Hi,

I was not really familiar with D-Trust, so I did some searching and asking,
and I have found something that I would like to raise for consideration.

D-Trust's director, Dr. Kim Nguyen, is an expert member of the European
Signature Dialog: https://www.european-signature-dialog.eu/Kim-Nguyen

The ESD has very vocally and, in my opinion, misleadingly campaigned
against shorter certificate lengths, framing the 90-day proposal (initially
Google's, but supported by other root programs and CAs since then) as
"anti-competitive behaviour":
https://www.european-signature-dialog.eu/Google_returns_to_anti-competitive_behavior-ESD_26042023.pdf
This document is still prominent on the ESD web site, in spite of the
fact that the Bundeskartellamt (Germany's antitrust agency, as I understand
it) terminated its administrative proceedings against Google related to
this matter, finding in the matter of reduced certificate duration that

> Overall the security level of the certification process was increased,
> from which the internet users and ultimately also the website operators
> benefited, as long as the reduction of the validity periods did not
> generally affect the purchase of certificates with a higher level of
> authentication [ed: OV/EV certificates], for which there is however no
> indication.

(https://www.bundeskartellamt.de/SharedDocs/Entscheidung/EN/Fallberichte/Missbrauchsaufsicht/2022/B7-250-19.html,
page 7)

The ESD site makes claims about this antitrust agency report that simply do
not accord with a clear reading of the case summary. It is difficult to
view this in a charitable light.

Additionally, in campaigning for EIDAS' possibility for mandatory inclusion
of certain roots, which would eliminate browsers' ability to make their own
informed trust decisions as they deem best for their users, the ESD cites
Mozilla having a small market share as reason for disregarding its
(opposed) position:

> (Note: Mozilla is the only browser who has signed this “industry statement”
> – none of the other browsers are included. According to statcounter.com,
> Mozilla Firefox has only a 3.0% world market share, down from 30% in prior
> years.)

(https://www.european-signature-dialog.eu/ESD_experts_support_trilogue_Art.45_results-6nov2023.pdf,
page 1)

We have recently seen, and as a community considered unacceptable, CAs
failing to respond appropriately to incidents until one of the "larger"
browsers' representatives appeared. Votes in the CAB/F and CCADB are not
weighted by market share by either CAs or browsers, and nor should they be.
*That* would be ripe for abuse of market power, which is why it's
imperative that CAs take all other CAs and browser members equally
seriously. This statement puts into serious question how a CA that endorsed
the ESD's beliefs would respond to incidents raised by Mozilla or its
community. We have seen recently that such incidents and attention can be
very important for detecting and reacting to CA malfeasance, and we have
seen how another member of this organization (Entrust) indeed displayed
this exact behaviour, to the detriment of the web PKI.

This document also states without elaboration or supporting evidence that
browsers have "abused their monopoly regulatory powers in the past", and
describes a 90-day lifetime limitation as being them abusing such power
"again". (page 4)

I have significant concerns about inclusion of a CA whose director shares
the beliefs and endorses the practices of this organization. Their policies
and advocacy are actively hostile to the integrity of the web PKI, and the
governance of the web PKI's institutions.

Questions for D-Trust:

- does D-Trust, or its director, agree with the positions of the ESD on
matters of certificate duration, and the relevance of market share to the
validity of different browser positions on web PKI matters?
- if not, why does D-Trust remain a member and allow its director to be
listed as endorser of this organization?
- did D-Trust endorse these positions when they were being established by
the ESD, or oppose them? Please provide examples of the positions taken, if
opposed.
- specifically, does D-Trust feel that reduced certificate duration
represents a security hazard, or antitrust concern? What is D-Trust's
position on certificate duration as a tool for reducing the impact of
misissuance or certificate compromise?
- specifically, when does D-Trust feel that it is appropriate to consider
browser market share when determining the validity of said browser's
position (on policy or an incident)? How would its response differ between
a concern raised by Chrome, versus one raised by Mozilla?

Thank you in advance for your thorough response,

Mike


On Thu, Sep 12, 2024 at 9:15 AM 'Ryan Dickson' via CCADB Public <
[email protected]> wrote:

> All,
>
> This email commences a six-week public discussion of D-Trust’s request to
> include the following certificates as publicly trusted root certificates in
> one or more CCADB Root Store Member’s program. This discussion period is
> scheduled to close on October 24, 2024.
>
> The purpose of this public discussion process is to promote openness and
> transparency. However, each Root Store makes its inclusion decisions
> independently, on its own timelines, and based on its own inclusion
> criteria. Successful completion of this public discussion process does not
> guarantee any favorable action by any root store.
>
> Anyone with concerns or questions is urged to raise them on this CCADB
> Public list by replying directly in this discussion thread. Likewise, a
> representative of the applicant must promptly respond directly in the
> discussion thread to all questions that are posted.
>
> CCADB Case Number: 00001362
> <https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001362>
> and 00001363
> <https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001363>
>
> Organization Background Information (listed in the CCADB):
>
>    - CA Owner Name: D-Trust
>    - Website: https://www.d-trust.net/en
>    - Address: Kommandantenstr. 15, Berlin, 10969, Germany
>    - Problem Reporting Mechanisms:
>      https://www.d-trust.net/en/support/reporting-certificate-problem
>    - Organization Type: Government Agency
>    - Repository URL: https://www.bundesdruckerei.de/en/Repository
>
> Certificates Requesting Inclusion:
>
>    1. D-TRUST EV Root CA 2 2023:
>       - Certificate download links: CA Repository
>         <https://www.d-trust.net/cgi-bin/D-TRUST_EV_Root_CA_2_2023.crt> / crt.sh
>         <https://crt.sh/?q=8E8221B2E7D4007836A1672F0DCC299C33BC07D316F132FA1A206D587150F1CE>
>       - Use cases served/EKUs:
>          - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
>          - Client Authentication 1.3.6.1.5.5.7.3.2
>       - Test websites:
>          - Valid: https://certdemo-ev-valid-rsa.tls.d-trust.net/
>          - Revoked: https://certdemo-ev-revoked-rsa.tls.d-trust.net/
>          - Expired: https://certdemo-ev-expired-rsa.tls.d-trust.net/
>       - Replacement notice: D-Trust has communicated intent to use this
>         applicant root to replace D-TRUST Root Class 3 CA 2 EV 2009
>         <https://crt.sh/?q=EEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881>
>         in some root stores, with the replacement taking place approximately on
>         September 1, 2026.
>
>    2. D-TRUST BR Root CA 2 2023:
>       - Certificate download links: CA Repository
>         <https://www.d-trust.net/cgi-bin/D-TRUST_BR_Root_CA_2_2023.crt> / crt.sh
>         <https://crt.sh/?q=0552E6F83FDF65E8FA9670E666DF28A4E21340B510CBE52566F97C4FB94B2BD1>
>       - Use cases served/EKUs:
>          - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
>          - Client Authentication 1.3.6.1.5.5.7.3.2
>       - Test websites:
>          - Valid: https://certdemo-dv-valid-rsa.tls.d-trust.net/
>          - Revoked: https://certdemo-dv-revoked-rsa.tls.d-trust.net/
>          - Expired: https://certdemo-dv-expired-rsa.tls.d-trust.net/
>       - Replacement notice: D-Trust has communicated intent to use this
>         applicant root to replace D-TRUST Root Class 3 CA 2 2009
>         <https://crt.sh/?q=49e7a442acf0ea6287050054b52564b650e4f49e42e348d6aa38e039e957b1c1>
>         in some root stores, with the replacement taking place approximately on
>         September 1, 2026.
>
> Existing Publicly Trusted Root CAs from D-Trust:
>
>    1. D-TRUST BR Root CA 1 2020:
>       - Certificate download links: CA Repository
>         <https://www.d-trust.net/cgi-bin/D-TRUST_BR_Root_CA_1_2020.crt> / crt.sh
>         <https://crt.sh/?q=E59AAA816009C22BFF5B25BAD37DF306F049797C1F81D85AB089E657BD8F0044>
>       - Use cases served/EKUs:
>          - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
>          - Client Authentication 1.3.6.1.5.5.7.3.2
>       - Certificate corpus: here
>         <https://search.censys.io/search?resource=certificates&q=E59AAA816009C22BFF5B25BAD37DF306F049797C1F81D85AB089E657BD8F0044%09+and+labels%3Dever-trusted>
>         (Censys login required)
>       - Included in: Google Chrome, Mozilla
>
>    2. D-Trust SBR Root CA 1 2022:
>       - Certificate download links: CA Repository
>         <http://www.d-trust.net/cgi-bin/D-Trust_SBR_Root_CA_1_2022.crt> / crt.sh
>         <https://crt.sh/?q=D92C171F5CF890BA428019292927FE22F3207FD2B54449CB6F675AF4922146E2>
>       - Use cases served/EKUs:
>          - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
>          - Client Authentication 1.3.6.1.5.5.7.3.2
>          - Document Signing AATL 1.2.840.113583.1.1.5
>          - Document Signing MS 1.3.6.1.4.1.311.10.3.12
>       - Certificate corpus: N/A
>       - Included in: Mozilla
>
>    3. D-Trust SBR Root CA 2 2022:
>       - Certificate download links: CA Repository
>         <http://www.d-trust.net/cgi-bin/D-Trust_SBR_Root_CA_2_2022.crt> / crt.sh
>         <https://crt.sh/?q=DBA84DD7EF622D485463A90137EA4D574DF8550928F6AFA03B4D8B1141E636CC>
>       - Use cases served/EKUs:
>          - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
>          - Client Authentication 1.3.6.1.5.5.7.3.2
>          - Document Signing AATL 1.2.840.113583.1.1.5
>          - Document Signing MS 1.3.6.1.4.1.311.10.3.12
>       - Certificate corpus: N/A
>       - Included in: Mozilla
>
>    4. D-TRUST EV Root CA 1 2020:
>       - Certificate download links: CA Repository
>         <https://www.d-trust.net/cgi-bin/D-TRUST_EV_Root_CA_1_2020.crt> / crt.sh
>         <https://crt.sh/?q=08170D1AA36453901A2F959245E347DB0C8D37ABAABC56B81AA100DC958970DB>
>       - Use cases served/EKUs:
>          - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
>          - Client Authentication 1.3.6.1.5.5.7.3.2
>       - Certificate corpus: here
>         <https://search.censys.io/search?resource=certificates&q=08170D1AA36453901A2F959245E347DB0C8D37ABAABC56B81AA100DC958970DB+and+labels%3Dever-trusted>
>         (Censys login required)
>       - Included in: Google Chrome, Mozilla
>
>    5. D-TRUST Root CA 3 2013:
>       - Certificate download links: CA Repository
>         <https://www.d-trust.net/cgi-bin/D-TRUST_Root_CA_3_2013.crt> / crt.sh
>         <https://crt.sh/?q=A1A86D04121EB87F027C66F53303C28E5739F943FC84B38AD6AF009035DD9457>
>       - Use cases served/EKUs:
>          - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
>          - Client Authentication 1.3.6.1.5.5.7.3.2
>          - Document Signing AATL 1.2.840.113583.1.1.5
>          - Document Signing MS 1.3.6.1.4.1.311.10.3.12
>       - Certificate corpus: N/A
>       - Included in: Apple, Microsoft, Mozilla
>
>    6. D-TRUST Root Class 3 CA 2 2009:
>       - Certificate download links: CA Repository
>         <https://www.d-trust.net/cgi-bin/D-TRUST_Root_Class_3_CA_2_2009.crt> / crt.sh
>         <https://crt.sh/?q=49E7A442ACF0EA6287050054B52564B650E4F49E42E348D6AA38E039E957B1C1>
>       - Use cases served/EKUs:
>          - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
>          - Client Authentication 1.3.6.1.5.5.7.3.2
>       - Certificate corpus: here
>         <https://search.censys.io/search?resource=certificates&q=49E7A442ACF0EA6287050054B52564B650E4F49E42E348D6AA38E039E957B1C1+and+labels%3Dever-trusted>
>         (Censys login required)
>       - Included in: Apple, Google Chrome, Microsoft, Mozilla
>
>    7. D-TRUST Root Class 3 CA 2 EV 2009:
>       - Certificate download links: CA Repository
>         <https://www.d-trust.net/cgi-bin/D-TRUST_Root_Class_3_CA_2_EV_2009.crt> / crt.sh
>         <https://crt.sh/?q=EEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881>
>       - Use cases served/EKUs:
>          - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
>          - Client Authentication 1.3.6.1.5.5.7.3.2
>       - Certificate corpus: here
>         <https://search.censys.io/search?resource=certificates&q=EEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881+and+labels%3Dever-trusted>
>         (Censys login required)
>       - Included in: Apple, Google Chrome, Microsoft, Mozilla
>
> Relevant Policy and Practices Documentation:
>
>    - CP: http://www.d-trust.net/internet/files/D-TRUST_CP.pdf
>    - CPS: http://www.d-trust.net/internet/files/D-TRUST_CSM_PKI_CPS.pdf
>    - TSPS: https://www.d-trust.net/internet/files/D-TRUST_TSPS.pdf
>
> Most Recent Self-Assessment:
>
>    - https://bugzilla.mozilla.org/attachment.cgi?id=9361619 (completed
>      10/30/2023)
>
> Audit Statements:
>
>    - Auditor: TÜViT - TÜV Informationstechnik GmbH
>    - Audit Criteria: ETSI
>    - Recent Audit Statement(s):
>       - Key Generation
>         <https://www.tuev-nord.de/fileadmin/Content/TUEV_NORD_DE/zertifizierung/Zertifikate/en/AA2023062801_D-Trust_Root_Ceremony_2023-05_PIT_V2.0.pdf>
>         (May 9, 2023)
>       - Standard Audit
>         <https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2023121501_D-Trust-CAs_Standard_Audit_V1.0.pdf>
>         (Period: October 8, 2022 to October 7, 2023)
>       - TLS BR Audit
>         <https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2023121501_D-Trust-CAs_TLS-BR_Audit_V1.0.pdf>
>         (Period: October 8, 2022 to October 7, 2023)
>       - TLS EVG Audit
>         <https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2023121501_D-Trust-CAs_TLS-EV_Audit_V1.0.pdf>
>         (Period: October 8, 2022 to October 7, 2023)
>
> Incident Summary (Bugzilla incidents from previous 24 months):
>
>    - 1682270 <https://bugzilla.mozilla.org/show_bug.cgi?id=1682270>:
>      D-TRUST: Private Key Disclosed by Customer as Part of CSR
>    - 1691117 <https://bugzilla.mozilla.org/show_bug.cgi?id=1691117>:
>      D-TRUST: Certificate with RSA key where modulus is not divisible by 8
>    - 1756122 <https://bugzilla.mozilla.org/show_bug.cgi?id=1756122>:
>      D-TRUST: Wrong key usage (Key Agreement)
>    - 1793440 <https://bugzilla.mozilla.org/show_bug.cgi?id=1793440>:
>      D-TRUST: CRL not DER-encoded
>    - 1861069 <https://bugzilla.mozilla.org/show_bug.cgi?id=1861069>:
>      D-Trust: Issuance of 15 DV certificates containing ‘serialNumber’ field
>      within subject
>    - 1862082 <https://bugzilla.mozilla.org/show_bug.cgi?id=1862082>:
>      D-Trust: Delay beyond 5 days in revoking misissued certificate
>    - 1879529 <https://bugzilla.mozilla.org/show_bug.cgi?id=1879529>:
>      D-Trust: "unknown" OCSP response for issued certificates
>    - 1884714 <https://bugzilla.mozilla.org/show_bug.cgi?id=1884714>:
>      D-Trust: LDAP-URL in Subscriber Certificate Authority Information Access
>      field
>    - 1891225 <https://bugzilla.mozilla.org/show_bug.cgi?id=1891225>:
>      D-Trust: Issuance of 15 certificates with incorrect subject attribute order
>    - 1893610 <https://bugzilla.mozilla.org/show_bug.cgi?id=1893610>:
>      D-Trust: Notice to affected Subscriber and person filing CPR not sent
>      within 24 hours
>    - 1896190 <https://bugzilla.mozilla.org/show_bug.cgi?id=1896190>:
>      D-Trust: Issuance of an EV certificate containing a mixup of the Subject's
>      postalCode and localityName
>    - 1913310 <https://bugzilla.mozilla.org/show_bug.cgi?id=1913310>:
>      D-Trust: CRL-Entries without required CRL Reason Code
>
> Thank you,
>
> Ryan, on behalf of the CCADB Steering Committee
>

-- 
You received this message because you are subscribed to the Google Groups 
"CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/ccadb.org/d/msgid/public/CADQzZqugiYohDjOvVPgBnYPaO6_Mbws2S-0_a-r5pzcngqmATg%40mail.gmail.com.
