I understand that the period for discussion has closed, but I'd like to offer my $0.02 anyway.

I find the incident response in https://bugzilla.mozilla.org/show_bug.cgi?id=1825780 both lacking in detail, and adversarial in nature. Telekom's response to this incident makes me wary of accepting them into the pool of CAs.

> We determined that the validation of the de-domains could be trusted because the validation was carried out in a secure process directly with DENIC, i.e. the central registry for all de-domains.

I'm worried that this shows a pattern of internal behavior that is at odds with public trust and being a public CA. And a set of behavior that ignores the accepted methods for domain validation.

Thanks,
Amir

On Wednesday, December 6, 2023 at 9:56:38 AM UTC-5 Chris Clements wrote:

> All,
>
> This is a reminder that the public discussion period on the inclusion
> application of Deutsche Telekom Security GmbH will close on Wednesday,
> December 13, 2023.
>
> Thank you,
> -Chris, on behalf of the CCADB Steering Committee
>
> On Mon, Nov 6, 2023 at 2:51 AM <[email protected]> wrote:
>
>> Hi Moudrick,
>>
>> yes, these Root-CAs that are the subject of this Root Inclusion Request
>> are fully managed by Deutsche Telekom Security GmbH.
>>
>> Greetings
>>
>> Stefan
>>
>> *From:* Moudrick M. Dadashov <[email protected]>
>> *Sent:* Friday, 3 November 2023 20:50
>> *To:* Kirch, Stefan <[email protected]>; [email protected]
>> *Cc:* FMB TrustCenter-Roots <[email protected]>
>> *Subject:* RE: AW: Public Discussion of Deutsche Telekom Security CA
>> Inclusion Request
>>
>> Thank you, Stefan.
>>
>> Do I understand correctly that, despite the organisational structure
>> and the relationship between the group members, this CA is fully managed by
>> Deutsche Telekom Security GmbH?
>>
>> Thanks,
>>
>> M.D.
>>
>> Sent from my Galaxy
>>
>> -------- Original message --------
>>
>> From: [email protected]
>> Date: 11/2/23 15:29 (GMT+02:00)
>> To: [email protected]
>> Cc: [email protected]
>> Subject: AW: Public Discussion of Deutsche Telekom Security CA Inclusion
>> Request
>>
>> Hi,
>>
>> For our answer we assume that "Deutsche Telekom AG" is meant rather than
>> "Deutsche Telekom GmbH" (such a company does not exist).
>>
>> The relationship is as follows:
>>
>> - Deutsche Telekom AG is the Group’s parent company
>>
>> - Deutsche Telekom Security GmbH is a 100% subsidiary of Deutsche Telekom
>> AG
>>
>> - T-Systems International GmbH is a 100% subsidiary of Deutsche Telekom AG
>>
>> With regard to the publicly trusted certificates, T-Systems International
>> GmbH was the owner of the Root CA certificates as well as the operator of
>> all Sub CAs of the Deutsche Telekom Group until 2020.
>>
>> With the establishment of Deutsche Telekom Security GmbH in 2020,
>> ownership of the Root CAs as well as operation of the Sub CAs of the
>> Deutsche Telekom Group were transferred internally from T-Systems
>> International GmbH to Deutsche Telekom Security GmbH.
>>
>> As the transfer also included all employees concerned, and operations
>> continued at the same physical locations under the same conditions, the
>> change mainly only took place on paper, with the name "T-Systems
>> International GmbH" being replaced by "Deutsche Telekom Security GmbH" in
>> the relevant documents and contracts.
>>
>> Regarding the change of the Root ownership see also
>>
>> https://groups.google.com/g/mozilla.dev.security.policy/c/pOu_jWY0SVY/m/2uLyuK4TAwAJ
>>
>> Greetings
>>
>> Stefan
>>
>> *From:* [email protected] <[email protected]> *On behalf of* Moudrick M.
>> Dadashov
>> *Sent:* Wednesday, 1 November 2023 19:39
>> *To:* Ryan Dickson <[email protected]>; public <[email protected]>
>> *Subject:* RE: Public Discussion of Deutsche Telekom Security CA
>> Inclusion Request
>>
>> Thank you. I’m trying to understand the organisational structure of the
>> applicant.
>>
>> Could someone please introduce us the relationship between Deutsche
>> Telekom GmbH, Deutsche Telekom Security GmbH and T-Systems International
>> GmbH?
>>
>> Specifically I’m interested to understand their roles within the CA
>> operations.
>>
>> Thanks,
>>
>> M.D.
>>
>> Sent from my Galaxy
>>
>> -------- Original message --------
>>
>> From: 'Ryan Dickson' via CCADB Public <[email protected]>
>> Date: 11/1/23 15:08 (GMT+02:00)
>> To: public <[email protected]>
>> Subject: Public Discussion of Deutsche Telekom Security CA Inclusion
>> Request
>>
>> All,
>>
>> This email commences a six-week public discussion of Deutsche Telekom
>> Security’s request to include the following CA certificates as publicly
>> trusted root certificates in one or more CCADB Root Store Member’s program.
>> This discussion period is scheduled to close on *December 13, 2023*.
>>
>> The purpose of this public discussion process is to promote openness and
>> transparency. However, each Root Store makes its inclusion decisions
>> independently, on its own timelines, and based on its own inclusion
>> criteria. Successful completion of this public discussion process does not
>> guarantee any favorable action by any root store.
>>
>> Anyone with concerns or questions is urged to raise them on this CCADB
>> Public list by replying directly in this discussion thread. Likewise, a
>> representative of the applicant must promptly respond directly in the
>> discussion thread to all questions that are posted.
>>
>> *CCADB Case Number:* 00001269
>> <https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001269>
>>
>> *Organization Background Information (listed in CCADB):*
>>
>> · *CA Owner Name:* Deutsche Telekom Security GmbH
>> · *Website:* https://www.telesec.de/
>> · *Address:* Untere Industriestrasse 20, Netphen, 57250 Germany
>> · *Problem Reporting Mechanisms:* https://www.telesec.de/en/kontakt-en
>> · *Organization Type:* Private Corporation
>>    o Deutsche Telekom Security is a subsidiary of Deutsche Telekom AG
>> · *Repository URL:* https://www.telesec.de/en/service/downloads/pki-repository/
>>
>> *Certificates Requesting Inclusion:*
>>
>> *1.* *Telekom Security SMIME ECC Root 2021:*
>>    o Certificate download links: (CA Repository
>>      <https://www.telesec.de/assets/downloads/PKI-Repository/Telekom_Security_SMIME_ECC_Root_2021.cer>,
>>      crt.sh
>>      <https://crt.sh/?sha256=3AE6DF7E0D637A65A8C81612EC6F9A142F85A16834C10280D88E707028518755>)
>>    o Use cases served/EKUs:
>>       § Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
>>    o Test websites: N/A (S/MIME CA)
>>
>> *2.* *Telekom Security TLS ECC Root 2020:*
>>    o Certificate download links: (CA Repository
>>      <https://www.telesec.de/assets/downloads/PKI-Repository/Telekom_Security_TLS_ECC_Root_2020.cer>,
>>      crt.sh
>>      <https://crt.sh/?sha256=578AF4DED0853F4E5998DB4AEAF9CBEA8D945F60B620A38D1A3C13B2BC7BA8E1>)
>>    o Use cases served/EKUs:
>>       § Server Authentication 1.3.6.1.5.5.7.3.1
>>       § Client Authentication 1.3.6.1.5.5.7.3.2
>>    o Test websites:
>>       § Valid: https://active.tstlser20.test.telesec.de/
>>       § Revoked: https://revoked.tstlser20.test.telesec.de/
>>       § Expired: https://expired.tstlser20.test.telesec.de/
>>
>> *3.* *Telekom Security SMIME RSA Root 2023:*
>>    o Certificate download links: (CA Repository
>>      <https://www.telesec.de/assets/downloads/PKI-Repository/Telekom_Security_SMIME_RSA_Root_2023.cer>,
>>      crt.sh
>>      <https://crt.sh/?sha256=78A656344F947E9CC0F734D9053D32F6742086B6B9CD2CAE4FAE1A2E4EFDE048>)
>>    o Use cases served/EKUs:
>>       § Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
>>       § Client Authentication 1.3.6.1.5.5.7.3.2
>>    o Test websites: N/A (S/MIME CA)
>>
>> *4.* *Telekom Security TLS RSA Root 2023:*
>>    o Certificate download links: (CA Repository
>>      <https://www.telesec.de/assets/downloads/PKI-Repository/Telekom_Security_TLS_RSA_Root_2023.cer>,
>>      crt.sh
>>      <https://crt.sh/?sha256=EFC65CADBB59ADB6EFE84DA22311B35624B71B3B1EA0DA8B6655174EC8978646>)
>>    o Use cases served/EKUs:
>>       § Server Authentication 1.3.6.1.5.5.7.3.1
>>       § Client Authentication 1.3.6.1.5.5.7.3.2
>>    o Test websites:
>>       § Valid: https://active.tstlsrr23.test.telesec.de/
>>       § Revoked: https://revoked.tstlsrr23.test.telesec.de/
>>       § Expired: https://expired.tstlsrr23.test.telesec.de/
>>
>> *Existing Publicly Trusted Root CAs from Deutsche Telekom Security:*
>>
>> *1.* *T-TeleSec GlobalRoot Class 2:*
>>    o Certificate download links: CA Repository
>>      <https://www.telesec.de/assets/downloads/PKI-Repository/T-TeleSec_GlobalRoot_Class_2.cer>,
>>      crt.sh
>>      <https://crt.sh/?q=91E2F5788D5810EBA7BA58737DE1548A8ECACD014598BC0B143E041B17052552>
>>    o Use cases served/EKUs:
>>       § Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
>>       § Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
>>       § Client Authentication 1.3.6.1.5.5.7.3.2
>>    o Certificate Corpus: here
>>      <https://search.censys.io/search?resource=certificates&q=parsed.extensions.authority_key_id%3A+bf5920360079a0a0226b8cd5f261d2b82ccb824a>
>>      (requires Censys account)
>>    o Included in: Apple, Chrome, Microsoft, Mozilla
>>
>> *2.* *T-TeleSec GlobalRoot Class 3:*
>>    o Certificate download links: CA Repository
>>      <https://www.telesec.de/assets/downloads/PKI-Repository/T-TeleSec_GlobalRoot_Class_3.cer>,
>>      crt.sh
>>      <https://crt.sh/?q=FD73DAD31C644FF1B43BEF0CCDDA96710B9CD9875ECA7E31707AF3E96D522BBD>
>>    o Use cases served/EKUs:
>>       § Server Authentication (TLS) 1.3.6.1.5.5.7.3.1;
>>       § Client Authentication 1.3.6.1.5.5.7.3.2
>>    o Certificate Corpus: here
>>      <https://search.censys.io/search?resource=certificates&q=parsed.extensions.authority_key_id%3A+b503f7763b61826a12aa1853eb032194bffececa>
>>      (requires Censys account)
>>    o Included in: Apple, Chrome, Microsoft, Mozilla
>>
>> *Relevant Policy and Practices Documentation:*
>>
>> · Certificate Policy - v. 4.0 (Sept. 1, 2023),
>>   https://www.telesec.de/assets/downloads/PKI-Repository/Telekom-Security-CP-EN-V4.0.pdf
>> · Certification Practices Statement - v. 6.0 (Sept. 1, 2023),
>>   https://www.telesec.de/assets/downloads/PKI-Repository/Telekom-Security-CPS-Public-EN-V6.0.pdf
>>
>> *Most Recent Self-Assessment:*
>>
>> · https://www.telesec.de/assets/downloads/2023-08-28_Telekom_Security_CCADB_Self_Assessment_Framework_v1.2.xlsx
>>
>> *Audit Statements:*
>>
>> · Auditor: TÜV Informationstechnik GmbH
>> · Audit Criteria: ETSI EN 319 411-1 V1.3.1 (2021-05); ETSI EN 319
>>   411-2, V2.4.1 (2021-11)
>> · Date of Audit Letter Issuance: June 21, 2023
>> · For Period of Time: April 8, 2022, through April 7, 2023
>> · Audit Statement(s):
>>    o https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2023062101_Telekom_Security_2023_V1.0.pdf
>>
>> *Incident Summary (Bugzilla incidents from previous 24 months):*
>>
>> · Improper use of a domain validation method (Bugzilla Bug
>>   #1825780 <https://bugzilla.mozilla.org/show_bug.cgi?id=1825780>)
>>
>> Thanks,
>>
>> Ryan, on behalf of the CCADB Steering Committee
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "CCADB Public" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/ccadb.org/d/msgid/public/CADEW5O_%3DkLcjqCLTj-XsBzVt94JgD0zA-HYfx9G711QVEr6HYQ%40mail.gmail.com
