Hi Mike, Thanks for your statement.
Thanks, Enrico Von: Mike Shaver <[email protected]> Gesendet: Samstag, 5. Oktober 2024 19:44 An: George <[email protected]> Cc: Entschew, Enrico <[email protected]>; 'Amir Omidi' via CCADB Public <[email protected]>; Sahin, Leyla (D-Trust) <[email protected]>; Amir Omidi <[email protected]>; Ryan Dickson <[email protected]> Betreff: Re: AW: Public Discussion of D-Trust TLS CA Inclusion Request Yeah, this raises a point that I think should perhaps be explicit in the BRs: how onerous is a CA allowed to make the CPR process, and do they have a responsibility to respond to CPRs submitted in other “generally acceptable” ways? If they become aware of an issue with certificates through other means, should they treat it equally in terms of incident response? For example, if a CA was validating CAA records in ways that contradicted the language of their CPS, and was informed of this through informal back-channels, should they still open an incident report for the benefit of the community? Put another way: should the CPR process be optimized for the ease of the CA, or the ease of the reporter (who acts IMO on behalf of relying parties)? My opinion on this is probably not hard to guess. Mike On Sat, Oct 5, 2024 at 1:32 PM 'George' via CCADB Public <[email protected]<mailto:[email protected]>> wrote: Hi Enrico, If someone reported a certificate problem to the relevant email address without also including the PDF form, would D-Trust still investigate the issue? I don't see how the PDF provides much more value than other CAs who simply provide an email address on its own. Thanks, George. On Sat, Oct 5, 2024 at 17:44, 'Entschew, Enrico' via CCADB Public <[email protected]<mailto:On+Sat,+Oct+5,+2024+at+17:44,+'Entschew,+Enrico'+via+CCADB+Public+%3C%3Ca+href=>> wrote: Hi Amir, Leyla is on sick leave. Therefore I’ll take over for her. We understand that the current CPR process is not convenient but it fulfills all requirements and worked so far as needed. We are in the process of creating an improved version of the CPR process which will be introduced as a web form by the end of the year. Thanks, Enrico ________________________________ Von: 'Amir Omidi' via CCADB Public <[email protected]<mailto:[email protected]>> Gesendet: Samstag, 5. Oktober 2024 01:27 An: Sahin, Leyla (D-Trust) <[email protected]<mailto:[email protected]>> Cc: public <[email protected]<mailto:[email protected]>>; Ryan Dickson <[email protected]<mailto:[email protected]>> Betreff: Re: Public Discussion of D-Trust TLS CA Inclusion Request So, it’s been definitely more than a week. Not remembering your public commitments does not inspire confidence. I think if you’re having these types of mistakes this early on, root programs should not welcome you into their trust stores. On Fri, Sep 13, 2024 at 06:16 Sahin, Leyla < [email protected]<mailto:[email protected]>> wrote: Dear Amir, Thank you for your comment. We will review this and come back to you by the end of next week. Greetings, Leyla Von: 'Amir Omidi' via CCADB Public <[email protected]<mailto:[email protected]>> Gesendet: Donnerstag, 12. September 2024 16:17 An: Ryan Dickson <[email protected]<mailto:[email protected]>> Cc: public <[email protected]<mailto:[email protected]>> Betreff: Re: Public Discussion of D-Trust TLS CA Inclusion Request The CPR process ( https://www.d-trust.net/en/support/reporting-certificate-problem) seems quite annoying. Downloading and editing a PDF just to send a CPR is a bit too much. On Thu, Sep 12, 2024 at 09:15 'Ryan Dickson' via CCADB Public <[email protected]<mailto:[email protected]>> wrote: All, This email commences a six-week public discussion of D-Trust’s request to include the following certificates as publicly trusted root certificates in one or more CCADB Root Store Member’s program. This discussion period is scheduled to close on October 24, 2024. The purpose of this public discussion process is to promote openness and transparency. However, each Root Store makes its inclusion decisions independently, on its own timelines, and based on its own inclusion criteria. Successful completion of this public discussion process does not guarantee any favorable action by any root store. Anyone with concerns or questions is urged to raise them on this CCADB Public list by replying directly in this discussion thread. Likewise, a representative of the applicant must promptly respond directly in the discussion thread to all questions that are posted. CCADB Case Number: 00001362<https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001362> and 00001363<https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001363> Organization Background Information (listed in the CCADB): • CA Owner Name: D-Trust • Website: https://www.d-trust.net/en • Address: Kommandantenstr. 15, Berlin, 10969, Germany<https://www.google.com/maps/search/Kommandantenstr.+15,+Berlin,+10969,+Germany?entry=gmail&source=g> • Problem Reporting Mechanisms: https://www.d-trust.net/en/support/reporting-certificate-problem • Organization Type: Government Agency • Repository URL: https://www.bundesdruckerei.de/en/Repository Certificates Requesting Inclusion: 1. D-TRUST EV Root CA 2 2023: o Certificate download links: CA Repository<https://www.d-trust.net/cgi-bin/D-TRUST_EV_Root_CA_2_2023.crt> / crt.sh<https://crt.sh/?q=8E8221B2E7D4007836A1672F0DCC299C33BC07D316F132FA1A206D587150F1CE> o Use cases served/EKUs: • Server Authentication (TLS) 1.3.6.1.5.5.7.3.1 • Client Authentication 1.3.6.1.5.5.7.3.2 o Test websites: • Valid: https://certdemo-ev-valid-rsa.tls.d-trust.net/ • Revoked: https://certdemo-ev-revoked-rsa.tls.d-trust.net/ • Expired: https://certdemo-ev-expired-rsa.tls.d-trust.net/ o Replacement notice: D-Trust has communicated intent to use this applicant root to replace D-TRUST Root Class 3 CA 2 EV 2009<https://crt.sh/?q=EEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881> in some root stores, with the replacement taking place approximately on September 1, 2026. 2. D-TRUST BR Root CA 2 2023: o Certificate download links: CA Repository<https://www.d-trust.net/cgi-bin/D-TRUST_BR_Root_CA_2_2023.crt> / crt.sh<https://crt.sh/?q=0552E6F83FDF65E8FA9670E666DF28A4E21340B510CBE52566F97C4FB94B2BD1> o Use cases served/EKUs: • Server Authentication (TLS) 1.3.6.1.5.5.7.3.1 • Client Authentication 1.3.6.1.5.5.7.3.2 o Test websites: • Valid: https://certdemo-dv-valid-rsa.tls.d-trust.net/ • Revoked: https://certdemo-dv-revoked-rsa.tls.d-trust.net/ • Expired: https://certdemo-dv-expired-rsa.tls.d-trust.net/ o Replacement notice: D-Trust has communicated intent to use this applicant root to replace D-TRUST Root Class 3 CA 2 2009<https://crt.sh/?q=49e7a442acf0ea6287050054b52564b650e4f49e42e348d6aa38e039e957b1c1> in some root stores, with the replacement taking place approximately on September 1, 2026. Existing Publicly Trusted Root CAs from D-Trust: 1. D-TRUST BR Root CA 1 2020: o Certificate download links: (CA Repository<https://www.d-trust.net/cgi-bin/D-TRUST_BR_Root_CA_1_2020.crt> /crt.sh<https://crt.sh/?q=E59AAA816009C22BFF5B25BAD37DF306F049797C1F81D85AB089E657BD8F0044>) o Use cases served/EKUs: • Server Authentication (TLS) 1.3.6.1.5.5.7.3.1 • Client Authentication 1.3.6.1.5.5.7.3.2 o Certificate corpus: here<https://search.censys.io/search?resource=certificates&q=E59AAA816009C22BFF5B25BAD37DF306F049797C1F81D85AB089E657BD8F0044%09+and+labels%3Dever-trusted> (Censys login required) o Included in: Google Chrome, Mozilla 2. D-Trust SBR Root CA 1 2022: o Certificate download links: (CA Repository<http://www.d-trust.net/cgi-bin/D-Trust_SBR_Root_CA_1_2022.crt> / crt.sh<https://crt.sh/?q=D92C171F5CF890BA428019292927FE22F3207FD2B54449CB6F675AF4922146E2>) o Use cases served/EKUs: • Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; • Client Authentication 1.3.6.1.5.5.7.3.2; • Document Signing AATL 1.2.840.113583.1.1.5; • Document Signing MS 1.3.6.1.4.1.311.10.3.12 o Certificate corpus: N/A o Included in: Mozilla 3. D-Trust SBR Root CA 2 2022: o Certificate download links: (CA Repository<http://www.d-trust.net/cgi-bin/D-Trust_SBR_Root_CA_2_2022.crt> / crt.sh<https://crt.sh/?q=DBA84DD7EF622D485463A90137EA4D574DF8550928F6AFA03B4D8B1141E636CC>) o Use cases served/EKUs: • Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; • Client Authentication 1.3.6.1.5.5.7.3.2; • Document Signing AATL 1.2.840.113583.1.1.5; • Document Signing MS 1.3.6.1.4.1.311.10.3.12 o Certificate corpus: N/A o Included in: Mozilla 4. D-TRUST EV Root CA 1 2020: o Certificate download links: (CA Repository<https://www.d-trust.net/cgi-bin/D-TRUST_EV_Root_CA_1_2020.crt> / crt.sh<https://crt.sh/?q=08170D1AA36453901A2F959245E347DB0C8D37ABAABC56B81AA100DC958970DB>) o Use cases served/EKUs: • Server Authentication (TLS) 1.3.6.1.5.5.7.3.1 • Client Authentication 1.3.6.1.5.5.7.3.2 o Certificate corpus: here<https://search.censys.io/search?resource=certificates&q=08170D1AA36453901A2F959245E347DB0C8D37ABAABC56B81AA100DC958970DB+and+labels%3Dever-trusted> (Censys login required) o Included in: Google Chrome, Mozilla 5. D-TRUST Root CA 3 2013: o Certificate download links: (CA Repository<https://www.d-trust.net/cgi-bin/D-TRUST_Root_CA_3_2013.crt> / crt.sh<https://crt.sh/?q=A1A86D04121EB87F027C66F53303C28E5739F943FC84B38AD6AF009035DD9457>) o Use cases served/EKUs: • Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; • Client Authentication 1.3.6.1.5.5.7.3.2; • Document Signing AATL 1.2.840.113583.1.1.5; • Document Signing MS 1.3.6.1.4.1.311.10.3.12 o Certificate corpus: N/A o Included in: Apple, Microsoft, Mozilla 6. D-TRUST Root Class 3 CA 2 2009: o Certificate download links: (CA Repository<https://www.d-trust.net/cgi-bin/D-TRUST_Root_Class_3_CA_2_2009.crt> / crt.sh<https://crt.sh/?q=49E7A442ACF0EA6287050054B52564B650E4F49E42E348D6AA38E039E957B1C1>) o Use cases served/EKUs: • Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; • Client Authentication 1.3.6.1.5.5.7.3.2 o Certificate corpus: here<https://search.censys.io/search?resource=certificates&q=49E7A442ACF0EA6287050054B52564B650E4F49E42E348D6AA38E039E957B1C1+and+labels%3Dever-trusted> (Censys login required) o Included in: Apple, Google Chrome, Microsoft, Mozilla 7. D-TRUST Root Class 3 CA 2 EV 2009: o Certificate download links: (CA Repository<https://www.d-trust.net/cgi-bin/D-TRUST_Root_Class_3_CA_2_EV_2009.crt> / crt.sh<https://crt.sh/?q=EEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881>) o Use cases served/EKUs: • Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; • Client Authentication 1.3.6.1.5.5.7.3.2 o Certificate corpus: here<https://search.censys.io/search?resource=certificates&q=EEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881+and+labels%3Dever-trusted> (Censys login required) o Included in: Apple, Google Chrome, Microsoft, Mozilla Relevant Policy and Practices Documentation: • CP: http://www.d-trust.net/internet/files/D-TRUST_CP.pdf • CPS: http://www.d-trust.net/internet/files/D-TRUST_CSM_PKI_CPS.pdf • TSPS: https://www.d-trust.net/internet/files/D-TRUST_TSPS.pdf Most Recent Self-Assessment: • https://bugzilla.mozilla.org/attachment.cgi?id=9361619 (completed 10/30/2023) Audit Statements: • Auditor: TÜViT - TÜV Informationstechnik GmbH • Audit Criteria: ETSI • -- You received this message because you are subscribed to the Google Groups "CCADB Public" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/BE1P281MB21956A781BE592F8F5F8BA9186782%40BE1P281MB2195.DEUP281.PROD.OUTLOOK.COM.
