to and operate according to the respective policies.
>
> Best regards,
> Daniel
>
> On Wednesday, February 7, 2024 at 12:22:36 AM UTC+1 Ben Wilson wrote:
>
> Hi Aaron,
>
> On Tue, Feb 6, 2024 at 3:00 PM Aaron Gable <aa...@letsencrypt.org> wrote:
>
> e-commerce monitoring GmbH currently has multiple open bugzilla tickets which have not had any updates from their staff in multiple months:
> - https://bugzilla.mozilla.org/show_bug.cgi?id=1815534
> - https://bugzilla.mozilla.org/show_bug.cgi?id=1862004
>
> Correct - the questions raised by these incidents still need to be answered.
>
> Does the behavior of the CA being acquired factor into decisions like this, or just the behavior of the acquiring entity?
>
> The behavior of the entity being acquired and the capabilities and history of the acquiring company are relevant, going back for an unspecified period of time. (Factors to be considered in deciding how far to go back include the nature and severity of any non-compliance and the degree to which any incidents reveal persistent, systemic problems.)
>
> If a distrust conversation were to arise in the future, how do root programs ensure that bugs filed under previous corporate names are still included in the analysis?
>
> We have not experienced a lot of M&A/name-change activity recently. I believe the Mozilla Community has sufficient continuity, institutional memory, and community-based knowledge about the history of CA operators. So, I think this concern can be handled when needed with comments from community members, and changes in the names of CA operators should not require that we create a new tracking solution. (If incidents are sufficiently recent or still have relevance, then we could update the Bugzilla bugs "Summaries" by replacing the name of the previous operator with the name of the new entity when there is a name change or CA operator replacement.)
>
> Ben
>
> Thanks,
>
> Aaron
>
> On Fri, Feb 2, 2024 at 5:25 PM Ben Wilson <bwi...@mozilla.com> wrote:
>
> Dear Suchan,
>
> You make a valid point. However, in this case, I wasn't sure how other root stores would be handling this. They may have their own processes. Also, the distribution on this list is almost 3x greater than on the CCADB public list, so I decided to post the discussion here.
>
> If the other root stores want to have a public discussion of this acquisition, then we can start a discussion on CCADB Public, too.
>
> Sincerely yours,
>
> Ben
>
> On Fri, Feb 2, 2024 at 5:53 PM Suchan Seo <tjt...@gmail.com> wrote:
>
> While I do not have the knowledge to comment on the acquisition itself, doesn't this fit the CCADB mailing list better? I thought root store policy about individual roots was moved there.
>
> On Saturday, February 3, 2024 at 1:45:19 AM UTC+9 Ben Wilson wrote:
>
> All,
>
> Recently we were advised that e-commerce monitoring GmbH is being acquired by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH.
>
> e-commerce monitoring operates the GLOBALTRUST 2020 root CA that is included in the Mozilla root store. They have advised us of the following:
>
> There are no changes to the operation of the CA and RA functions.
>
> Changes to the corporate structure:
>
> - New shareholder:
> AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H.
> registered under the number FN 98272v commercial court Vienna
> Lamezanstraße 4-8
> 1230 Vienna, Austria
> https://www.austriacard.com/
>
> - New Management
> new: CEO ("Geschäftsführer") Mr. Emmanouil Kontos
> new: Attorney ("Prokurist") Mr. Markus Kirchmayr
> old: CEO Hans Zeger
>
> - Registered headquarter
> new: Handelskai 388/621, 1020 Vienna, Austria
> old: Redtenbachergasse 20, 1160 Vienna, Austria
>
> According to section 8.1 of the Mozilla Root Store Policy, “If the receiving or acquiring company is new to the Mozilla root store, it MUST demonstrate compliance with the entirety of this policy. There MUST be a public discussion regarding its admittance to the root store. If Mozilla reaches a positive conclusion after public discussion, then the affected certificate(s) MAY remain in the root store.”
>
> By this email, I am initiating a four-week public discussion period, scheduled to close on Friday, 1-March-2024, to allow for at least three full weeks of public discussion. The first week (Feb. 5 – 9) is intended to give the acquiring company time to address the following topics:
>
> · Compliance with the Mozilla Root Store Policy
> · Ownership and governance
> · Investment and budget for CA operations, risk management, and compliance
> · Community engagement and involvement in industry groups
> · Employee expertise and continuity
> · Operational design and ongoing GRC management
> · Auditors and auditing
>
> Thanks,
>
> Ben Wilson
>
> Mozilla Root Store Program
>
> --
> You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabZVUgzo1rbr%3DyP-F0YzWCzjaO1sHKGYp%3DLTtQGzYEKrA%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/a5928cc9-23d4-4ab2-a639-291b74dd8ca9n%40mozilla.org.