Sorry, I forgot to post one case: https://www.relialabtest.com is the hierarchy I mentioned.

On Thursday, April 10, 2025 at 12:36:03 AM UTC+8 Arabella Barks wrote:
> Ben,
>
> I still suggest adopting the distrust-after.
> Among the root intermediates that Mozilla plans to remove trust from, there is
> the "AAA Certificate Services" of Sectigo CA, which is being widely issued
> and used by a subordinate CA of Cloudflare, namely "Cloudflare TLS Issuing
> ECC CA 1" (https://crt.sh/?caid=282054, and issued by "SSL.com TLS
> Transit ECC CA R2"). However, SSL.com TLS Transit ECC CA R2 is just a
> subordinate CA and not a Root.
>
> If Mozilla directly removes the "AAA Certificate Services" and others,
> more than 12,435,053 websites issued by "Cloudflare TLS Issuing ECC CA 1"
> will be affected. It has a bad impact on the business of Cloudflare's
> customers.
> The above is what I have found out through a few minutes of research,
> based on the sites count, and I think it will have a grave impact.
>
> I request the community to conduct an assessment to reduce this impact.
>
> On Thursday, April 10, 2025 at 12:10:21 AM UTC+8 Ben Wilson wrote:
>
>> Thanks for your feedback. Currently, our proposed strategy for handling
>> this particular issue will be to postpone processing the websites trust bit
>> removal from the Chunghwa Telecom ePKI Root CA by two or three months
>> (until approximately Firefox Release 141
>> <https://whattrainisitnow.com/release/?version=141>). In other words, we
>> do not anticipate using the distrust-after mechanism in the present case.
>> Thanks again,
>> Ben
>>
>> On Wed, Apr 9, 2025 at 9:55 AM Jeffrey Walton <[email protected]> wrote:
>>
>>> On Tue, Apr 1, 2025 at 11:03 AM 'Ben Wilson' via
>>> [email protected] <[email protected]> wrote:
>>> >
>>> > Per - https://bugzilla.mozilla.org/show_bug.cgi?id=1891438#c15:
>>> >
>>> > "In the interest of transparency, Mozilla received a formal request
>>> > from Taiwan's Ministry of Digital Affairs (MODA), dated March 15, 2025,
>>> > requesting that we delay the removal of the "websites" trust bit for
>>> > Chunghwa Telecom's ePKI Root CA, which is currently scheduled to occur on
>>> > or about April 15, 2025, in accordance with Mozilla's Root CA Lifecycles
>>> > Transition Schedule.
>>> >
>>> > MODA explained that the requested delay is intended to support the
>>> > ongoing transition of government websites away from certificates issued by
>>> > CHT's GTLSCA-G1 subordinate CA. As we understand it, MODA is already
>>> > implementing a short-term migration plan involving the dual issuance of
>>> > approximately 12,000 new certificates for government websites, one from
>>> > Chunghwa Telecom and one from Taiwan CA (TWCA), to ensure continued
>>> > availability of government services and minimize user disruption.
>>> >
>>> > While we have not yet finalized a decision, we are currently
>>> > contemplating:
>>> >
>>> > - Postponing the removal of the "websites" trust bit;
>>> > - Implementing a distrust-after date; or
>>> > - Taking other actions consistent with Mozilla Root Store Policy and
>>> >   ecosystem risk management.
>>> >
>>> > We note that:
>>> >
>>> > - The ePKI Root CA uses a 4096-bit RSA key, which provides stronger
>>> >   security than other similarly aged root certificates.
>>> > - Any extension under consideration would be strictly time-bounded
>>> >   (e.g., not to exceed August 1, 2025), reflecting a short-term
>>> >   accommodation, not a change in long-term policy direction.
>>> > - Mozilla would retain the right to remove or revoke trust at any time,
>>> >   based on new information or evolving risk factors.
>>> >
>>> > We welcome feedback on any of these approaches."
>>>
>>> Please consider avoiding the DistrustAfter strategy. It causes
>>> problems for tools which use Google, Mozilla (and friends) curated
>>> lists of trusted CAs. The tools include utilities like cURL and Wget.
>>> See, for example, <https://github.com/curl/curl/issues/15547>.
>>>
>>> Jeff
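The thread contrasts three outcomes for a root: keeping the websites trust bit, removing it outright, and setting a distrust-after date, and Jeff's point is that flat CA bundles cannot express the third. The following model is an added example, not code from the thread or from Mozilla/NSS; the anchors, CA names and dates are constructed, and the check that a distrust-after date is applied to the leaf certificate's notBefore is the assumption the model is built on.

```python
# Added example (not from the thread): a minimal model of how a root store can
# express "distrust-after" versus removing the websites trust bit outright, and
# why a flat PEM bundle (as consumed by tools like cURL and Wget) cannot carry it.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Cert:
    subject: str
    issuer: str
    not_before: date          # issuance date; distrust-after is judged against this

@dataclass
class Anchor:
    subject: str
    websites: bool = True                  # the "websites" trust bit
    distrust_after: Optional[date] = None  # leaves issued after this are not trusted

def evaluate(chain: List[Cert], anchors: List[Anchor]) -> str:
    """Chain is ordered leaf first; return a short verdict string."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return f"untrusted: {child.subject!r} not issued by {parent.subject!r}"
    anchor = next((a for a in anchors if a.subject == chain[-1].issuer), None)
    if anchor is None:
        return f"untrusted: no anchor for {chain[-1].issuer!r}"
    if not anchor.websites:
        return f"untrusted: websites trust bit removed from {anchor.subject!r}"
    if anchor.distrust_after and chain[0].not_before > anchor.distrust_after:
        return f"untrusted: leaf issued after distrust-after {anchor.distrust_after}"
    return f"trusted via {anchor.subject!r}"

def flat_bundle(anchors: List[Anchor], keep_distrust_after: bool) -> List[str]:
    """A PEM bundle has no field for distrust-after: an exporter must either keep
    such roots (over-trusting new issuance) or drop them (breaking old chains)."""
    return [a.subject for a in anchors
            if a.websites and (keep_distrust_after or a.distrust_after is None)]

# Constructed data modelled on the thread: an old root given a distrust-after
# date, a root whose websites bit was removed, and a leaf issued via a sub CA.
ANCHORS = [Anchor("Old Root A", distrust_after=date(2025, 8, 1)),
           Anchor("Retired Root B", websites=False)]
INTERMEDIATE = Cert("Sub CA 1", "Old Root A", date(2020, 1, 1))
OLD_LEAF = Cert("www.example", "Sub CA 1", date(2025, 7, 1))
NEW_LEAF = Cert("www.example", "Sub CA 1", date(2025, 9, 1))

if __name__ == "__main__":
    print(evaluate([OLD_LEAF, INTERMEDIATE], ANCHORS))      # trusted via 'Old Root A'
    print(evaluate([NEW_LEAF, INTERMEDIATE], ANCHORS))      # untrusted: leaf issued after ...
    print(flat_bundle(ANCHORS, keep_distrust_after=False))  # []
```

Running it shows the same site staying trusted on its existing certificate while a renewal issued after the date is rejected, and shows that neither flattening policy reproduces that behaviour.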
