Re: Public Discussion of GlobalSign's CA Inclusion Request for R46, E46, R45 and E45 Roots

2021-02-02 Thread Ben Wilson via dev-security-policy
On January 11, 2021, we began the public discussion period [Step 4 of the
Mozilla Root Store CA Application Process] for the above-referenced
GlobalSign inclusion request.

*Summary of Discussion and Completion of Action Items [Steps 5-8]:*

Recently, Ryan Sleevi noted that GlobalSign is transitioning to a better
Root CA hierarchy with single-purpose roots.  This will lead to less risk
due to fewer cross-dependencies from other uses of PKI. He also noted that
GlobalSign has improved the quality of its incident reporting and
remediation.  I agree on both of these points.

While GlobalSign currently has six matters open in Bugzilla, none of these
should be a reason to delay approval of this inclusion request.

1591005 – the relevant issuing CAs have been revoked (nearly closed,
waiting on a final key destruction report)

1649937 - Incorrect OCSP Delegated Responder Certificate issue - GlobalSign
ceased including the OCSP signing EKU in any newly generated issuing CA
(approximately 10 remaining issuing CAs affected by issue are on schedule
to be revoked)

1651447 – Delayed CA revocation, per issue # 1649937 above (GlobalSign is
switching over from old to newer infrastructure, as described in this and
other bugs)

1664328 - SHA-256 hash algorithm used with ECC P-384 key (almost closed,
status update needed)

1667944 – Empty SingleExtension in OCSP responses (migration to new OCSP
responders nearly completed)

1668007 – Country name in stateOrProvinceName field (almost closed, status
update needed)

This is notice that I am closing public discussion [Step 9] and that it is
Mozilla’s intent to approve GlobalSign's request for inclusion [Step 10].

This begins a 7-day “last call” period for any final objections.

Thanks,

Ben

On Mon, Feb 1, 2021 at 10:18 AM Ben Wilson wrote:

> This is a reminder that I will close discussion on this tomorrow.
>
> On Mon, Jan 11, 2021 at 5:59 PM Ben Wilson wrote:
>
>> This is to announce the beginning of the public discussion phase of the
>> Mozilla root CA inclusion process for GlobalSign.
>>
>> See https://wiki.mozilla.org/CA/Application_Process#Process_Overview,
>> (Steps 4 through 9).
>>
>> GlobalSign has four (4) new roots to include in the root store.  Two
>> roots, one RSA and another ECC, are to support server authentication
>> (Bugzilla Bug # 1570724) while two other roots are for email
>> authentication, RSA and ECC (Bugzilla Bug # 1637269).
>>
>> Mozilla is considering approving GlobalSign’s request(s). This email
>> begins the 3-week comment period, after which, if no concerns are raised,
>> we will close the discussion and the request may proceed to the approval
>> phase (Step 10).
>>
>> *A Summary of Information Gathered and Verified appears here in these two
>> CCADB cases:*
>>
>>
>> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=0469
>>
>>
>> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=0596
>>
>> *Root Certificate Information:*
>>
>> *GlobalSign Root R46*
>>
>> crt.sh -
>> https://crt.sh/?q=4FA3126D8D3A11D1C4855A4F807CBAD6CF919D3A5A88B03BEA2C6372D93C40C9
>>
>> Download - https://secure.globalsign.com/cacert/rootr46.crt
>>
>> *GlobalSign Root E46*
>>
>> crt.sh -
>> https://crt.sh/?q=CBB9C44D84B8043E1050EA31A69F514955D7BFD2E2C6B49301019AD61D9F5058
>>
>> Download - https://secure.globalsign.com/cacert/roote46.crt
>>
>> *GlobalSign Secure Mail Root R45*
>>
>> crt.sh -
>> https://crt.sh/?q=319AF0A7729E6F89269C131EA6A3A16FCD86389FDCAB3C47A4A675C161A3F974
>>
>> Download - https://secure.globalsign.com/cacert/smimerootr45.crt
>>
>> *GlobalSign Secure Mail Root E45*
>>
>> crt.sh -
>> https://crt.sh/?q=5CBF6FB81FD417EA4128CD6F8172A3C9402094F74AB2ED3A06B4405D04F30B19
>>
>> Download - https://secure.globalsign.com/cacert/smimeroote45.crt
>>
>>
>> *CP/CPS:*
>>
>> https://www.globalsign.com/en/repository/GlobalSign_CPS_v9.6_final.pdf
>>
>> The current GlobalSign CPS is version 9.6, published 29-December-2020.
>>
>> Repository location: https://www.globalsign.com/en/repository
>>
>> *BR Self-Assessment* (Excel) is located here:
>>
>> https://bugzilla.mozilla.org/attachment.cgi?id=9082310
>>
>> *Audits:*  GlobalSign is audited annually in accordance with the
>> WebTrust criteria by Ernst & Young, Belgium, which found in June 2020 that
>> “throughout the period April 1, 2019 to March 31, 2020, GlobalSign
>> management’s assertion, as referred to above, is fairly stated, in all
>> material respects, in 

Re: Audit Reminders for Intermediate Certs

2021-02-02 Thread Kathleen Wilson via dev-security-policy

 Forwarded Message 
Subject: Summary of February 2021 Outdated Audit Statements for 
Intermediate Certs

Date: Tue, 2 Feb 2021 15:00:16 + (GMT)


CA Owner: SECOM Trust Systems CO., LTD.
   - Certificate Name: JPRS Organization Validation Authority - G3
SHA-256 Fingerprint: 
90EE548EBACACAB40207A61A378CE186B94D24AE7C55BFC83065EA96072E2B38

Standard Audit Period End Date (mm/dd/): 10/29/2019
BR Audit Period End Date (mm/dd/): 10/29/2019

   - Certificate Name: JPRS Domain Validation Authority - G3
SHA-256 Fingerprint: 
11A27671872265445CB7258EB2844EE614D14777B9F6F73BE9532122F21FAD0D

Standard Audit Period End Date (mm/dd/): 10/29/2019
BR Audit Period End Date (mm/dd/): 10/29/2019

   - Certificate Name: JPRS Organization Validation Authority - G3
SHA-256 Fingerprint: 
04C1871C68607515389FA3B0CFB83DBE6A4AF05E8C80E745702969F240606E36

Standard Audit Period End Date (mm/dd/): 10/29/2019
BR Audit Period End Date (mm/dd/): 10/29/2019

   - Certificate Name: JPRS Domain Validation Authority - G3
SHA-256 Fingerprint: 
927E9BFC0D75C3146070C3F3AFDD4A2C10F765289124997CC52CFD1209E763CB

Standard Audit Period End Date (mm/dd/): 10/29/2019
BR Audit Period End Date (mm/dd/): 10/29/2019

   - Certificate Name: JPRS Organization Validation Authority - G3
SHA-256 Fingerprint: 
21C066332D6B92DD9A253E2637684A5BC3E31357F863BED7A2F98C8459A33B62

Standard Audit Period End Date (mm/dd/): 10/29/2019
BR Audit Period End Date (mm/dd/): 10/29/2019

   - Certificate Name: JPRS Domain Validation Authority - G3
SHA-256 Fingerprint: 
659B7A518C6C9EB18AA1EB35AEBA7A0247817B898C1FA1840F97D2877D9A20E4

Standard Audit Period End Date (mm/dd/): 10/29/2019
BR Audit Period End Date (mm/dd/): 10/29/2019





CA Owner: Amazon Trust Services
   - Certificate Name: Amazon
SHA-256 Fingerprint: 
F55F9FFCB83C73453261601C7E044DB15A0F034B93C05830F28635EF889CF670

Standard Audit Period End Date (mm/dd/): 10/31/2019
BR Audit Period End Date (mm/dd/): 10/31/2019

   - Certificate Name: Amazon
SHA-256 Fingerprint: 
4A1FF6BBF481170D3B773CEC1F3A84DE3B5096575CDBF8B08432209318CA0FBD

Standard Audit Period End Date (mm/dd/): 10/31/2019
BR Audit Period End Date (mm/dd/): 10/31/2019






___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy