Thanks for your feedback. Currently, our proposed strategy for handling
this particular issue will be to postpone processing the websites trust bit
removal from the Chunghwa Telecom ePKI Root CA by two or three months
(until approximately Firefox Release 141
<https://whattrainisitnow.com/release/?version=141>). In other words, we do
not anticipate using the distrust-after mechanism in the present case.
Thanks again,
Ben

On Wed, Apr 9, 2025 at 9:55 AM Jeffrey Walton <[email protected]> wrote:

> On Tue, Apr 1, 2025 at 11:03 AM 'Ben Wilson' via
> [email protected] <[email protected]>
> wrote:
> >
> > Per - https://bugzilla.mozilla.org/show_bug.cgi?id=1891438#c15:
> >
> > "In the interest of transparency, Mozilla received a formal request from
> > Taiwan’s Ministry of Digital Affairs (MODA), dated March 15, 2025,
> > requesting that we delay the removal of the “websites” trust bit for
> > Chunghwa Telecom’s ePKI Root CA, which is currently scheduled to occur on
> > or about April 15, 2025, in accordance with Mozilla’s Root CA Lifecycles
> > Transition Schedule.
> >
> > MODA explained that the requested delay is intended to support the
> > ongoing transition of government websites away from certificates issued by
> > CHT’s GTLSCA-G1 subordinate CA. As we understand it, MODA is already
> > implementing a short-term migration plan involving the dual issuance of
> > approximately 12,000 new certificates for government websites—one from
> > Chunghwa Telecom and one from Taiwan CA (TWCA)—to ensure continued
> > availability of government services and minimize user disruption.
> >
> > While we have not yet finalized a decision, we are currently
> > contemplating:
> >
> > Postponing the removal of the “websites” trust bit;
> > Implementing a distrust-after date; or
> > Taking other actions consistent with Mozilla Root Store Policy and
> > ecosystem risk management.
> >
> > We note that:
> >
> > The ePKI Root CA uses a 4096-bit RSA key, which provides stronger
> > security than other similarly aged root certificates.
> > Any extension under consideration would be strictly time-bounded (e.g.,
> > not to exceed August 1, 2025), reflecting a short-term accommodation, not a
> > change in long-term policy direction.
> > Mozilla would retain the right to remove or revoke trust at any time,
> > based on new information or evolving risk factors.
> >
> > We welcome feedback on any of these approaches."
>
> Please consider avoiding the DistrustAfter strategy. It causes
> problems for tools which use Google, Mozilla (and friends) curated
> lists of trusted CAs. The tools include utilities like cURL and Wget.
> See, for example, <https://github.com/curl/curl/issues/15547>.
>
> Jeff
>