All, March 1 was the scheduled end of public discussion on this matter. However, I have one unresolved question that I have presented to the CA operator and its audit firm regarding ACAB'c membership (see MRSP section 3.2). As soon as I hear back on that question, I'll provide a summary of the entire discussion here. Thanks, Ben
On Friday, February 23, 2024 at 7:36:13 AM UTC-7 regist...@e-monitoring.at wrote: > *Preface* > > The only thing that changed is the ownership, and the ownership is > represented by the new management. This only formal change has already been > notified to the authorities and approved and registered. The rest remains > unchanged. > > e-commerce monitoring GmbH fulfills different trust service requirements > from ISO/IEC, eIDAS / ETSI, CA/Browser Forum to Root Program requirements, > remains a member of the European Trust List (EUTL) as before and is > permanently monitored by the Austrian Supervisory Body (RTR/TKK) and > regularly assessed by a Conformity Assessment Body. > > The management has changed from Hans G. Zeger to Emmanouil Kontos and > Markus Kirchmayr. The takeover of the company includes the taking over of > the existing, trained and trusted staff which results in no changes except > top management. e-commerce monitoring GmbH continues to provide > certification and trust services according to the respective policies. > > It is in the interest of AUSTRIA CARD-Plastikkarten und Ausweissysteme > Gesellschaft m.b.H. that e-commerce monitoring GmbH continues to fully > comply with the Browser/OS Root Store Policies. > > > *Ownership and Governance* > > The ultimate beneficial owner is Nikolaos Lykos. The new shareholder of > e-commerce monitoring GmbH is AUSTRIA CARD-Plastikkarten und Ausweissysteme > Gesellschaft m.b.H., Nikolaos Lykos owns 77.57 % of shares in AUSTRIACARD > HOLDINGS AG, which is the parent company of AUSTRIA CARD-Plastikkarten und > Ausweissysteme Gesellschaft m.b.H. (it is owned 100% by AUSTRIACARD > HOLDINGS AG). > > AUSTRIACARD HOLDINGS AG is a publically listed company with subsidiaries > in Europe and the USA (please find more details in the prospectus on > AUSTRIACARD´s website ( > https://www.austriacard.com/wp-content/uploads/2023/01/AustriaCard_Prospectus_24.01.2023_FINAL.PUBLICATIONpdf.pdf > ) > > Emmanouil Kontos is the Managing Director of the company and authorized to > represent the company solely. Markus Kirchmayr is authorized to represent > the company jointly with Emmanouil Kontos. Both will not take any trusted > roles in the CA operations. > > e-commerce monitoring GmbH is maintaining the Key Management as well as > the respective roles of Key Manager and Key Custodian through the existing, > trained and trusted staff > > Major decisions regarding finance and management topics are made by the > Managing Director Emmanouil Kontos in consultation with Markus Kirchmayr > Major decisions regarding operative topics are made by the Managing > Director Emmanouil Kontos in consultation with the key manager. The > decision making structure can be defined as follows: > > · Define the problem or decision that needs to be madeGather > information and options > > · Analyze the information and options > > · Select the best option > > · Plan for implementation > > · Implement the plan > > > *Investment and Budget* > > e-commerce monitoring GmbH is now 100% subsidiary of AUSTRIA > CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H., which is > classified as “große Kapitalgesellschaft” (large corporation) and therefore > needs to comply with all regulations of the Austrian GmbHG (limited > liabilities company Act) and UGB (Commercial Code). > > In addition e-commerce monitoring GmbH is therefore part of group of > companies of AUSTRIACARD HOLDINGS AG, which is also classified as “große > Kapitalgesellschaft” (large corporation) and in addition is a listed > company on stock exchange in Vienna and Athens. Therefore AUSTRIACARD > HOLDINGS AG needs to comply with all regulations of Austrian Aktiengesetz > (Joint Stock Corporation Act) and Börsegesetz (Stock Exchange Act). > > AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H, with > over 40 years of experience in providing high security solutions, is > maintaining an Information Security Management System as part of the ISO > 27001 framework which is certified and audited on a regular basis. > Furthermore Austria Card has established security policies and process to > comply and be certified according other security standards like ISO 14298 > as well as Payment Card Industry standards PCI CP, PCI DSS and a > qualification management system according to ISO 9001:2015. > > In the interest of fair competition we prefer not to disclose any > strategic, budget or any other internal confidential information. > > > *Community Engagement* > > e-commerce monitoring GmbH is committed to serving a diverse range of > communities, both locally and globally. Further, we strive to create > products and services that meet the needs of various demographics. > Additionally, we prioritize inclusivity and accessibility, ensuring that > our offerings are accessible to individuals from all walks of life. > > e-commerce monitoring GmbH is actively monitoring various legal > information databases, other sources like Certification Authorities and > Trust Service Providers portals by ETSI, the websites of CA Browser Forum > and root store operators as well as participation and exchange of > information with various industry partners through events and projects. > > Additionally, e-commerce monitoring GmbH has established partnerships with > regulatory institutions, security researchers, certification partners as > well as customer relations which pro-actively inform e-commerce monitoring > GmbH regarding significant changes, requirements and risks concerning > security and compliance throughout the whole Web PKI. > > > *Employees* > > e-commerce monitoring GmbH has established policies like “GLOBALTRUST > Certificate Policy” which continue to apply. > > For reference and directions please consult particularly sections 5.2 > Procedural controls and 5.3 Personnel > > > - Most recent: Version 3.2a / 16th February, 2024 controls > https://service.globaltrust.eu/static/globaltrust-certificate-policy.pd > <https://service.globaltrust.eu/static/globaltrust-certificate-policy.pdf> > f > - Prior: Version 3.2 / 19th August 2023: > > https://service.globaltrust.eu/static/globaltrust-certificate-policy.20230819.pdf > > There is no change to the staff in trusted roles. Employees in trusted > roles remain as they have been. Only the top level management has been > replaced. We are not able to disclose any background information on > individuals. Skills and experience have been audited and, in part, are > known to the Root Program responsible. > > e-commerce monitoring GmbH employs personnel with over 30 years of > experience in cryptography, data protection and in general providing PKI > technology solutions. > > The audited systems implemented by the trusted personnel of e-commerce > monitoring GmbH are fulfilling different trust service requirements from > ISO/IEC, eIDAS / ETSI, CAB Forum to root store policies which additionally > are monitored on a regularly basis both through automated system and manual > audit processes. > > Further, e-commerce monitoring GmbH monitors CA incidents and other > relevant discussions over the following community groups: > > · Bugzilla platform ( > https://wiki.mozilla.org/CA/Incident_Dashboard) > > · dev-security-policy group hosted by Google ( > https://groups.google.com/a/mozilla.org/g/dev-security-policy) > > · CCADB Public group hosted by Google ( > https://groups.google.com/a/ccadb.org/g/public) > > · CAB Forum mailing lists: > > o https://lists.cabforum.org/mailman/listinfo/netsec > > o https://lists.cabforum.org/mailman/listinfo/public > > o https://lists.cabforum.org/mailman/listinfo/smcwg-public > > o https://lists.cabforum.org/mailman/listinfo/validation > > o https://lists.cabforum.org/mailman/listinfo/servercert-wg > > > *Operational Design and Ongoing GRC Management* > > e-commerce monitoring GmbH are designed, built and maintained according to > the requirements including but not limited to ISO/IEC, eIDAS / ETSI, CAB > Forum, root store policies as well as the established policies by > GLOBALTRUST. Additionally, these systems have a continuous audit history > carried out by qualified accredited bodies. The most recent RootCA > GLOBALTRUST 2020 has a gapless cradle-to-the-grave audit including a key > ceremony report and EV readiness attestation. > > e-commerce monitoring GmbH maintains extensive public and internal > documentation which additionally has been presented to and audited by the > Austrian supervisory body (RTR/TKK). > > The audited systems enforce various automated controls and tests including > but not limited to pre-issuance linting tests utilizing the well-known open > source tools. > > e-commerce monitoring GmbH has implemented automated monitoring systems > that permanently evaluate the system security parameters, performance, > availability and the resulting quality KPIs of the trusted services. > Deviations from the expected quality KPIs trigger the notification and > remediation process of our trained IT personnel during working hours and > standby. > > Additionally, manual and automated self-audits are carried out on a > quarterly basis against a random percentage of all issued certificates as > required. > > > > *Auditing* > > e-commerce monitoring GmbH will continue to be evaluated by the auditor > “A-SIT Zentrum für sichere Informationstechnologie” – Austria under the > eIDAS / ETSI audit scheme. > > The most recent audit attestation including auditor’s accreditation scope > and team qualification can be found under the provided URl and follows the > ACAB-c template in its most recent version: > https://www.a-sit.at/wp-content/uploads/2023/05/VIG-23-044_audit-attestation_globaltrust-etsi-2023_final_signed.pdf > > The most recent eIDAS conformity assessment report can be found here: > https://service.globaltrust.eu/static/conformity-assessment-2023.pdf > > Here is a quick bottom-up way to reproduce the auditor's qualifications: > > > - Accreditation scope A-SIT: > https://akkreditierung-austria.gv.at/overview (see A-SIT) > - Notification of A-SIT as CAB: (Name “Zentrum für sichere > Informationstechnologie – Austria“ Acronym: “A-SIT”) > - Notification of Akkreditierung Austria as NAB: > https://eidas.ec.europa.eu/efda/browse/notification/cab-nab > - Accreditation / “Akkreditierung Austria” at EA: > > https://european-accreditation.org/ea-members/directory-of-ea-members-and-mla-signatories/ > > A-SIT has been recorded as auditor in the CCADB with Audit Firm Confidence > Status as evaluated by Root Store Managers “High” > https://ccadb.my.site.com/s/detail/a0F1J00001ICCfqUAH > <https://ccadb.my.site.com/s/detail/a0F1J00001ICCfqUAH> > > > On Thursday, February 8, 2024 at 1:19:33 PM UTC+1 e-commerce monitoring > wrote: > >> Dear All, >> >> e-commerce monitoring GmbH is now 100% subsidiary of AUSTRIA >> CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H., which is >> classified as “große Kapitalgesellschaft” (large corporation) and therefore >> needs to comply with all regulations of the Austrian GmbHG (limited >> liabilities company Act) and UGB (Commercial Code). >> >> e-commerce monitoring GmbH was taken over as a fully functional and >> independent entity inside the AUSTRIA CARD group of companies. The >> certified policies, processes and commitments of e-commerce monitoring GmbH >> continue to apply. >> >> The takeover of the company also includes the taking over of the >> established staff which results in no changes except top management and >> e-commerce monitoring GmbH will continue to adhere and operate according to >> the respective policies. >> >> Best regards, >> Daniel >> >> On Wednesday, February 7, 2024 at 12:22:36 AM UTC+1 Ben Wilson wrote: >> >>> Hi Aaron, >>> >>> On Tue, Feb 6, 2024 at 3:00 PM Aaron Gable <aa...@letsencrypt.org> >>> wrote: >>> >>>> e-commerce monitoring GmbH currently has multiple open bugzilla tickets >>>> which have not had any updates from their staff in multiple months: >>>> - https://bugzilla.mozilla.org/show_bug.cgi?id=1815534 >>>> - https://bugzilla.mozilla.org/show_bug.cgi?id=1862004 >>>> >>> >>> Correct - the questions raised by these incidents still need to be >>> answered. >>> >>> >>>> Does the behavior of the CA being acquired factor into decisions like >>>> this, or just the behavior of the acquiring entity? >>>> >>> >>> The behavior of the entity being acquired and the capabilities and >>> history of the acquiring company are relevant, going back for an >>> unspecified period of time. (Factors to be considered in deciding how far >>> to go back include the nature and severity of any non-compliance and the >>> degree to which any incidents reveal persistent, systemic problems.) >>> >>> >>>> If a distrust conversation were to arise in the future, how do root >>>> programs ensure that bugs filed under previous corporate names are still >>>> included in the analysis? >>>> >>> >>> We have not experienced a lot of M&A/name-change activity recently. I >>> believe the Mozilla Community has sufficient continuity, institutional >>> memory, and community-based knowledge about the history of CA operators. >>> So, I think this concern can be handled when needed with comments from >>> community members, and changes in the names of CA operators should not >>> require that we create a new tracking solution. (If incidents are >>> sufficiently recent or still have relevance, then we could update the >>> Bugzilla bugs "Summaries" by replacing the name of the previous operator >>> with the name of the new entity when there is a name change or CA operator >>> replacement.) >>> >>> Ben >>> >>> >>>> >>>> Thanks, >>>> Aaron >>>> >>>> On Fri, Feb 2, 2024 at 5:25 PM Ben Wilson <bwi...@mozilla.com> wrote: >>>> >>>>> Dear Suchan, >>>>> You make a valid point. However, in this case, I wasn't sure how other >>>>> root stores would be handling this. They may have their own processes. >>>>> Also, the distribution on this list is almost 3x greater than on the >>>>> CCADB >>>>> public list, so I decided to post the discussion here. >>>>> If the other root stores want to have a public discussion of this >>>>> acquisition, then we can start a discussion on CCADB Public, too. >>>>> Sincerely yours, >>>>> Ben >>>>> >>>>> On Fri, Feb 2, 2024 at 5:53 PM Suchan Seo <tjt...@gmail.com> wrote: >>>>> >>>>>> While not have knowledge to comment about acquire itself, doesn't >>>>>> this more fit to ccadb mailing list? I thought root store policy about >>>>>> individual root was moved to there >>>>>> 2024년 2월 3일 토요일 오전 1시 45분 19초 UTC+9에 Ben Wilson님이 작성: >>>>>> >>>>>>> All, >>>>>>> >>>>>>> Recently we were advised that e-commerce monitoring GmbH is being >>>>>>> acquired by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH. >>>>>>> >>>>>>> e-commerce monitoring operates the GLOBALTRUST 2020 root CA that is >>>>>>> included in the Mozilla root store. They have advised us of the >>>>>>> following: >>>>>>> >>>>>>> There are no changes to the operation of the CA and RA functions. >>>>>>> >>>>>>> Changes to the corporate structure: >>>>>>> >>>>>>> - New shareholder: >>>>>>> AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H. >>>>>>> registered under the number FN 98272v commercial court Vienna >>>>>>> Lamezanstraße 4-8 >>>>>>> 1230 Vienna, Austria >>>>>>> https://www.austriacard.com/ >>>>>>> >>>>>>> - New Management >>>>>>> new: CEO ("Geschäftsführer") Mr. Emmanouil Kontos >>>>>>> new: Attorney ("Prokurist") Mr. Markus Kirchmayr >>>>>>> old: CEO Hans Zeger >>>>>>> >>>>>>> - Registered headquarter >>>>>>> new: Handelskai 388/621, 1020 Vienna, Austria >>>>>>> old: Redtenbachergasse 20, 1160 Vienna, Austria >>>>>>> >>>>>>> According to section 8.1 of the Mozilla Root Store Policy, “If the >>>>>>> receiving or acquiring company is new to the Mozilla root store, it >>>>>>> MUST >>>>>>> demonstrate compliance with the entirety of this policy. There MUST be >>>>>>> a >>>>>>> public discussion regarding its admittance to the root store. If >>>>>>> Mozilla >>>>>>> reaches a positive conclusion after public discussion, then the >>>>>>> affected >>>>>>> certificate(s) MAY remain in the root store.” >>>>>>> >>>>>>> By this email, I am initiating a four-week public discussion period, >>>>>>> scheduled to close on Friday, 1-March-2024, to allow for at least three >>>>>>> full weeks of public discussion. The first week (Feb. 5 – 9) is >>>>>>> intended to >>>>>>> give the acquiring company time to address the following topics: >>>>>>> >>>>>>> · Compliance with the Mozilla Root Store Policy >>>>>>> >>>>>>> · Ownership and governance >>>>>>> >>>>>>> · Investment and budget for CA operations, risk management, >>>>>>> and compliance >>>>>>> >>>>>>> · Community engagement and involvement in industry groups >>>>>>> >>>>>>> · Employee expertise and continuity >>>>>>> >>>>>>> · Operational design and ongoing GRC management >>>>>>> >>>>>>> · Auditors and auditing >>>>>>> >>>>>>> Thanks, >>>>>>> >>>>>>> Ben Wilson >>>>>>> >>>>>>> Mozilla Root Store Program >>>>>>> >>>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "dev-secur...@mozilla.org" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to dev-security-po...@mozilla.org. >>>>> To view this discussion on the web visit >>>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabZVUgzo1rbr%3DyP-F0YzWCzjaO1sHKGYp%3DLTtQGzYEKrA%40mail.gmail.com >>>>> >>>>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabZVUgzo1rbr%3DyP-F0YzWCzjaO1sHKGYp%3DLTtQGzYEKrA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>> -- You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/be575e7c-d19c-4e12-905f-67ed240951bdn%40mozilla.org.