Adding Distrust-After Date columns to CCADB reports

2020-07-29 Thread Kathleen Wilson via dev-security-policy

All,

I have been asked to add two columns to the following CCADB reports.

Columns to add:
1) Distrust for TLS After Date
2) Distrust for S/MIME After Date

Reports to update:
1) https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport
2) https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReportCSVFormat
3) https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReportPEMCSV


I think it makes most sense to insert the new columns between the "Trust 
Bits" and "EV Policy OID(s)" columns, but I realize that could break 
things for folks who are using a CSV version of the report.


Please let me know if you are aware of particular hardship that will be 
caused if I insert the two columns, rather than adding them to the end.


Also, let me know if there are other CCADB reports that you would like 
these two columns added to.


Thanks,
Kathleen
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
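
Added example (not part of the original thread and not CCADB code): a consumer that reads the CSV report by header name keeps working when the two columns are inserted between "Trust Bits" and "EV Policy OID(s)", while a positional reader silently picks up a date instead of the EV OID. The sample rows, the "Owner" and "Certificate Name" columns, the ";" separator in "Trust Bits", the ISO date format, and the rule that a leaf is distrusted when its notBefore is later than the distrust-after date are assumptions of this example.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Column names quoted in the thread.
COL_TRUST = "Trust Bits"
COL_EV = "EV Policy OID(s)"
COL_TLS = "Distrust for TLS After Date"
COL_SMIME = "Distrust for S/MIME After Date"
# Assumed name for the identifying column (not given in the thread).
COL_NAME = "Certificate Name"
REQUIRED = (COL_NAME, COL_TRUST, COL_EV)

# Constructed sample reports: the same two roots before and after the insertion.
OLD_REPORT = "\n".join([
    '"Owner","Certificate Name","Trust Bits","EV Policy OID(s)"',
    '"Example CA A","Example Root A","Websites;Email","Not EV"',
    '"Example CA B","Example Root B","Websites","Not EV"',
]) + "\n"
NEW_REPORT = "\n".join([
    '"Owner","Certificate Name","Trust Bits","Distrust for TLS After Date",'
    '"Distrust for S/MIME After Date","EV Policy OID(s)"',
    '"Example CA A","Example Root A","Websites;Email","2020-01-01","","Not EV"',
    '"Example CA B","Example Root B","Websites","","","Not EV"',
]) + "\n"


@dataclass
class Root:
    name: str
    trust_bits: frozenset
    ev_policy_oids: str
    distrust_tls_after: Optional[date]
    distrust_smime_after: Optional[date]


def ev_column_by_position(text, index=3):
    """Fragile reader: assumes "EV Policy OID(s)" is always column 3."""
    rows = list(csv.reader(io.StringIO(text)))
    return [row[index] for row in rows[1:]]


def _parse_date(value):
    # Empty or absent cell means no distrust-after date is set.
    value = (value or "").strip()
    return date.fromisoformat(value) if value else None


def load_roots(text):
    """Header-keyed reader: tolerant of inserted or reordered columns."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        # Fail closed instead of guessing when the layout is not recognised.
        raise ValueError("report is missing columns: " + ", ".join(missing))
    roots = {}
    for row in reader:
        bits = frozenset(b.strip() for b in row[COL_TRUST].split(";") if b.strip())
        roots[row[COL_NAME]] = Root(
            name=row[COL_NAME],
            trust_bits=bits,
            ev_policy_oids=row[COL_EV],
            # .get() returns None for reports that predate the new columns.
            distrust_tls_after=_parse_date(row.get(COL_TLS)),
            distrust_smime_after=_parse_date(row.get(COL_SMIME)),
        )
    return roots


def trusted(root, purpose, not_before):
    """Is a leaf with this notBefore acceptable under the root for 'tls' or 'smime'?"""
    bit, cutoff = {
        "tls": ("Websites", root.distrust_tls_after),
        "smime": ("Email", root.distrust_smime_after),
    }[purpose]
    if bit not in root.trust_bits:
        return False
    # Assumed semantics: issuance after the cutoff date is distrusted.
    return cutoff is None or not_before <= cutoff


if __name__ == "__main__":
    print("positional, old layout:", ev_column_by_position(OLD_REPORT))
    print("positional, new layout:", ev_column_by_position(NEW_REPORT))
    for name, root in load_roots(NEW_REPORT).items():
        print(name, root.ev_policy_oids, trusted(root, "tls", date(2020, 6, 1)))
```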


Re: Adding Distrust-After Date columns to CCADB reports

2020-08-04 Thread Kathleen Wilson via dev-security-policy
While we're at it we're going to update the date format in the reports 
to YYYY-MM-DD.



On 8/4/20 9:06 AM, Kathleen Wilson wrote:
> No concerns have been raised, so we will proceed with inserting the 
> new columns between the "Trust Bits" and "EV Policy OID(s)" columns.




Re: Adding Distrust-After Date columns to CCADB reports

2020-08-04 Thread Kathleen Wilson via dev-security-policy
No concerns have been raised, so we will proceed with inserting the 
new columns between the "Trust Bits" and "EV Policy OID(s)" columns.




Re: Audit Reminders for Intermediate Certs

2020-08-04 Thread Kathleen Wilson via dev-security-policy

-------- Forwarded Message --------
Subject: Summary of August 2020 Outdated Audit Statements for Intermediate Certs
Date: Tue, 4 Aug 2020 14:00:25 +0000 (GMT)


CA Owner: Government of Taiwan, Government Root Certification Authority 
(GRCA)

   - Certificate Name: 行政院工商憑證管理中心 (MOEACA)
SHA-256 Fingerprint: 
90FFC5150CE0535069E7E5EF961E4047FB0861A140732C8CEDC7E8D58EB59BD1

Standard Audit Period End Date (mm/dd/yyyy): 03/31/2019
BR Audit Period End Date (mm/dd/yyyy): 03/31/2019

   - Certificate Name: 行政院內政部憑證管理中心 (MOICA)
SHA-256 Fingerprint: 
45111450FB31EF5137E4B7CFF9EE2BEF23E8BBFD165086DFBD93DF2F329B785E

Standard Audit Period End Date (mm/dd/yyyy): 03/31/2019
BR Audit Period End Date (mm/dd/yyyy): 03/31/2019

   - Certificate Name: 行政院醫事憑證管理中心 (HCA)
SHA-256 Fingerprint: 
A05EE43E556C8C2A38766D0377FB486806D169EA195E69CD873381D8EAB7DFCD

Standard Audit Period End Date (mm/dd/yyyy): 03/31/2019


Comments on Government Root Certification Authority - Taiwan:
CKA_NSS_SERVER_DISTRUST_AFTER set to 9/19/2019 in NSS 3.53, Firefox 78.
https://bugzilla.mozilla.org/show_bug.cgi?id=1621159



CA Owner: Asseco Data Systems S.A. (previously Unizeto Certum)
   - Certificate Name: UCA Global G2 Root
SHA-256 Fingerprint: 
C1AFC65B1E813B0E6146E6AA5341681272ABE9A38D59F7BD1B27B729834A0D9C

Standard Audit Period End Date (mm/dd/yyyy): 04/30/2019
BR Audit Period End Date (mm/dd/yyyy): 04/30/2019








CCADB Updates August 20-24: Policy Document Objects

2020-08-13 Thread Kathleen Wilson via dev-security-policy

All,

Currently CCADB only allows for one CP URL and one CPS URL per root 
certificate, so we are updating the CCADB to enable many-to-many mapping 
between policy documents and root certificates. One or more policy 
documents may be provided and associated with one or more root 
certificates and policy OIDs. Screenshots showing the changes are here:


https://docs.google.com/document/d/1bhlCSLhdAfLa1J-ek7N3jupLRE630XOjqeNaMQ9lSsU/edit?usp=sharing

We intend to migrate the changes to production August 20 to 24. You 
should be able to use the CCADB during this update, which will impact: 
CA Owner, Root Certificate, Audit Case, Root Inclusion Case.


There will be a one-time migration from existing fields to new Policy 
Document objects.


If you run into problems with the CCADB from August 20 to August 24, 
please try again later. If you run into problems with the CCADB after 
August 24, please send an email to supp...@ccadb.org.


Thanks,
Kathleen


Re: Audit Reminders for Intermediate Certs

2020-07-07 Thread Kathleen Wilson via dev-security-policy

-------- Forwarded Message --------
Subject: Summary of July 2020 Outdated Audit Statements for Intermediate Certs
Date: Tue, 7 Jul 2020 14:00:11 +0000 (GMT)


CA Owner: Government of Taiwan, Government Root Certification Authority 
(GRCA)

   - Certificate Name: 行政院工商憑證管理中心 (MOEACA)
SHA-256 Fingerprint: 
90FFC5150CE0535069E7E5EF961E4047FB0861A140732C8CEDC7E8D58EB59BD1

Standard Audit Period End Date (mm/dd/yyyy): 03/31/2019
BR Audit Period End Date (mm/dd/yyyy): 03/31/2019

   - Certificate Name: 行政院內政部憑證管理中心 (MOICA)
SHA-256 Fingerprint: 
45111450FB31EF5137E4B7CFF9EE2BEF23E8BBFD165086DFBD93DF2F329B785E

Standard Audit Period End Date (mm/dd/yyyy): 03/31/2019
BR Audit Period End Date (mm/dd/yyyy): 03/31/2019

   - Certificate Name: 行政院醫事憑證管理中心 (HCA)
SHA-256 Fingerprint: 
A05EE43E556C8C2A38766D0377FB486806D169EA195E69CD873381D8EAB7DFCD

Standard Audit Period End Date (mm/dd/yyyy): 03/31/2019


Comments on Government Root Certification Authority - Taiwan:
CKA_NSS_SERVER_DISTRUST_AFTER set to 9/19/2019 in NSS 3.53, Firefox 78.
https://bugzilla.mozilla.org/show_bug.cgi?id=1621159
Email trust bit disabled in NSS 3.54, Firefox 79.
https://bugzilla.mozilla.org/show_bug.cgi?id=1621151




Re: Verifying Auditor Qualifications

2020-06-25 Thread Kathleen Wilson via dev-security-policy

On 6/24/20 8:48 PM, Ryan Sleevi wrote:
> On Wed, Jun 24, 2020 at 3:08 PM Kathleen Wilson via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> I have updated the following section of the wiki page to incorporate
>> feedback that I received from representatives of ACAB'c.
>>
>> https://wiki.mozilla.org/CA/Audit_Statements#Verifying_ETSI_Auditor_Qualifications
>>
>> I will greatly appreciate it if those of you familiar with ETSI audits
>> will review it and provide feedback.
>
> I would suggest that, for the time being, ACAB’c isn’t a shortcut. I
> realize that means more work for Mozilla, and broadly for the industry, but
> it might provide an opportunity for ACAB’c to focus on whether the goal is
> to support eIDAS audit schemes and accreditation, or whether it is to
> provide browsers equivalent confidence and focused collaboration in the way
> the WebTrust TF had engaged in. That isn’t to suggest the auditors might
> not also provide eIDAS audits, but it seems a real missed opportunity for
> auditors to more proactively engage and ensure needs like Mozilla’s are met.


I have added the following sentence to the top of the Simplified Check 
section:
IMPORTANT: At this time, this check may only be used as a preliminary 
check, and the Standard Check must also be completed.


Thanks,
Kathleen


Re: Verifying Auditor Qualifications

2020-06-24 Thread Kathleen Wilson via dev-security-policy
I have updated the following section of the wiki page to incorporate 
feedback that I received from representatives of ACAB'c.


https://wiki.mozilla.org/CA/Audit_Statements#Verifying_ETSI_Auditor_Qualifications

I will greatly appreciate it if those of you familiar with ETSI audits 
will review it and provide feedback.


Thanks,
Kathleen


Re: Audit Reminder Email Summary

2020-06-18 Thread Kathleen Wilson via dev-security-policy

-------- Forwarded Message --------
Subject: Summary of June 2020 Audit Reminder Emails
Date: Tue, 16 Jun 2020 19:00:31 +0000 (GMT)


Mozilla: Audit Reminder
CA Owner: Shanghai Electronic Certification Authority Co., Ltd. (SHECA)
Root Certificates:
   UCA Extended Validation Root
   UCA Global G2 Root
Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=230630

Standard Audit Period End Date: 2019-04-30
BR Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=230631

BR Audit Period End Date: 2019-04-30
EV Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=230632

EV Audit Period End Date: 2019-04-30
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Atos
Root Certificates:
   Atos TrustedRoot 2011**

** Audit Case in the Common CA Database is under review for this root 
certificate.


Standard Audit: 
https://www.mydqs.com/kunden/kundendatenbank.html?aoemydqs%5BrequestId%5D=europev2-DQS-D4601883F55A11E9B50B005056A04F41-_v2%5BdownloadKey%5D=ebe97140cee29a7c498ca32f1d76cc2143a5a383%5Baction%5D=downloadDocument=f86244b64421ebaad940

Standard Audit Period End Date: 2019-04-28
BR Audit: 
https://www.mydqs.com/kunden/kundendatenbank.html?aoemydqs%5BrequestId%5D=europev2-DQS-D4601883F55A11E9B50B005056A04F41-_v2%5BdownloadKey%5D=ebe97140cee29a7c498ca32f1d76cc2143a5a383%5Baction%5D=downloadDocument=f86244b64421ebaad940

BR Audit Period End Date: 2019-04-28
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Sectigo
Root Certificates:
   COMODO RSA Certification Authority
   USERTrust ECC Certification Authority
   AAA Certificate Services
   AddTrust Class 1 CA Root
   AddTrust External CA Root
   COMODO Certification Authority
   COMODO ECC Certification Authority
   USERTrust RSA Certification Authority
Standard Audit: 
https://bug1472993.bmoattachments.org/attachment.cgi?id=9078178

Standard Audit Period End Date: 2019-03-31
BR Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=231163

BR Audit Period End Date: 2019-03-31
BR Audit:
BR Audit Period End Date:
EV Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=231164

EV Audit Period End Date: 2019-03-31
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert)
Root Certificates:
   EC-ACC
Standard Audit: 
https://www.aenor.com/Certificacion_Documentos/eiDas/2019%20AENOR%20Anexo%202%20ETSI%20319%20411-2%20PSC-CAOC_v4.pdf

Standard Audit Period End Date: 2019-03-28
BR Audit: 
https://www.aenor.com/Certificacion_Documentos/eiDas/2019%20AENOR%20Anexo%202%20ETSI%20319%20411-1%20PSC-CAOC_v4.pdf

BR Audit Period End Date: 2019-03-28
CA Comments: null



Mozilla: Audit Reminder
CA Owner: GlobalSign
Root Certificates:
   GlobalSign
   GlobalSign
   GlobalSign
   GlobalSign Root CA
Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=231566

Standard Audit Period End Date: 2019-03-31
BR Audit: https://bugzilla.mozilla.org/attachment.cgi?id=9112465
BR Audit Period End Date: 2019-03-31
EV Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=231568

EV Audit Period End Date: 2019-03-31
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Government of Spain, Autoritat de Certificació de la Comunitat 
Valenciana (ACCV)

Root Certificates:
   ACCVRAIZ1
Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=232656

Standard Audit Period End Date: 2019-04-30
BR Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=232657

BR Audit Period End Date: 2019-04-30
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Government of Taiwan, Government Root Certification Authority 
(GRCA)

Root Certificates:
   Government Root Certification Authority - Taiwan
Standard Audit: 
http://grca.nat.gov.tw/download/Audit/GRCA_GCA_XCA_WTCA_Audit_Report_2019.pdf

Standard Audit Period End Date: 2019-03-31
BR Audit: 
http://grca.nat.gov.tw/download/Audit/GRCA_GCA_BR_Audit_Report_2019.pdf

BR Audit Period End Date: 2019-03-31
CA Comments: null



Mozilla: Audit Reminder
CA Owner: HARICA
Root Certificates:
   Hellenic Academic and Research Institutions RootCA 2011
   Hellenic Academic and Research Institutions ECC RootCA 2015
   Hellenic Academic and Research Institutions RootCA 2015
Standard Audit: 
https://repo.harica.gr/documents/HARICA-AUDIT_ATTESTATION_W_ANNEX_290617-7-R2-AA-text.pdf

Standard Audit Period End Date: 2019-03-29
BR Audit: 
https://repo.harica.gr/documents/HARICA-AUDIT_ATTESTATION_W_ANNEX_290617-7-R2-AA-text.pdf

BR Audit Period End Date: 2019-03-29
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Telia Company (formerly TeliaSonera)
Root Certificates:
   Sonera Class2 CA
   TeliaSonera Root CA v1
Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=231161

Standard Audit 

Re: DRAFT May 2020 CA Communication/Survey

2020-06-03 Thread Kathleen Wilson via dev-security-policy
Based on the survey results, we (Ben and I) have recommended the 
following updates to the Browser Alignment Ballot. (currently in draft 
form here:  https://github.com/sleevi/cabforum-docs/pull/10)


1) For the following changes proposed in the ballot, we have recommended 
that the effective date be on September 30, 2020.


- OCSP requirements (OCSP must be supported, validity interval for OCSP 
response more explicitly defined, revocationReason required)

- CRL updates (reasonCode required)
-- The change regarding the OCSP and CRL updates is already in progress 
here:

https://github.com/sleevi/cabforum-docs/commit/1e59ed6bc3f1411b28ecafc3ee41b293903cd755

- Certificate Policies (MUST contain at least one CA/Browser Forum 
defined-policy OID.)

-- This change is already in progress here:
https://github.com/sleevi/cabforum-docs/commit/80ea02a31b29d614b843d119a6c022652840c806

- Name Encoding Rules (Byte-for-byte Identical Issuer and Subject 
Distinguished Names)

-- This change is already in progress here:
https://github.com/sleevi/cabforum-docs/commit/91125b8fbc1b56abea7783f63b915ba09ca799de


2) Restrict the second part of the Name Encoding Rules (Byte-for-byte 
Identical Issuer and Subject Distinguished Names) changes to subCAs.

-- This change is already in progress here:
https://github.com/sleevi/cabforum-docs/commit/91125b8fbc1b56abea7783f63b915ba09ca799de


3) (No Change, just explanation) Mozilla’s approach to adding the 
certificate validity period reduction to our root store policy would 
normally have included a public discussion in 
mozilla.dev.security.policy. In the survey, CAs all indicated that they 
will be following this new requirement anyways for compatibility 
reasons. So we are OK with it remaining in this ballot.



Any further discussion about the Browser Alignment Ballot should 
continue in the CA/Browser Forum Server Certificate Working Group or in 
GitHub.


Thanks,
Kathleen



Re: Verifying Auditor Qualifications

2020-06-04 Thread Kathleen Wilson via dev-security-policy

On 6/4/20 1:25 AM, Arvid Vermote wrote:
> Hi Kathleen
>
> Related to the below it would be helpful if the WebTrust organization would 
> disclose additional details on the licensed WebTrust practitioners: right now 
> there is no data publicly available on historical WebTrust auditor licensing. 
> We don't know as of when an auditor has been licensed and as far as I am aware 
> there is no overview of auditors that did not renew, withdrew or had their 
> license revoked. Having such a list would certainly help CAs in the auditor 
> selection process and better monitoring of auditor qualifications.
>
> The Dutch NAB has an excellent inventory of their suspensions and withdrawals 
> of accreditations: 
> https://www.rva.nl/en/accredited-organisations/suspended-withdrawals. We think 
> everyone would benefit from the WebTrust task force / CPA Canada maintaining a 
> similar public inventory.
>
> Thanks
>
> Arvid



Hi Arvid,

Your message has been forwarded to WebTrust and CPA Canada folks.

Thanks,
Kathleen



Re: Request to Include Microsec e-Szigno Root CA 2017 and to EV-enable Microsec e-Szigno Root CA 2009

2020-06-04 Thread Kathleen Wilson via dev-security-policy

On 6/4/20 11:17 AM, Ben Wilson wrote:
> Having received no further comments, I have recommended approval of this
> request in bug 1445364
>
> - Ben




To clarify, Ben is recommending approval of the request to include the 
e-Szigno Root CA 2017 certificate and enable the websites trust bit.


However, he has recommended that we deny the request for EV treatment 
for both root certificates. Microsec may re-apply by filing a new 
request for EV treatment after they have demonstrated improved 
compliance with the BRs and EV Guidelines.


Reference: 
https://groups.google.com/d/msg/mozilla.dev.security.policy/rHTmKOzspCo/yLTkQ25uAAAJ


Thanks,
Kathleen


Verifying Auditor Qualifications

2020-06-03 Thread Kathleen Wilson via dev-security-policy

All,

It recently came to my attention that I need to be more diligent in 
verifying auditor qualifications. Therefore, we have added a field in 
the CCADB called “Date Qualifications Verified” (on Auditor Location 
objects), which will be used to remind root store operators to check 
each auditor’s qualifications every year. This field can only be edited 
by a root store operator, and we will enter this date whenever we 
confirm that the auditor is still qualified to perform ETSI or WebTrust 
audits.


Some of you may notice that your Audit Case or Root Inclusion Case has 
the message: “Auditor Verification Date is blank”. This warning message 
is intended to remind root store operators that we need to verify the 
auditor's qualifications. In the future you may also notice a warning 
message when the date in that field is over a year old, reminding us 
root store operators to re-verify the auditor's qualifications.


I will greatly appreciate your input on the following new wiki page 
section, especially in regards to verifying auditor qualifications.


https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications

Thanks,
Kathleen


Re: Audit Reminders for Intermediate Certs

2020-06-02 Thread Kathleen Wilson via dev-security-policy

-------- Forwarded Message --------
Subject: Summary of June 2020 Outdated Audit Statements for Intermediate Certs
Date: Tue, 2 Jun 2020 14:00:11 +0000 (GMT)

intermediate certs chaining up to root certs in Mozilla's program.>






Re: Audit Reminder Email Summary

2020-07-27 Thread Kathleen Wilson via dev-security-policy

-------- Forwarded Message --------
Subject: Summary of July 2020 Audit Reminder Emails
Date: Tue, 21 Jul 2020 19:00:13 +0000 (GMT)


Mozilla: Audit Reminder
CA Owner: eMudhra Technologies Limited
Root Certificates:
   emSign Root CA - C1
   emSign ECC Root CA - C3
   emSign ECC Root CA - G3
   emSign Root CA - G1
Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=234195

Standard Audit Period End Date: 2019-05-31
BR Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=234196

BR Audit Period End Date: 2019-05-31
EV Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=234204

EV Audit Period End Date: 2019-05-31
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Actalis
Root Certificates:
   Actalis Authentication Root CA**

** Audit Case in the Common CA Database is under review for this root 
certificate.


Standard Audit: 
https://www.actalis.it/documenti-en/actalisca_audit_statement_2019.aspx

Standard Audit Period End Date: 2019-05-31
BR Audit: 
https://www.actalis.it/documenti-en/actalisca_audit_statement_2019.aspx

BR Audit Period End Date: 2019-05-31
EV Audit: 
https://www.actalis.it/documenti-en/actalisca_audit_statement_2019.aspx

EV Audit Period End Date: 2019-05-31
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Disig, a.s.
Root Certificates:
   CA Disig Root R2**

** Audit Case in the Common CA Database is under review for this root 
certificate.


Standard Audit: https://eidas.disig.sk/pdf/Audit2019_report.pdf
Standard Audit Period End Date: 2019-05-24
BR Audit: https://eidas.disig.sk/pdf/Audit2019_report.pdf
BR Audit Period End Date: 2019-05-24
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Chunghwa Telecom
Root Certificates:
   Chunghwa Telecom Co., Ltd. - ePKI Root Certification Authority
Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=232565

Standard Audit Period End Date: 2019-05-31
BR Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=232566

BR Audit Period End Date: 2019-05-31
CA Comments: null



Mozilla: Overdue Audit Statements
CA Owner: Sectigo
Root Certificates:
   COMODO RSA Certification Authority**
   USERTrust ECC Certification Authority**
   AAA Certificate Services**
   COMODO Certification Authority**
   COMODO ECC Certification Authority**
   USERTrust RSA Certification Authority**

** Audit Case in the Common CA Database is under review for this root 
certificate.


Standard Audit: 
https://bug1472993.bmoattachments.org/attachment.cgi?id=9078178

Standard Audit Period End Date: 2019-03-31
BR Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=231163

BR Audit Period End Date: 2019-03-31
EV Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=231164

EV Audit Period End Date: 2019-03-31
CA Comments: null



Mozilla: Overdue Audit Statements
CA Owner: GlobalSign
Root Certificates:
   GlobalSign**
   GlobalSign**
   GlobalSign**
   GlobalSign Root CA**

** Audit Case in the Common CA Database is under review for this root 
certificate.


Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=231566

Standard Audit Period End Date: 2019-03-31
BR Audit: https://bugzilla.mozilla.org/attachment.cgi?id=9112465
BR Audit Period End Date: 2019-03-31
EV Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=231568

EV Audit Period End Date: 2019-03-31
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Government of Spain, Autoritat de Certificació de la Comunitat 
Valenciana (ACCV)

Root Certificates:
   ACCVRAIZ1
Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=232656

Standard Audit Period End Date: 2019-04-30
BR Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=232657

BR Audit Period End Date: 2019-04-30
CA Comments: null



Mozilla: Overdue Audit Statements
CA Owner: Government of Taiwan, Government Root Certification Authority 
(GRCA)

Root Certificates:
   Government Root Certification Authority - Taiwan**

** Audit Case in the Common CA Database is under review for this root 
certificate.


Standard Audit: 
http://grca.nat.gov.tw/download/Audit/GRCA_GCA_XCA_WTCA_Audit_Report_2019.pdf

Standard Audit Period End Date: 2019-03-31
BR Audit: 
http://grca.nat.gov.tw/download/Audit/GRCA_GCA_BR_Audit_Report_2019.pdf

BR Audit Period End Date: 2019-03-31
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Izenpe S.A.
Root Certificates:
   Izenpe.com
Standard Audit: 
http://lsti-certification.fr/images/LSTI_Audit_Atttestation_Letter_1652-127_V21_S_copie.pdf

Standard Audit Period End Date: 2019-05-24
BR Audit: 
http://lsti-certification.fr/images/LSTI_Audit_Atttestation_Letter_1652-127_V21_S_copie.pdf

BR Audit Period End Date: 2019-05-24
EV Audit: 

Re: CCADB Update to Salesforce Lightning Interface

2020-12-03 Thread Kathleen Wilson via dev-security-policy
On Thursday, December 3, we intend to migrate CCADB to Salesforce’s 
newer interface, called Lightning.


Here is a document explaining the changes:

https://docs.google.com/document/d/1RchT4pMUvzHkKpLPRYyzdhuIovVUKd88KwLyijzobT4/edit?usp=sharing 



The CCADB update to the newer Lightning interface is in progress. You 
may use CCADB during this update, but if you run into problems please 
try again later.


Thanks,
Kathleen


Re: CCADB Update to Salesforce Lightning Interface

2020-12-04 Thread Kathleen Wilson via dev-security-policy

On 12/3/20 10:30 AM, Kathleen Wilson wrote:
> On Thursday, December 3, we intend to migrate CCADB to Salesforce’s 
> newer interface, called Lightning.
>
> Here is a document explaining the changes:
>
> https://docs.google.com/document/d/1RchT4pMUvzHkKpLPRYyzdhuIovVUKd88KwLyijzobT4/edit?usp=sharing




The CCADB has been updated to the newer Lightning interface, and the 
instructions (https://www.ccadb.org/cas/) have been updated to match.
Please let me know if you run into any problems using the new CCADB 
interface.


Next week I plan to provide a new video showing how to create an Audit 
Case via the new CCADB interface.


Thanks,
Kathleen


Re: Audit Reminders for Intermediate Certs

2020-12-01 Thread Kathleen Wilson via dev-security-policy

-------- Forwarded Message --------
Subject: Summary of December 2020 Outdated Audit Statements for Intermediate Certs
Date: Tue, 1 Dec 2020 15:00:43 +0000 (GMT)

CA Owner: Government of The Netherlands, PKIoverheid (Logius)
   - Certificate Name: UZI-register Medewerker niet op naam CA G3
SHA-256 Fingerprint: 
972957304031234ED17679FDCB97556D6173D5F2BF0E6E66D612680CA6E77685

Standard Audit Period End Date (mm/dd/yyyy): 08/31/2019

   - Certificate Name: UZI-register Medewerker op naam CA G3
SHA-256 Fingerprint: 
D28DB435E31212A3BDCCF87620F6544B99A9C02328BF983E882FD0627A1D130F

Standard Audit Period End Date (mm/dd/yyyy): 08/31/2019

   - Certificate Name: UZI-register Zorgverlener CA G3
SHA-256 Fingerprint: 
507DB60D263D3D09D283DE2E3AA435DFD8775E52BC335702E3832BBB57EC1CBD

Standard Audit Period End Date (mm/dd/yyyy): 08/31/2019

   - Certificate Name: UZI-register Medewerker op naam CA G3
SHA-256 Fingerprint: 
D8553A2880E96B7AA4C7413DD903AFD3D580504695DD26A168FD48CCE7B1474A

Standard Audit Period End Date (mm/dd/yyyy): 08/31/2019

   - Certificate Name: UZI-register Zorgverlener CA G3
SHA-256 Fingerprint: 
3EAD4F72F06F1054881D2728DE033A8E13FADE6BD165084018EB943C17378DAA

Standard Audit Period End Date (mm/dd/yyyy): 08/31/2019

   - Certificate Name: UZI-register Medewerker niet op naam CA G3
SHA-256 Fingerprint: 
38DED3FF6827579008AF4887EB9698A3CFA927FA8ED59F06BA090FB9A63E2D77

Standard Audit Period End Date (mm/dd/yyyy): 08/31/2019





Re: Announcing the Chrome Root Program

2020-12-02 Thread Kathleen Wilson via dev-security-policy

Thank you, Ryan, for providing this very helpful information.



> ## What does this mean for the CA Certificates Module?
>
> Since 2015, I’ve been a Module Peer of the CA Certificates Module [1]. My
> role has been to support Kathleen and Ben, and previously also Wayne and
> Gerv, in performing detailed CP/CPS reviews, reviewing and responding to CA
> incidents and reports, and working to collect and produce data to help
> better inform the decisions of the Module Owner around adding and removing
> CAs.



I have greatly appreciated all of your support and efforts in this area.




> However, the CA Certificates Module is also one of the small subset of
> Modules that focuses on technical and policy direction for the product as a
> whole. This has caused some confusion for folks that may not have much
> experience with approaches to governance used by open source projects, and
> who believe the Module Owners and Peers are absolute. Although this is not
> the case, to avoid any confusion, I’ll be stepping down as Module Peer.



Understood. I will update the Peers list.



> Although I’m stepping down from the title of Module Peer, there is no
> functional change expected. I’ll be continuing in the same activities and
> with the same goal of ensuring technical interoperability and user
> security: helping examine incident reports, review CA information, and
> making recommendations on how to balance the many complexities involved in
> ensuring user security while minimizing compatibility issues, for users and
> across browsers.



So glad to hear that!




> ## What does this mean for CAs not yet in Mozilla’s program?
>
> One area of possible divergence, however, is called out in how we’ve
> prioritized inclusion requests within the Chrome Root Store. Our priority
> is user security, and thus rather than operating on a “first come, first
> serve” basis, we’ve captured a number of principles that we believe help
> prioritize those user security interests. For example, existing CAs that
> are replacing older roots with newer, modern hierarchies, greatly benefits
> users, because it removes trust in the old hierarchy that may have had
> incidents and misissuance, and thus risk to users, and moves to a new
> hierarchy that is free of incidents. This is particularly important when
> also considering that the Chrome Root Store prioritizes “single purpose”
> hierarchies; that is, CA certificates which only ever issue a single type
> of certificate, whether it be TLS or S/MIME or, looking broader, DV vs EV.



Perhaps it is time for Mozilla to update our approach too. Rather than 
operating on the "first come, first serve" basis, it makes sense to 
prioritize inclusion of root certificates that will improve security for 
users. Ben and I will discuss this, and propose something here in m.s.d.p.




Further diverging from Mozilla, we have prioritized attestation and
assurance engagements based on international standards, such as ISAE 3000
like those from WebTrust, over compliance-based engagements intended for
particular schemes, such as those from ETSI, due to the greater
transparency and accountability provided by those audits. The Chrome Root
Store will still continue to accept ETSI audits on a case-by-case basis,
but our priority will be towards audits that help us build a fuller picture
of the CA, its operations, and controls, such as provided by WebTrust.



Indeed, Mozilla does not currently have plans to change our policy in 
regards to ETSI audits. We would like to work with ETSI folks to try to 
resolve the concerns.




We believe there’s a shared value in transparency, and that avoiding
fragmentation is beneficial. Even if Mozilla is not yet prepared to include
the CA, having the discussion for the Chrome Root Store easily available
helps improve the security for Mozilla users.



Agreed.


Thanks!

Kathleen



CCADB Update to Salesforce Lightning Interface

2020-11-30 Thread Kathleen Wilson via dev-security-policy

CAs,

On Thursday, December 3, we intend to migrate CCADB to Salesforce’s 
newer interface, called Lightning.


Here is a document explaining the changes:

https://docs.google.com/document/d/1RchT4pMUvzHkKpLPRYyzdhuIovVUKd88KwLyijzobT4/edit?usp=sharing

Thanks,
Kathleen


Re: Audit Reminder Email Summary

2020-12-15 Thread Kathleen Wilson via dev-security-policy

-------- Forwarded Message --------
Subject: Summary of December 2020 Audit Reminder Emails
Date: Tue, 15 Dec 2020 20:00:28 +0000 (GMT)

Mozilla: Audit Reminder
CA Owner: DigiCert
Root Certificates:
   Symantec Class 2 Public Primary Certification Authority - G6
   Symantec Class 1 Public Primary Certification Authority - G6
   VeriSign Universal Root Certification Authority
   Baltimore CyberTrust Root
   Cybertrust Global Root
   DigiCert Assured ID Root CA
   DigiCert Assured ID Root G2
   GeoTrust Primary Certification Authority - G2
   DigiCert Trusted Root G4
   DigiCert Assured ID Root G3
   VeriSign Class 1 Public Primary Certification Authority - G3
   VeriSign Class 2 Public Primary Certification Authority - G3
Standard Audit: https://bug1458024.bmoattachments.org/attachment.cgi?id=9123453
Standard Audit Period End Date: 2019-10-31
Standard Audit: https://bug1458024.bmoattachments.org/attachment.cgi?id=9123443
Standard Audit Period End Date: 2019-10-31
Standard Audit: https://bug1458024.bmoattachments.org/attachment.cgi?id=9123448
Standard Audit Period End Date: 2019-10-31
BR Audit:
BR Audit Period End Date:
BR Audit: https://bug1458024.bmoattachments.org/attachment.cgi?id=9123452
BR Audit Period End Date: 2019-10-31
BR Audit: https://bug1458024.bmoattachments.org/attachment.cgi?id=9123442
BR Audit Period End Date: 2019-10-31
BR Audit: https://bug1458024.bmoattachments.org/attachment.cgi?id=9123447
BR Audit Period End Date: 2019-10-31
EV Audit:
EV Audit Period End Date:
EV Audit: https://bug1458024.bmoattachments.org/attachment.cgi?id=9123454
EV Audit Period End Date: 2019-10-31
EV Audit: https://bug1458024.bmoattachments.org/attachment.cgi?id=9123445
EV Audit Period End Date: 2019-10-31
CA Comments: null



Mozilla: Audit Reminder
CA Owner: D-TRUST
Root Certificates:
   D-TRUST Root CA 3 2013**
   D-TRUST Root Class 3 CA 2 2009**
   D-TRUST Root Class 3 CA 2 EV 2009**

** Audit Case in the Common CA Database is under review for this root certificate.

Standard Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2019120301_D-TRUST_Root_CA3_V1.0_s.pdf
Standard Audit Period End Date: 2019-10-07
Standard Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2019120302_D-TRUST_Root_Class_3_CA_2_2009_V1.0_s.pdf
Standard Audit Period End Date: 2019-10-07
Standard Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2019120303_D-TRUST_Root_Class3_CA2_EV_V1.0_s.pdf
Standard Audit Period End Date: 2019-10-07
BR Audit:
BR Audit Period End Date:
BR Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2019120302_D-TRUST_Root_Class_3_CA_2_2009_V1.0_s.pdf
BR Audit Period End Date: 2019-10-07
BR Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2019120303_D-TRUST_Root_Class3_CA2_EV_V1.0_s.pdf
BR Audit Period End Date: 2019-10-07
EV Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2019120303_D-TRUST_Root_Class3_CA2_EV_V1.0_s.pdf
EV Audit Period End Date: 2019-10-07
CA Comments: null



Mozilla: Audit Reminder
CA Owner: SwissSign AG
Root Certificates:
   SwissSign Gold CA - G2**
   SwissSign Platinum CA - G2**
   SwissSign Silver CA - G2**

** Audit Case in the Common CA Database is under review for this root certificate.

Standard Audit: https://it-tuv.com/wp-content/uploads/2019/12/AA2019121902_Audit_Attestation_TA_CERT__SwissSign_Gold_G2.pdf
Standard Audit Period End Date: 2019-10-02
Standard Audit: https://it-tuv.com/wp-content/uploads/2020/01/AA2019121901_Audit_Attestation_TA_CERT__SwissSign_Platinum_G2.pdf
Standard Audit Period End Date: 2019-09-27
Standard Audit: https://it-tuv.com/wp-content/uploads/2020/01/AA2019121903_Audit_Attestation_TA_CERT__SwissSign_Silver_G2.pdf
Standard Audit Period End Date: 2019-09-27
BR Audit: https://it-tuv.com/wp-content/uploads/2019/12/AA2019121902_Audit_Attestation_TA_CERT__SwissSign_Gold_G2.pdf
BR Audit Period End Date: 2019-10-02
BR Audit:
BR Audit Period End Date:
BR Audit: https://it-tuv.com/wp-content/uploads/2020/01/AA2019121903_Audit_Attestation_TA_CERT__SwissSign_Silver_G2.pdf
BR Audit Period End Date: 2019-09-27
EV Audit: https://it-tuv.com/wp-content/uploads/2019/12/AA2019121902_Audit_Attestation_TA_CERT__SwissSign_Gold_G2.pdf
EV Audit Period End Date: 2019-10-02
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Buypass
Root Certificates:
   Buypass Class 2 Root CA
   Buypass Class 3 Root CA
Standard Audit: https://www.buypass.com/the-company/certification/_/attachment/download/413dca90-da68-483e-80e4-3978e33a8e98:76247c1b8cacd26f80531a2929c2a739db2b5159/ETS%20018.pdf
Standard Audit Period End Date: 2019-10-31
BR Audit: https://www.buypass.com/the-company/certification/_/attachment/download/413dca90-da68-483e-80e4-3978e33a8e98:76247c1b8cacd26f80531a2929c2a739db2b5159/ETS%20018.pdf
BR Audit Period End Date: 2019-10-31
EV Audit: 

Re: CCADB Update to Salesforce Lightning Interface

2020-12-16 Thread Kathleen Wilson via dev-security-policy

All,

The new video about how to create an Audit Case in the CCADB is 
available here:

https://www.ccadb.org/cas/updates#instructions

Thanks,
Kathleen


2H2020 Symantec Root Updates

2020-12-14 Thread Kathleen Wilson via dev-security-policy

All,

Continuing with the distrust of the old Symantec root certificates, 10 
root certificates were removed via bug 1670769 from NSS 3.60 and Firefox 
85.


1. GeoTrust Global CA
2. GeoTrust Primary Certification Authority
3. GeoTrust Primary Certification Authority - G3
4. thawte Primary Root CA
5. thawte Primary Root CA - G3
6. VeriSign Class 3 Public Primary Certification Authority - G4
7. VeriSign Class 3 Public Primary Certification Authority - G5
8. thawte Primary Root CA - G2
9. GeoTrust Universal CA
10. GeoTrust Universal CA 2

I also added this information to
https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec

Thanks,
Kathleen


Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-12 Thread Kathleen Wilson via dev-security-policy
PS: In the meantime, we will continue to verify auditor qualifications 
as described here:

https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications







Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-12 Thread Kathleen Wilson via dev-security-policy

> It is proposed in Issue #192 that information about
> individual auditor's qualifications be provided--identity, competence,
> experience and independence. (For those interested as to this independence
> requirement, Mozilla Policy v.1.0 required either disclosure of the
> auditor's compensation or the establishment that the auditor "is bound by
> law, government regulation, and/or a professional code of ethics to render
> an honest and objective judgement regarding the CA.")


I am very much in favor of increasing transparency about the 
qualifications of the auditors providing audit statements for CAs in our 
program. However, I think that we need to spend more time figuring out a 
few things before adding such a requirement to our policy. Therefore, I 
think we should add this to our list of things to spend some focused 
time to figure out in early 2021, and move this item to the next version 
of Mozilla’s root store policy.


Below are some of the questions we need to be able to answer before 
adding this requirement to Mozilla's root store policy.


Please do NOT respond to these questions now. We will have future 
discussions about this when we are ready.


- What information is needed and in what format to demonstrate each 
individual auditor's qualifications?
- What are the criteria to be considered and what is sufficient to be 
considered a qualified auditor?

- How do auditors apply to be considered qualified auditors?
- How can new participants become involved in this space and become 
qualified auditors?

- What is the process to determine if an auditor is qualified?
- Does every auditor signing their name or listed in an audit statement 
need to be verified as a qualified auditor? Or just the lead auditor?
- How are the qualifications of the auditors communicated in conjunction 
with the audit statement(s)?

- Who is responsible for verifying auditor qualifications?
- Who is responsible for maintaining the list of known qualified auditors?
- How do CAs find out if their auditors are qualified?

I look forward to having these discussions in full later, but I think 
this effort is too large in scope for version 2.7.1 of Mozilla's Root 
Store Policy.


Thanks,
Kathleen



Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-14 Thread Kathleen Wilson via dev-security-policy

On 11/13/20 1:43 PM, Ryan Sleevi wrote:

In this regard, the principles from Mozilla's 1.0 Certificate Policy
provide a small minimum, along with some of the language from, say, the
FPKI, regarding technical competencies. The basis here is simply for the
auditor to *disclose* why they believe they meet the criteria or objectives
set. This avoids the need to address part of your questions (e.g. "How do
auditors apply to be considered qualified auditors"), because it leaves the
current policies and presumptions in place, but introduces the disclosure
requirement for why the auditor is relevant and reliable for the report.



I think it is reasonable to update section 3.2 of Mozilla's Root Store 
Policy in v2.7.1 to re-add information that appears to have been lost 
during the efforts to remove duplication with the BRs. And we could 
consider adding some incremental changes to improve transparency and 
clarify expectations regarding auditor experience.


For example, we could begin by updating section 3.2 to the following, 
which is a combination of the versions 2.7 and 2.4.1 
(https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md) of 
Mozilla's Root Store Policy. And then see if there are incremental 
updates to this that will improve transparency while keeping the audit 
statements that we add to the CCADB as fully public-facing documents.


===

3.2 Auditors

Mozilla requires that audits MUST be performed by a competent, 
independent, qualified party.


The burden is on the CA to prove that it has met the below requirements. 
However the CA MAY request a preliminary determination from us regarding 
the acceptability of the criteria and/or the competent, independent, 
qualified party or parties by which it proposes to meet the requirements 
of this policy.


By "competent party" we mean a person or other entity who is authorized 
to perform audits according to the stated criteria (e.g., by the 
organization responsible for the criteria or by a relevant government 
agency) or for whom there is sufficient public information available to 
determine that the party is competent to judge the CA’s conformance to 
the stated criteria. In the latter case the "public information" 
referred to SHOULD include information regarding the party’s:
- knowledge of CA-related technical issues such as public key 
cryptography and related standards;
- experience in performing security-related audits, evaluations, or risk 
analyses; and

- honesty and objectivity.

By "independent party" we mean a person or other entity who is not 
affiliated with the CA as an employee or director and for whom at least 
one of the following statements is true:

- the party is not financially compensated by the CA;
- the nature and amount of the party’s financial compensation by the CA 
is publicly disclosed; or
- the party is bound by law, government regulation, and/or a 
professional code of ethics to render an honest and objective judgement 
regarding the CA.


By "qualified party" we mean a person or other entity who meets the 
requirements of section 8.2 of the Baseline Requirements. If a CA wishes 
to use auditors who do not fit the definition in section 8.2 of the 
Baseline Requirements, they MUST receive written permission from Mozilla 
to do so in advance of the start of the audit engagement. Mozilla will 
make its own determination as to the suitability of the suggested party 
or parties, at its sole discretion.


==

Thanks,
Kathleen


Re: Audit Reminder Email Summary

2020-11-18 Thread Kathleen Wilson via dev-security-policy

-------- Forwarded Message --------
Subject: Summary of November 2020 Audit Reminder Emails
Date: Tue, 17 Nov 2020 20:01:50 +0000 (GMT)

Mozilla: Audit Reminder
CA Owner: Google Trust Services LLC (GTS)
Root Certificates:
   GTS Root R2
   GTS Root R3
   GTS Root R4
   GTS Root R1
   GlobalSign
   GlobalSign
Standard Audit: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=236832
Standard Audit Period End Date: 2019-09-30
BR Audit: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=236833
BR Audit Period End Date: 2019-09-30
CA Comments: null



Mozilla: Audit Reminder
CA Owner: D-TRUST
Root Certificates:
   D-TRUST Root CA 3 2013
   D-TRUST Root Class 3 CA 2 2009
   D-TRUST Root Class 3 CA 2 EV 2009
Standard Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2019120301_D-TRUST_Root_CA3_V1.0_s.pdf
Standard Audit Period End Date: 2019-10-07
Standard Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2019120302_D-TRUST_Root_Class_3_CA_2_2009_V1.0_s.pdf
Standard Audit Period End Date: 2019-10-07
Standard Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2019120303_D-TRUST_Root_Class3_CA2_EV_V1.0_s.pdf
Standard Audit Period End Date: 2019-10-07
BR Audit:
BR Audit Period End Date:
BR Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2019120302_D-TRUST_Root_Class_3_CA_2_2009_V1.0_s.pdf
BR Audit Period End Date: 2019-10-07
BR Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2019120303_D-TRUST_Root_Class3_CA2_EV_V1.0_s.pdf
BR Audit Period End Date: 2019-10-07
EV Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2019120303_D-TRUST_Root_Class3_CA2_EV_V1.0_s.pdf
EV Audit Period End Date: 2019-10-07
CA Comments: null



Mozilla: Overdue Audit Statements
CA Owner: E-Tugra
Root Certificates:
   E-Tugra Certification Authority
Standard Audit: https://lsti-certification.fr/images/LSTI_1646_135_AL-V10_E-Tugra.pdf
Standard Audit Period End Date: 2019-07-26
BR Audit: https://lsti-certification.fr/images/LSTI_1646_135_AL-V10_E-Tugra.pdf
BR Audit Period End Date: 2019-07-26
EV Audit: https://lsti-certification.fr/images/LSTI_1646_135_AL-V10_E-Tugra.pdf
EV Audit Period End Date: 2019-07-26
CA Comments: https://bugzilla.mozilla.org/show_bug.cgi?id=1659426 -- audit delay due to Covid19.




Mozilla: Audit Reminder
CA Owner: SwissSign AG
Root Certificates:
   SwissSign Gold CA - G2
   SwissSign Platinum CA - G2
   SwissSign Silver CA - G2
Standard Audit: https://it-tuv.com/wp-content/uploads/2019/12/AA2019121902_Audit_Attestation_TA_CERT__SwissSign_Gold_G2.pdf
Standard Audit Period End Date: 2019-10-02
Standard Audit: https://it-tuv.com/wp-content/uploads/2020/01/AA2019121901_Audit_Attestation_TA_CERT__SwissSign_Platinum_G2.pdf
Standard Audit Period End Date: 2019-09-27
Standard Audit: https://it-tuv.com/wp-content/uploads/2020/01/AA2019121903_Audit_Attestation_TA_CERT__SwissSign_Silver_G2.pdf
Standard Audit Period End Date: 2019-09-27
BR Audit: https://it-tuv.com/wp-content/uploads/2019/12/AA2019121902_Audit_Attestation_TA_CERT__SwissSign_Gold_G2.pdf
BR Audit Period End Date: 2019-10-02
BR Audit:
BR Audit Period End Date:
BR Audit: https://it-tuv.com/wp-content/uploads/2020/01/AA2019121903_Audit_Attestation_TA_CERT__SwissSign_Silver_G2.pdf
BR Audit Period End Date: 2019-09-27
EV Audit: https://it-tuv.com/wp-content/uploads/2019/12/AA2019121902_Audit_Attestation_TA_CERT__SwissSign_Gold_G2.pdf
EV Audit Period End Date: 2019-10-02
CA Comments: null



Mozilla: Audit Reminder
CA Owner: SecureTrust
Root Certificates:
   Secure Global CA
   SecureTrust CA
   Trustwave Global ECC P256 Certification Authority
   Trustwave Global Certification Authority
   Trustwave Global ECC P384 Certification Authority
   XRamp Global Certification Authority
Standard Audit: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=237400
Standard Audit Period End Date: 2019-09-30
BR Audit: https://certs.securetrust.com/CA/2%20-%20SecureTrust%202019%20SSL%20BL%20Report.pdf
BR Audit Period End Date: 2019-09-30
EV Audit: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=237401
EV Audit Period End Date: 2019-09-30
CA Comments: Changed CA Name from Trustwave to SecureTrust on February 1, 2019.







Re: CCADB Proposal: Add field called Full CRL Issued By This CA

2020-11-18 Thread Kathleen Wilson via dev-security-policy

All,

The following changes have been made in the CCADB:

On Intermediate Cert pages:
- Renamed section heading ‘Revocation Information’ to ‘Revocation 
Information for this Certificate’

- Added section called ‘Pertaining to Certificates Issued by this CA’
- Added 'Full CRL Issued By This CA' field to this new section.
Note: CAs modify this field directly on intermediate cert pages.

On Root Cert pages:
- Added section called ‘Pertaining to Certificates Issued by this CA’
- Added 'Full CRL Issued By This CA' field to this new section.
Note: Only root store operators may directly update root cert pages, so 
send email to your root store operator if you would like a URL added to 
this new field for a root cert.



Coming soon:
Add 'Full CRL Issued By This CA' column to report:
http://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat


Thanks,
Kathleen


Re: Policy 2.7.1: MRSP Issue #152: Add EV Audit exception for Policy Constraints

2020-11-06 Thread Kathleen Wilson via dev-security-policy

>> For this MRSP Issue #152 update to v2.7.1, I propose that we make each
>> occurrence of "capable of issuing EV certificates" link to
>> https://wiki.mozilla.org/CA/EV_Processing_for_CAs#EV_TLS_Capable


In the definition of EV TLS Capable, I'd move the last bullet up to the top.



Done. Thanks!




Re: Audit Reminders for Intermediate Certs

2020-11-03 Thread Kathleen Wilson via dev-security-policy

-------- Forwarded Message --------
Subject: Summary of November 2020 Outdated Audit Statements for Intermediate Certs
Date: Tue, 3 Nov 2020 15:00:07 +0000 (GMT)

CA Owner: AC Camerfirma, S.A.
   - Certificate Name: MULTICERT SSL Certification Authority 001
SHA-256 Fingerprint: 06A57D1CD5879FBA2135610DD8D725CC268D2A6DE8A463D424C4B9DA89848696
Standard Audit Period End Date (mm/dd/yyyy): 07/18/2019
BR Audit Period End Date (mm/dd/yyyy): 07/18/2019

   - Certificate Name: DigitalSign Primary CA
SHA-256 Fingerprint: 8101C3BAF9D0EDD71180D1F37D6D75B77B0E8CFB593D342C3A31E467985D4A74
Standard Audit Period End Date (mm/dd/yyyy): 07/22/2019
BR Audit Period End Date (mm/dd/yyyy): 07/22/2019



CA Owner: QuoVadis
   - Certificate Name: DigitalSign Qualified CA - G4
SHA-256 Fingerprint: 41678B8897E635DEA03B6E48565E267BA5AAC3B8F4DC4B74B7A0A9748CFDD35E
Standard Audit Period End Date (mm/dd/yyyy): 07/22/2019






Re: Policy 2.7.1: MRSP Issue #152: Add EV Audit exception for Policy Constraints

2020-11-05 Thread Kathleen Wilson via dev-security-policy

On 10/16/20 11:26 PM, Ryan Sleevi wrote:

Because of this, it seems that there is a simpler, clearer, unambiguous
path for CAs that seems useful to move to:
- If a CA is trusted for purpose X, that certificate, and all subordinate
CAs, should be audited against the criteria relevant for X



I am in favor of this approach for a future version of Mozilla's Root 
Store Policy, but I prefer not to try to tackle it in this v2.7.1 
update.  So I filed a github issue to remind us to consider this in the 
next version:


https://github.com/mozilla/pkipolicy/issues/220


I have added a section called "EV TLS Capable" to the wiki pages, and I 
will appreciate feedback on it:


https://wiki.mozilla.org/CA/EV_Processing_for_CAs#EV_TLS_Capable

For this MRSP Issue #152 update to v2.7.1, I propose that we make each 
occurrence of "capable of issuing EV certificates" link to 
https://wiki.mozilla.org/CA/EV_Processing_for_CAs#EV_TLS_Capable


Thanks,
Kathleen



Re: Audit Reminder Email Summary

2021-01-19 Thread Kathleen Wilson via dev-security-policy

-------- Forwarded Message --------
Subject: Summary of January 2021 Audit Reminder Emails
Date: Tue, 19 Jan 2021 20:00:30 +0000 (GMT)

Mozilla: Audit Reminder
CA Owner: Krajowa Izba Rozliczeniowa S.A. (KIR)
Root Certificates:
   SZAFIR ROOT CA2
Standard Audit: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=238854
Standard Audit Period End Date: 2019-12-18
BR Audit: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=238855
BR Audit Period End Date: 2019-12-18
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Government of Hong Kong (SAR), Hongkong Post, Certizen
Root Certificates:
   Hongkong Post Root CA 3
Standard Audit: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=238797
Standard Audit Period End Date: 2019-12-31
BR Audit: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=238798
BR Audit Period End Date: 2019-12-31
EV Audit: https://www.ecert.gov.hk/ev/Webtrust_EVSSL_2019.pdf
EV Audit Period End Date: 2019-11-30
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Buypass
Root Certificates:
   Buypass Class 2 Root CA**
   Buypass Class 3 Root CA**

** Audit Case in the Common CA Database is under review for this root certificate.

Standard Audit: https://www.buypass.com/the-company/certification/_/attachment/download/413dca90-da68-483e-80e4-3978e33a8e98:76247c1b8cacd26f80531a2929c2a739db2b5159/ETS%20018.pdf
Standard Audit Period End Date: 2019-10-31
BR Audit: https://www.buypass.com/the-company/certification/_/attachment/download/413dca90-da68-483e-80e4-3978e33a8e98:76247c1b8cacd26f80531a2929c2a739db2b5159/ETS%20018.pdf
BR Audit Period End Date: 2019-10-31
EV Audit: https://www.buypass.com/the-company/certification/_/attachment/download/413dca90-da68-483e-80e4-3978e33a8e98:76247c1b8cacd26f80531a2929c2a739db2b5159/ETS%20018.pdf
EV Audit Period End Date: 2019-10-31
CA Comments: null



Mozilla: Overdue Audit Statements
CA Owner: Dhimyotis / Certigna
Root Certificates:
   Certigna Root CA**
   Certigna**

** Audit Case in the Common CA Database is under review for this root certificate.

Standard Audit: https://lsti-certification.fr/images/23_1377_AT_V10__LSTI_-_Attestation_letter_2020.pdf
Standard Audit Period End Date: 2019-10-18
BR Audit: https://lsti-certification.fr/images/23_1377_AT_V10__LSTI_-_Attestation_letter_2020.pdf
BR Audit Period End Date: 2019-10-18
CA Comments: null






Re: Action on Camerfirma Root CAs

2021-02-10 Thread Kathleen Wilson via dev-security-policy
I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1692094 to turn off 
the Websites trust bit for the 2008 root certs, and to set the "Distrust 
for S/MIME After Date" for the older root certs.


Thanks,
Kathleen


Re: Audit Reminders for Intermediate Certs

2021-02-02 Thread Kathleen Wilson via dev-security-policy

-------- Forwarded Message --------
Subject: Summary of February 2021 Outdated Audit Statements for Intermediate Certs
Date: Tue, 2 Feb 2021 15:00:16 +0000 (GMT)

CA Owner: SECOM Trust Systems CO., LTD.
   - Certificate Name: JPRS Organization Validation Authority - G3
SHA-256 Fingerprint: 90EE548EBACACAB40207A61A378CE186B94D24AE7C55BFC83065EA96072E2B38
Standard Audit Period End Date (mm/dd/yyyy): 10/29/2019
BR Audit Period End Date (mm/dd/yyyy): 10/29/2019

   - Certificate Name: JPRS Domain Validation Authority - G3
SHA-256 Fingerprint: 11A27671872265445CB7258EB2844EE614D14777B9F6F73BE9532122F21FAD0D
Standard Audit Period End Date (mm/dd/yyyy): 10/29/2019
BR Audit Period End Date (mm/dd/yyyy): 10/29/2019

   - Certificate Name: JPRS Organization Validation Authority - G3
SHA-256 Fingerprint: 04C1871C68607515389FA3B0CFB83DBE6A4AF05E8C80E745702969F240606E36
Standard Audit Period End Date (mm/dd/yyyy): 10/29/2019
BR Audit Period End Date (mm/dd/yyyy): 10/29/2019

   - Certificate Name: JPRS Domain Validation Authority - G3
SHA-256 Fingerprint: 927E9BFC0D75C3146070C3F3AFDD4A2C10F765289124997CC52CFD1209E763CB
Standard Audit Period End Date (mm/dd/yyyy): 10/29/2019
BR Audit Period End Date (mm/dd/yyyy): 10/29/2019

   - Certificate Name: JPRS Organization Validation Authority - G3
SHA-256 Fingerprint: 21C066332D6B92DD9A253E2637684A5BC3E31357F863BED7A2F98C8459A33B62
Standard Audit Period End Date (mm/dd/yyyy): 10/29/2019
BR Audit Period End Date (mm/dd/yyyy): 10/29/2019

   - Certificate Name: JPRS Domain Validation Authority - G3
SHA-256 Fingerprint: 659B7A518C6C9EB18AA1EB35AEBA7A0247817B898C1FA1840F97D2877D9A20E4
Standard Audit Period End Date (mm/dd/yyyy): 10/29/2019
BR Audit Period End Date (mm/dd/yyyy): 10/29/2019



CA Owner: Amazon Trust Services
   - Certificate Name: Amazon
SHA-256 Fingerprint: F55F9FFCB83C73453261601C7E044DB15A0F034B93C05830F28635EF889CF670
Standard Audit Period End Date (mm/dd/yyyy): 10/31/2019
BR Audit Period End Date (mm/dd/yyyy): 10/31/2019

   - Certificate Name: Amazon
SHA-256 Fingerprint: 4A1FF6BBF481170D3B773CEC1F3A84DE3B5096575CDBF8B08432209318CA0FBD
Standard Audit Period End Date (mm/dd/yyyy): 10/31/2019
BR Audit Period End Date (mm/dd/yyyy): 10/31/2019








CCADB Update: Extended ALV to EV SSL Audits on Intermediate Certs

2021-01-22 Thread Kathleen Wilson via dev-security-policy

CAs,

There are a couple updates to the CCADB that I would like to bring to 
your attention.


1) Added 'CCADB Release Notes' link to the CA home page.
It links to:
https://docs.google.com/document/d/1yMLYQFNH2JnOixVsByC99uoQd8fFfZcKlKBu-vgy3CU/edit#heading=h.6p4mru6ujyvl


2) Extended automated Audit Letter Validation (ALV) to EV SSL audits for 
intermediate certificates.
- Added ‘EV SSL Capable’ checkbox to the bottom of the ‘Certificate 
Data’ section on intermediate certificate records. 
[https://wiki.mozilla.org/CA/EV_Processing_for_CAs#EV_TLS_Capable]
- Added CA home page Task list item called ‘Intermediate Certs with 
Failed ALV Results for EV SSL’.
-- When it is non-zero, click on the ">" next to ‘Check failed Audit 
Letter Validation (ALV) results for EV SSL’, which is below the Summary 
section. Then click on the link in the 'Certificate Name' column.


Thanks,
Kathleen



Re: New intermediate certs and Audit Statements

2021-03-24 Thread Kathleen Wilson via dev-security-policy

On 3/24/21 5:32 AM, Rob Stradling wrote:

On 9th July 2019, Kathleen wrote:

I propose that to handle this situation, the CA may enter the
subordinate CA's current audit statements and use the Public Comment
field to indicate that the new certificate will be included in the next
audit statements.

Hi Kathleen.  CCADB now automatically shows the following message (when 
relevant) in red text at the top of each intermediate certificate page:

 "This certificate was created after the audit period of the current audit 
statement, so please make sure to include it in the CA's next periodic audit 
statement."

Do you still expect CAs to "use the Public Comment field to indicate that the new 
certificate will be included in the next audit statements"?
Or may we stop doing that now?

Thanks.



Rob, Thanks for bringing this up. I agree that it is not necessary to 
use the Public Comment field to indicate that the new certificate will 
be included in the next audit statements. CAs may stop doing that.


Thanks,
Kathleen


MOVING mozilla.dev.security.policy to dev-security-policy in Mozilla’s Google Workspace (formerly GSuite)

2021-03-25 Thread Kathleen Wilson via dev-security-policy

All,

This mozilla.dev.security.policy mailing list has been running on 
ancient custom-patched mailman software since the early Mozilla days. As 
many of you are aware, there are limitations and sometimes loss of data 
with the old configuration, so we are migrating this list to be hosted 
as a well-supported email-based Google Group under Mozilla's Google 
Workspace (formerly GSuite) account.


Currently this forum is accessed as follows:
  - Mailing List: dev-security-policy@lists.mozilla.org
  - Newsgroup: mozilla.dev.security.policy
  - Web: https://groups.google.com/g/mozilla.dev.security.policy
This list will be archived and changed to read-only on April 3, after 
which we will continue our conversations in the new list.


After the move, the access points will change to:
  - Mailing List: dev-security-pol...@mozilla.org
   -- dev-security-policy@lists.mozilla.org will automatically forward 
to the new mailing list

  - Group Name: dev-security-policy
  - Web: https://groups.google.com/a/mozilla.org/g/dev-security-policy
Note: Newsgroup access is deprecated and will no longer be an access point.

In the next week we will pre-populate the new group’s members list with 
the active users who subscribed to mozilla.dev.security.policy via 
lists.mozilla.org, and you will begin to receive email from the new 
dev-security-policy group as soon as messages are posted to it. You will 
then be able to update your user settings and frequency of email 
messages via groups.google.com, or you can send an email to me and Ben 
to request that we update your settings in this new group.


For mozilla.dev.security.policy we do not have visibility into 
subscribers from NNTP or Google Groups, so if you do not receive 
notifications from the new group, you may subscribe by sending email to 
dev-security-policy+subscr...@mozilla.org or to me or Ben. This new 
group, dev-security-policy, is also public-facing via the web interface 
so you only need to subscribe to the new group if you intend to post 
messages or if you want to receive group conversations via email.


I will post another message here in mozilla.dev.security.policy when the 
new group is ready to use. At that point, we will archive this 
mozilla.dev.security.policy group such that no one will be able to post 
to this old group. Google has stated that data in this old group and the 
URLs to messages within this old group will remain as-is. From then on 
messages sent to dev-security-policy@lists.mozilla.org will be 
automatically forwarded to dev-security-pol...@mozilla.org.


Thanks,
Kathleen


CCADB Update to Audit and Root Inclusion Cases March 25-29

2021-03-25 Thread Kathleen Wilson via dev-security-policy

All,

We will be applying updates to CCADB Audit Cases and Root Inclusion 
Cases starting tonight, March 25, and expected to be completed the 
afternoon of March 29.


We will post the following message on the CCADB home page while the 
updates are in progress.


--
UNDER CONSTRUCTION: Audit Cases and Root Inclusion Cases are being 
updated March 25 to March 29. Please avoid using them until this update 
has been completed. This message will be removed when the changes are done.

--

The goal of these updates is to extend Root Inclusion Cases to be usable 
by other root stores. After this update, both Apple and Mozilla will be 
able to use Root Inclusion Cases. There is a significant amount of code 
that is common to Audit Cases and Root Inclusion Cases, so Audit Cases 
will also be impacted during the update.


Please let me know if you have any questions about this, or run into 
other problems in the CCADB.


Thanks,
Kathleen



Re: CCADB Update to Audit and Root Inclusion Cases March 25-29

2021-03-30 Thread Kathleen Wilson via dev-security-policy

All,

The CCADB update has been completed, and the "UNDER CONSTRUCTION" notice 
will be removed today.


There is still some cleanup that we will be doing, but you may proceed 
with using Audit Cases and Root Inclusion Cases now.


Please let me know if you run into any problems with the CCADB.

Thanks,
Kathleen


On 3/25/21 11:22 AM, Kathleen Wilson wrote:

All,

We will be applying updates to CCADB Audit Cases and Root Inclusion 
Cases starting tonight, March 25, and expected to be completed the 
afternoon of March 29.


We will post the following message on the CCADB home page while the 
updates are in progress.


--
UNDER CONSTRUCTION: Audit Cases and Root Inclusion Cases are being 
updated March 25 to March 29. Please avoid using them until this update 
has been completed. This message will be removed when the changes are done.

--

The goal of these updates is to extend Root Inclusion Cases to be usable 
by other root stores. After this update, both Apple and Mozilla will be 
able to use Root Inclusion Cases. There is a significant amount of code 
that is common to Audit Cases and Root Inclusion Cases, so Audit Cases 
will also be impacted during the update.


Please let me know if you have any questions about this, or run into 
other problems in the CCADB.


Thanks,
Kathleen





Re: MOVING mozilla.dev.security.policy to dev-security-policy in Mozilla’s Google Workspace (formerly GSuite)

2021-04-01 Thread Kathleen Wilson via dev-security-policy

All,

I posted the first message to the new group, with subject "WELCOME to 
dev-security-policy".


If you do not receive the welcome message to the new group, you can 
subscribe to it by sending an email to 
dev-security-policy+subscr...@mozilla.org or to me or Ben.


You can update your user settings and frequency of email messages via 
groups.google.com, or you can send an email to me and Ben to request 
that we update your settings in this new group.


Thanks,
Kathleen


On 3/25/21 9:55 AM, Kathleen Wilson wrote:

All,

This mozilla.dev.security.policy mailing list has been running on 
ancient custom-patched mailman software since the early Mozilla days. As 
many of you are aware, there are limitations and sometimes loss of data 
with the old configuration, so we are migrating this list to be hosted 
as a well-supported email-based Google Group under Mozilla's Google 
Workspace (formerly GSuite) account.


Currently this forum is accessed as follows:
  - Mailing List: dev-security-policy@lists.mozilla.org
  - Newsgroup: mozilla.dev.security.policy
  - Web: https://groups.google.com/g/mozilla.dev.security.policy
This list will be archived and changed to read-only on April 3, after 
which we will continue our conversations in the new list.


After the move, the access points will change to:
  - Mailing List: dev-security-pol...@mozilla.org
   -- dev-security-policy@lists.mozilla.org will automatically forward 
to the new mailing list

  - Group Name: dev-security-policy
  - Web: https://groups.google.com/a/mozilla.org/g/dev-security-policy
Note: Newsgroup access is deprecated and will no longer be an access point.

In the next week we will pre-populate the new group’s members list with 
the active users who subscribed to mozilla.dev.security.policy via 
lists.mozilla.org, and you will begin to receive email from the new 
dev-security-policy group as soon as messages are posted to it. You will 
then be able to update your user settings and frequency of email 
messages via groups.google.com, or you can send an email to me and Ben 
to request that we update your settings in this new group.


For mozilla.dev.security.policy we do not have visibility into 
subscribers from NNTP or Google Groups, so if you do not receive 
notifications from the new group, you may subscribe by sending email to 
dev-security-policy+subscr...@mozilla.org or to me or Ben. This new 
group, dev-security-policy, is also public-facing via the web interface 
so you only need to subscribe to the new group if you intend to post 
messages or if you want to receive group conversations via email.


I will post another message here in mozilla.dev.security.policy when the 
new group is ready to use. At that point, we will archive this 
mozilla.dev.security.policy group such that no one will be able to post 
to this old group. Google has stated that data in this old group and the 
URLs to messages within this old group will remain as-is. From then on 
messages sent to dev-security-policy@lists.mozilla.org will be 
automatically forwarded to dev-security-pol...@mozilla.org.


Thanks,
Kathleen




MOVED mozilla.dev.security.policy to dev-security-policy

2021-04-02 Thread Kathleen Wilson via dev-security-policy

All,

This mozilla.dev.security.policy group has been moved to 
dev-security-policy in Mozilla’s Google Workspace (formerly GSuite).


New Access Points:
- Mailing List: dev-security-pol...@mozilla.org
   -- dev-security-policy@lists.mozilla.org will automatically forward 
to the new mailing list

- Group Name: dev-security-policy
- Web: https://groups.google.com/a/mozilla.org/g/dev-security-policy
Note: Newsgroup access is deprecated and will no longer be an access point.

This mozilla.dev.security.policy group is being archived and no more 
posts will be accepted in this old group. Google has stated that data in 
this old group and the URLs to messages within this old group will 
remain as-is. Messages sent to dev-security-policy@lists.mozilla.org 
will be automatically forwarded to dev-security-pol...@mozilla.org.


We pre-populated the new group’s members list with the active users who 
subscribed to mozilla.dev.security.policy via lists.mozilla.org. If you 
have already been added to the new group as a member, then you should 
have received a message from the group. You can update your user 
settings and frequency of email messages via groups.google.com, or send 
an email to me and Ben.


If you have not received a message from the new dev-security-policy 
group, you may request to subscribe to the group by sending an email to 
dev-security-policy+subscr...@mozilla.org or to me or Ben. This new 
group is also public-facing via the web interface, so you only need to 
join the group if you intend to post messages or if you want to receive 
group conversations via email.


Thanks,
Kathleen


Re: Audit Reminder Email Summary

2021-03-16 Thread Kathleen Wilson via dev-security-policy

-------- Forwarded Message --------
Subject: Summary of March 2021 Audit Reminder Emails
Date: Tue, 16 Mar 2021 19:02:12 +0000 (GMT)

Mozilla: Audit Reminder
CA Owner: certSIGN
Root Certificates:
   certSIGN ROOT CA
Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=239757

Standard Audit Period End Date: 2020-02-07
BR Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=239758

BR Audit Period End Date: 2020-02-07
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Krajowa Izba Rozliczeniowa S.A. (KIR)
Root Certificates:
   SZAFIR ROOT CA2
Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=238854

Standard Audit Period End Date: 2019-12-18
BR Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=238855

BR Audit Period End Date: 2019-12-18
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Government of Hong Kong (SAR), Hongkong Post, Certizen
Root Certificates:
   Hongkong Post Root CA 3**
   Hongkong Post Root CA 1**

** Audit Case in the Common CA Database is under review for this root 
certificate.


Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=238797

Standard Audit Period End Date: 2019-12-31
BR Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=238798

BR Audit Period End Date: 2019-12-31
EV Audit: https://www.ecert.gov.hk/ev/Webtrust_EVSSL_2019.pdf
EV Audit Period End Date: 2019-11-30
CA Comments: null



Mozilla: Audit Reminder
CA Owner: QuoVadis
Root Certificates:
   QuoVadis Root CA 1 G3
   QuoVadis Root CA 2
   QuoVadis Root CA 2 G3
   QuoVadis Root CA 3
   QuoVadis Root CA 3 G3
   QuoVadis Root Certification Authority
Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=239021

Standard Audit Period End Date: 2019-12-31
BR Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=239022

BR Audit Period End Date: 2019-12-31
EV Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=239023

EV Audit Period End Date: 2019-12-31
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT)
Root Certificates:
   AC RAIZ FNMT-RCM SERVIDORES SEGUROS
   FNMT-RCM - SHA256
Standard Audit: 
https://www.aenor.com/Certificacion_Documentos/eiDas/2020%20AENOR%20Anexo%202%20ETSI%20319%20411-1%20PSC-2019-003%20-%20FNMT-v2.pdf

Standard Audit Period End Date: 2020-01-12
BR Audit: 
https://www.aenor.com/Certificacion_Documentos/eiDas/2020%20AENOR%20Anexo%201%20ETSI%20319%20411-2%20PSC-2019-003%20-%20FNMT-v2.pdf

BR Audit Period End Date: 2020-01-12
BR Audit: 
https://www.aenor.com/Certificacion_Documentos/eiDas/2020%20AENOR%20Anexo%202%20ETSI%20319%20411-1%20PSC-2019-003%20-%20FNMT-v2.pdf

BR Audit Period End Date: 2020-01-12
EV Audit: 
https://www.aenor.com/Certificacion_Documentos/eiDas/2020%20AENOR%20Anexo%201%20ETSI%20319%20411-2%20PSC-2019-003%20-%20FNMT-v2.pdf

EV Audit Period End Date: 2020-01-12
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Taiwan-CA Inc. (TWCA)
Root Certificates:
   TWCA Global Root CA**
   TWCA Root Certification Authority**

** Audit Case in the Common CA Database is under review for this root 
certificate.


Standard Audit: 
https://www.cpacanada.ca/generichandlers/cpachandler.ashx?AttachmentID=238799

Standard Audit Period End Date: 2019-12-31
BR Audit: 
https://www.cpacanada.ca/generichandlers/cpachandler.ashx?AttachmentID=238800

BR Audit Period End Date: 2019-12-31
EV Audit: 
https://www.cpacanada.ca/generichandlers/cpachandler.ashx?AttachmentID=238801

EV Audit Period End Date: 2019-12-31
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Trustis
Root Certificates:
   Trustis Limited - Trustis FPS Root CA
Standard Audit: 
https://bug1360184.bmoattachments.org/attachment.cgi?id=9146189

Standard Audit Period End Date: 2020-01-15
BR Audit: https://bug1360184.bmoattachments.org/attachment.cgi?id=9146189
BR Audit Period End Date: 2020-01-15
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Asseco Data Systems S.A. (previously Unizeto Certum)
Root Certificates:
   Certum Trusted Network CA 2
   Certum CA
   Certum Trusted Network CA
Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=239794

Standard Audit Period End Date: 2020-02-10
BR Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=239795

BR Audit Period End Date: 2020-02-10
EV Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=239796

EV Audit Period End Date: 2020-02-10
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Government of The Netherlands, PKIoverheid (Logius)
Root Certificates:
   Staat der Nederlanden Root CA - G3
   Staat der Nederlanden EV Root CA
Standard Audit: 

CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

2021-02-24 Thread Kathleen Wilson via dev-security-policy

All,

As previously discussed, there is a section on root and intermediate 
certificate pages in the CCADB called ‘Pertaining to Certificates Issued 
by this CA’, and it currently has one field called 'Full CRL Issued By 
This CA'.


Proposal: Add field called 'JSON Array of Partitioned CRLs Issued By 
This CA'


Description of this proposed field:
When there is no full CRL for certificates issued by this CA, provide a 
JSON array whose elements are URLs of partitioned, DER-encoded CRLs that 
when combined are the equivalent of a full CRL. The JSON array may omit 
obsolete partitioned CRLs whose scopes only include expired certificates.


Example:

[
  "http://cdn.example/crl-1.crl",
  "http://cdn.example/crl-2.crl"
]



Additionally, I propose adding a new section to 
https://www.ccadb.org/cas/fields called “Revocation Information”.


The proposed draft for this new section is here:
https://docs.google.com/document/d/1uVK0h4q5BSrFv6e86f2SwR5m2o9Kl1km74vG4HnkABw/edit?usp=sharing


I will appreciate your input on this proposal.

Thanks,
Kathleen


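One way a consumer of CCADB data could read the field proposed in the message above, as an added example that is not part of the original message or of the CCADB itself. The function names are hypothetical, and three behaviours are assumptions of this example rather than of the proposal: only http and https URLs are accepted, repeated URLs are collapsed, and a filled-in 'Full CRL Issued By This CA' value takes precedence over the array.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the field value from the example in the message above.
SAMPLE_FIELD = '["http://cdn.example/crl-1.crl", "http://cdn.example/crl-2.crl"]'


class CRLFieldError(ValueError):
    """A CRL disclosure field is malformed and must not be trusted."""


def check_crl_url(url, where):
    """Return url unchanged if it is an absolute http(s) URL, else raise."""
    if not isinstance(url, str):
        raise CRLFieldError(f"{where}: expected a string, got {type(url).__name__}")
    if any(ch.isspace() for ch in url):
        raise CRLFieldError(f"{where}: whitespace inside URL {url!r}")
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:
        raise CRLFieldError(f"{where}: unparsable URL {url!r}") from exc
    # Assumption of this example: only http and https are accepted.
    if parts.scheme not in ("http", "https") or not host:
        raise CRLFieldError(f"{where}: not an absolute http(s) URL: {url!r}")
    return url


def parse_partitioned_crls(field_value):
    """Parse the JSON-array field into an ordered, de-duplicated URL list."""
    try:
        data = json.loads(field_value)
    except json.JSONDecodeError as exc:
        raise CRLFieldError(f"not valid JSON: {exc.msg} (char {exc.pos})") from exc
    if not isinstance(data, list):
        raise CRLFieldError("top-level JSON value must be an array of URLs")
    urls = []
    for index, item in enumerate(data):
        url = check_crl_url(item, f"element {index}")
        if url not in urls:  # a repeated partition adds nothing
            urls.append(url)
    return urls


def crl_sources(full_crl, partitioned_json):
    """List the CRL URLs that together cover the certificates a CA issued.

    Assumption of this example: when both fields are filled in, the full
    CRL wins, because the array is described for the no-full-CRL case.
    """
    full_crl = (full_crl or "").strip()
    partitioned_json = (partitioned_json or "").strip()
    if full_crl:
        return [check_crl_url(full_crl, "full CRL")]
    if partitioned_json:
        return parse_partitioned_crls(partitioned_json)
    return []  # nothing disclosed: revocation cannot be checked via CRL


if __name__ == "__main__":
    print(crl_sources("", SAMPLE_FIELD))
    # Constructed malformed values: a bare string, and a URL with no scheme.
    for bad in ('"http://cdn.example/crl-1.crl"', '["cdn.example/crl-1.crl"]'):
        try:
            parse_partitioned_crls(bad)
        except CRLFieldError as err:
            print("rejected:", err)
```

Rejecting a malformed value outright, rather than using whichever URLs happen to parse, keeps a consumer from treating an incomplete set of partitions as full revocation coverage.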


Re: Audit Reminders for Intermediate Certs

2021-03-02 Thread Kathleen Wilson via dev-security-policy

-------- Forwarded Message --------
Subject: Summary of March 2021 Outdated Audit Statements for Intermediate Certs
Date: Tue, 2 Mar 2021 15:00:24 +0000 (GMT)


CA Owner: SECOM Trust Systems CO., LTD.
   - Certificate Name: JPRS Organization Validation Authority - G3
SHA-256 Fingerprint: 
21C066332D6B92DD9A253E2637684A5BC3E31357F863BED7A2F98C8459A33B62

Standard Audit Period End Date (mm/dd/yyyy): 10/29/2019
BR Audit Period End Date (mm/dd/yyyy): 10/29/2019

   - Certificate Name: JPRS Domain Validation Authority - G3
SHA-256 Fingerprint: 
659B7A518C6C9EB18AA1EB35AEBA7A0247817B898C1FA1840F97D2877D9A20E4

Standard Audit Period End Date (mm/dd/yyyy): 10/29/2019
BR Audit Period End Date (mm/dd/yyyy): 10/29/2019

Comments: https://bugzilla.mozilla.org/show_bug.cgi?id=1695993



CA Owner: AC Camerfirma, S.A.
   - Certificate Name: InfoCert Organization Validation CA 3
SHA-256 Fingerprint: 
247A6D807FF164031E0EB22CA85DE329A3A4E6603DBC6203F0C6E282A9C9EA84

Standard Audit Period End Date (mm/dd/yyyy): 11/27/2019
BR Audit Period End Date (mm/dd/yyyy): 11/27/2019

   - Certificate Name: Intesa Sanpaolo Organization Validation CA
SHA-256 Fingerprint: 
27CDD699DE15EE88A05BB10ED9DF2FC5E4CA25B5FDD42988963A38EC8940D55A

Standard Audit Period End Date (mm/dd/yyyy): 11/28/2019
BR Audit Period End Date (mm/dd/yyyy): 11/28/2019






Re: Audit Reminder Email Summary

2021-02-16 Thread Kathleen Wilson via dev-security-policy

-------- Forwarded Message --------
Subject: Summary of February 2021 Audit Reminder Emails
Date: Tue, 16 Feb 2021 20:01:02 +0000 (GMT)


Mozilla: Audit Reminder
CA Owner: Krajowa Izba Rozliczeniowa S.A. (KIR)
Root Certificates:
   SZAFIR ROOT CA2
Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=238854

Standard Audit Period End Date: 2019-12-18
BR Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=238855

BR Audit Period End Date: 2019-12-18
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Government of Hong Kong (SAR), Hongkong Post, Certizen
Root Certificates:
   Hongkong Post Root CA 3
   Hongkong Post Root CA 1
Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=238797

Standard Audit Period End Date: 2019-12-31
BR Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=238798

BR Audit Period End Date: 2019-12-31
EV Audit: https://www.ecert.gov.hk/ev/Webtrust_EVSSL_2019.pdf
EV Audit Period End Date: 2019-11-30
CA Comments: null



Mozilla: Audit Reminder
CA Owner: QuoVadis
Root Certificates:
   QuoVadis Root CA 1 G3
   QuoVadis Root CA 2
   QuoVadis Root CA 2 G3
   QuoVadis Root CA 3
   QuoVadis Root CA 3 G3
   QuoVadis Root Certification Authority
Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=239021

Standard Audit Period End Date: 2019-12-31
BR Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=239022

BR Audit Period End Date: 2019-12-31
EV Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=239023

EV Audit Period End Date: 2019-12-31
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT)
Root Certificates:
   FNMT-RCM - SHA256
Standard Audit: 
https://www.aenor.com/Certificacion_Documentos/eiDas/2020%20AENOR%20Anexo%202%20ETSI%20319%20411-1%20PSC-2019-003%20-%20FNMT-v2.pdf

Standard Audit Period End Date: 2020-01-12
BR Audit: 
https://www.aenor.com/Certificacion_Documentos/eiDas/2020%20AENOR%20Anexo%202%20ETSI%20319%20411-1%20PSC-2019-003%20-%20FNMT-v2.pdf

BR Audit Period End Date: 2020-01-12
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Taiwan-CA Inc. (TWCA)
Root Certificates:
   TWCA Global Root CA
   TWCA Root Certification Authority
Standard Audit: 
https://www.cpacanada.ca/generichandlers/cpachandler.ashx?AttachmentID=238799

Standard Audit Period End Date: 2019-12-31
BR Audit: 
https://www.cpacanada.ca/generichandlers/cpachandler.ashx?AttachmentID=238800

BR Audit Period End Date: 2019-12-31
EV Audit: 
https://www.cpacanada.ca/generichandlers/cpachandler.ashx?AttachmentID=238801

EV Audit Period End Date: 2019-12-31
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Trustis
Root Certificates:
   Trustis Limited - Trustis FPS Root CA
Standard Audit: 
https://bug1360184.bmoattachments.org/attachment.cgi?id=9146189

Standard Audit Period End Date: 2020-01-15
BR Audit: https://bug1360184.bmoattachments.org/attachment.cgi?id=9146189
BR Audit Period End Date: 2020-01-15
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Government of The Netherlands, PKIoverheid (Logius)
Root Certificates:
   Staat der Nederlanden Root CA - G3
   Staat der Nederlanden EV Root CA
Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=238851

Standard Audit Period End Date: 2019-12-31
BR Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=238852

BR Audit Period End Date: 2019-12-31
EV Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=238853

EV Audit Period End Date: 2019-12-31
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Amazon Trust Services
Root Certificates:
   Amazon Root CA 3
   Amazon Root CA 2
   Amazon Root CA 1
   Amazon Root CA 4
   Starfield Services Root Certificate Authority - G2
Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=239088

Standard Audit Period End Date: 2020-01-15
BR Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=239089

BR Audit Period End Date: 2020-01-15
EV Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=239090

EV Audit Period End Date: 2020-01-15
CA Comments: null



Mozilla: Overdue Audit Statements
CA Owner: Buypass
Root Certificates:
   Buypass Class 2 Root CA**
   Buypass Class 3 Root CA**

** Audit Case in the Common CA Database is under review for this root 
certificate.


Standard Audit: 
https://www.buypass.com/the-company/certification/_/attachment/download/413dca90-da68-483e-80e4-3978e33a8e98:76247c1b8cacd26f80531a2929c2a739db2b5159/ETS%20018.pdf

Standard Audit Period End Date: 2019-10-31
BR Audit: 
