On September 12, 2024, we began a six-week, public discussion <https://groups.google.com/a/ccadb.org/g/public/c/gbPfqACMfRw/m/-W2QivT2AQAJ> on the request from D-Trust for inclusion of its root certificates:
- D-TRUST EV Root CA 2 2023
- D-TRUST BR Root CA 2 2023

The public discussion period ended on October 24, 2024.

==========================

Summary of Discussion

Discussion item #1:

Several observations related to D-Trust’s Certificate Problem Report (CPR) process were presented:
- The CPR process, which involves downloading and editing a PDF, was described as inconvenient.
- It was not clear how D-Trust measures the effectiveness of its CPR process and whether the process discouraged reporting.
- It was not clear if D-Trust investigates CPRs submitted without the PDF form.

D-Trust Response to Discussion item #1:

D-Trust acknowledged the inconvenience and committed to introducing an improved web form by the end of the year. D-Trust believes the process works because they receive CPRs from various parties. They explained that the PDF form helps ensure users provide all relevant information and minimizes spam. D-Trust confirmed they would investigate regardless of the reporting format, but emphasized that the PDF form helps ensure they receive structured and complete information.

Discussion item #2:

The public raised concerns about D-Trust's potential alignment with the European Signature Dialog's (ESD) positions on certificate validity and browser market share, given the ESD's history of stances perceived as detrimental to the Web PKI ecosystem. Clarification was sought for:
- D-Trust's stance on reducing certificate validity periods, asking if they viewed such reductions as anti-competitive or detrimental to security, and
- whether D-Trust considers browser market share when evaluating the validity of concerns raised by different browsers.

D-Trust Response to Discussion item #2:

D-Trust clarified that the former director associated with the ESD was no longer with D-Trust. D-Trust stated that reducing certificate duration is not inherently anti-competitive and that the impact on security depends on the specific circumstances of implementation.
D-Trust affirmed that they consider all relevant root program policies equally important.

==========================

We thank community members for their review and consideration during this period. Root Store Programs will make final inclusion decisions independently, on their own timelines, and based on each Root Store Member’s own inclusion criteria. Further discussion may take place in the independently managed Root Store community forums (i.e., MDSP).

Thank you

-Chris, on behalf of the CCADB Steering Committee

On Wed, Oct 23, 2024 at 12:27 PM 'Entschew, Enrico' via CCADB Public <[email protected]> wrote:

> Hi Mike,
> We still think that the questions are not relevant for the process of root
> inclusion, but we are happy to assist. Nevertheless, we would like to make
> our holistic answers as comprehensive and clear as possible in order to
> maximise transparency. We would like to express again that we fulfil all
> applicable requirements and will continue to do so in the future.
>
> *Does D-Trust hold the position that reduction of certificate duration by
> a root program is anti-competitive?*
> We consider that a reduction in the certificate duration is not inherently
> anti-competitive. According to our position, the implications of such a
> reduction depend significantly on how it is introduced or enforced by
> market participants who hold market-dominant positions. If these
> participants leverage their influence in ways that restrict competition or
> create unfair advantages for themselves, this may certainly lead to
> anti-competitive practices. In procedures in which the interests of all
> market participants and the web security are sufficiently taken into
> account, we see no anti-competitive problems.
>
> *Does D-Trust hold the position that reduction of certificate validity has
> negative impact on the security of the web PKI?*
> We cannot answer this question with a clear yes or no, as the answer
> depends heavily on the specific circumstances of the introduction and
> subsequent implementation of the reduction of certificate validity.
> According to our opinion, factors such as the context in which the measure
> is implemented, the actors involved, the resources and the general
> framework conditions may play a decisive role and have a significant
> influence on the results.
>
> *Does D-Trust hold the position that browser market share is relevant to
> determining the validity or importance of root program positions on matters
> of web PKI policy?*
> Every relevant root program policy is important to us and is given equal
> importance. From our perspective, it needs a neutral and unambiguous position.
>
> *Does D-Trust hold the position that “roll-over” requests are or should be
> subject to less scrutiny than those of initial inclusion?*
> D-Trust has understood from previous and current discussions that there is
> a strong desire among some root store operators to shorten the duration of
> root and SubCA certificates. Currently, root certificates are designed to
> be used over a longer period of 10 to 15 years. Experience shows that the
> root inclusion process takes between one and four years for all relevant
> root store operators. It is currently not possible to estimate the exact
> duration in advance.
> Our understanding is that if root and subCA certificates are to have
> significantly shorter durations in the future to promote agility in
> cryptography, an optimised onboarding process is required.
> We welcome and understand that a very thorough review of the requesting
> TSP and the corresponding root certificates is necessary for the initial
> integration.
> However, we are of the opinion that the renewal of an already
> included root does not necessarily require an examination comparable or
> equal to that of an initial inclusion. The TSP and the already included
> roots are already subject to a strict governance regime, which ensures that
> the security and reliability requirements are continuously met. In
> addition, an application for root inclusion is only submitted to the CCADB
> community once it has been proven that all requirements have been met. This
> procedure should enable a more efficient and faster integration of root
> certificates in the future and at the same time ensure the necessary
> security and trustworthiness.
> We are convinced that adapting the integration process will not only
> improve the competitiveness, but also promote innovation in the field of
> publicly trusted certificates.
>
> Thanks,
> Enrico
>
>
> ------------------------------
> *From:* [email protected] <[email protected]> on behalf of Mike Shaver <[email protected]>
> *Sent:* Saturday, 19 October 2024 15:30
> *To:* Ryan Dickson <[email protected]>
> *Cc:* public <[email protected]>
> *Subject:* Re: Public Discussion of D-Trust TLS CA Inclusion Request
>
> As promised, here are my outstanding unanswered questions about D-Trust’s
> position on PKI-related matters:
>
> - does D-Trust hold the position that reduction of certificate duration by
> a root program is anti-competitive?
>
> - does D-Trust hold the position that reduction of certificate validity
> has negative impact on the security of the web PKI?
>
> - does D-Trust hold the position that browser market share is relevant to
> determining the validity or importance of root program positions on matters
> of web PKI policy?
>
> - does D-Trust hold the position that “roll-over” requests are or should
> be subject to less scrutiny than those of initial inclusion?
>
> I would appreciate D-Trust’s responsive replies to these questions, in the
> absence of cogent explanation for why these questions are not suitable as
> part of discussion of a root’s application for (continued) inclusion. I
> would also appreciate the perspective of other members of this community on
> the relevance of the questions, as I hold the position that they will be
> relevant to future inclusion discussions as well.
>
> Mike
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "CCADB Public" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/ccadb.org/d/msgid/public/CADQzZqsr8w-vmhYBLNypsO4R-Xcv%2BLZPHdOPqPOrnEEoAsLMaQ%40mail.gmail.com
