Re: Feasibility of a binding commitment to revoke before issuance

2024-07-24 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Mike and Amir, Here are some of the goals that come to my mind from the perspective of the Mozilla Root Program, followed by my short response concerning what to do with the current framework. 1. Security and Privacy of Users: Our foremost goal, from Principle #4 of the Mozilla Manifesto

Re: Feasibility of a binding commitment to revoke before issuance

2024-07-24 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Thanks, everyone, for keeping this conversation going. It's essential that we continue because I believe the current framework is unworkable. Ben On Wed, Jul 24, 2024 at 2:53 PM Mike Shaver wrote: > On Wed, Jul 24, 2024 at 2:36 PM 'Ben Wilson' via > dev-security-policy@mozilla.org

Re: Feasibility of a binding commitment to revoke before issuance

2024-07-24 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Dear Tim and Matt, Thank you both for your insightful comments and contributions to the ongoing discussion regarding timely certificate revocation. Your perspectives are invaluable as we strive to find balanced and effective solutions to this problem. Tim, your proposal to identify

Reminder: Mozilla's Community Participation Guidelines and Bugzilla Etiquette

2024-07-24 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Dear Community Members, As part of our ongoing commitment to fostering a respectful and productive environment, I would like to remind everyone of the importance of adhering to Mozilla’s Community Participation Guidelines

Re: Phasing out Legacy S/MIME Certificates

2024-07-16 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Greetings, I am writing to you as a reminder regarding future compliance of S/MIME certificates with the multi-purpose and strict profiles established by the CA/B Forum. As noted before, the Mozilla Root Store Policy incorporates the CA/B Forum's S/MIME Baseline Requirements (S/MIME BRs).

Re: Intent to Approve Cybertrust / JCSI Japan Root Inclusions

2024-07-11 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Thanks for reconfirming. I should have noted in my initial post that these three roots are just for the websites trust bit, and I am going to continue to assume that all three will be EV-enabled. Ben On Thu, Jul 11, 2024 at 4:19 AM Mitsuyoshi Tamura < mitsuyoshi.tam...@miraclelinux.com> wrote: >

Re: Intent to Approve Cybertrust / JCSI Japan Root Inclusions

2024-07-10 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Dear Mitsuyoshi, Thanks for your response. For purposes of Mozilla trust bits - "websites" and "email", could you specify at this time the key purpose for CA14 and CA15? Ben On Tue, Jul 9, 2024 at 8:50 PM Mitsuyoshi Tamura < mitsuyoshi.tam...@miraclelinux.com> wrote: > Greetings, > We are

Re: Intent to Approve Cybertrust / JCSI Japan Root Inclusions

2024-07-08 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
g EKS, but the new > set of 3 has Server auth in all of them along with a mix of other EKUs. > > > > When do CAs need to start providing dedicated TLS roots? > > > > Doug > > > > *From:* 'Ben Wilson' via dev-security-policy@mozilla.org < > dev-secur

Intent to Approve Cybertrust / JCSI Japan Root Inclusions

2024-07-08 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
All, From May 10, 2024, through June 21, 2024, a six-week public discussion was conducted regarding the request from Cybertrust Japan / JCSI for the inclusion of the following root certificates: - SecureSign Root CA12 - SecureSign Root CA14 - SecureSign Root CA15

Re: Approval of Taiwan CA's Root Inclusion Request

2024-07-08 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
All, We appreciate the feedback and active participation from the community. After careful consideration of all final questions and responses, Mozilla will be proceeding with the inclusion of the TWCA CYBER Root CA (websites trust bit with EV) and TWCA Global Root CA G2 (email trust bit). Thank

Re: Recent Entrust Compliance Incidents

2024-07-01 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
All, We want to thank everybody who has participated in the discussion for their detailed reviews of Entrust's updated report and thoughtful contributions. We have not yet made a final decision and are reviewing the community's comments and Entrust's updated response closely. Sincerely yours,

Draft "Lessons Learned" Wiki Page – Seeking Feedback

2024-06-30 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Dear Mozilla Community, I am pleased to announce the publication of a new resource aimed at enhancing the compliance practices of Certification Authorities (CAs). The draft "Lessons Learned" wiki page is now available at https://wiki.mozilla.org/CA/Lessons_Learned. Over 1,000 CA compliance

Re: Mozilla delayed revocation incident expectations

2024-06-26 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
I think it would be good to collect and analyze use-case environments from subscribers who have requested delayed revocation, if anyone has bandwidth. Thanks, Ben On Wed, Jun 26, 2024 at 2:15 PM Zacharias Björngren < zacharias.bjorng...@gmail.com> wrote: > ”Non-production services aren’t

Re: Proposal for a 24-hour pause in Entrust Discussion

2024-06-25 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Hi Wayne, Thank you for your question. I was thinking that the pause would apply to all emails under the subject line "Recent Entrust Compliance Incidents." It would be beneficial for all sides to refrain from posting anything for 24 hour--again to allow everyone to reflect and ensure everything

Proposal for a 24-hour pause in Entrust Discussion

2024-06-25 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Hi Everyone, In light of the recent exchanges regarding the Entrust report, I would like to propose a 24-hour pause in our discussions. This would give us an opportunity to reflect on the questions asked and the information shared thus far. It will also help to ensure that comments or responses

Re: Recent Entrust Compliance Incidents

2024-06-21 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Thanks. I think the best way to respond is for each person to gather all of their comments into a single email with a list of remaining issues found and then submit it to this thread. Thanks, Ben On Fri, Jun 21, 2024 at 1:21 PM Mike Shaver wrote: > Thanks, Bruce. > > On first quick read of the

Re: Recent Entrust Compliance Incidents

2024-06-12 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
ossible and not be >>> posted in piecemeal fashion. >>> >> >> Touché… >> >> Mike >> >> Thanks, >>> >>> Ben >>> >>> >>>> >>>> Does this mean that Mozilla feels that the action items liste

Re: Distrust dates for GLOBALTRUST 2020 CA

2024-06-12 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Dear Andrew and all, We understand your concerns. We are evaluating and considering your suggestions. Thanks, Ben Wilson Mozilla Root Program Manager On Tuesday, June 11, 2024 at 4:58:02 PM UTC-6 rdau...@gmail.com wrote: > I have to echo the sentiments, and question what setting a

Re: Distrust dates for GLOBALTRUST 2020 CA

2024-06-11 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
> > Regards, > Andrew > > On Tue, 11 Jun 2024 08:59:25 -0600 > "'Ben Wilson' via dev-security-policy@mozilla.org" > wrote: > > > All, > > > > We appreciate the comments received from the community on m-d-s-p and > > in Bugzilla regarding s

Re: Distrust dates for GLOBALTRUST 2020 CA

2024-06-11 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
ev-security-policy@mozilla.org wrote: > >> Here is the Bugzilla bug - >> https://bugzilla.mozilla.org/show_bug.cgi?id=1901080 >> Ben >> >> On Tuesday, June 11, 2024 at 9:43:33 AM UTC-6 Mike Shaver wrote: >> >>> On Tue, Jun 11, 2024 at 11:39 AM 'Ben Wilson'

Re: Distrust dates for GLOBALTRUST 2020 CA

2024-06-11 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Here is the Bugzilla bug - https://bugzilla.mozilla.org/show_bug.cgi?id=1901080 Ben On Tuesday, June 11, 2024 at 9:43:33 AM UTC-6 Mike Shaver wrote: > On Tue, Jun 11, 2024 at 11:39 AM 'Ben Wilson' via > dev-security-policy@mozilla.org wrote: > >> Our long-term plan is to enhan

Re: Distrust dates for GLOBALTRUST 2020 CA

2024-06-11 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
be > taken into account. If solely based on NotBefore, are you monitoring for > backdated certificates in any way? > > Thanks, > > -dadrian > > On Tue, Jun 11, 2024 at 10:59 AM 'Ben Wilson' via > dev-security-policy@mozilla.org wrote: > >> All, >>

Distrust dates for GLOBALTRUST 2020 CA

2024-06-11 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
All, We appreciate the comments received from the community on m-d-s-p and in Bugzilla regarding several recent incidents involving e-commerce monitoring GmbH (ECM). A summary of the most recent Bugzilla incidents has been published on the Mozilla wiki,

Re: Recent Entrust Compliance Incidents

2024-06-10 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
> Thanks, >> >> Ben >> >> >>> >>> Does this mean that Mozilla feels that the action items listed in that >>> bug are sufficiently detailed and concrete that they are appropriate as >>> steps for Entrust to take at this point? >>> >>

Re: Recent Entrust Compliance Incidents

2024-06-10 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
t; Does this mean that Mozilla feels that the action items listed in that bug > are sufficiently detailed and concrete that they are appropriate as steps > for Entrust to take at this point? > > Mike > > On Mon, Jun 10, 2024 at 4:16 PM 'Ben Wilson' via

Re: Recent Entrust Compliance Incidents

2024-06-10 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
All, This is to acknowledge that we have received Entrust's June 7 Report regarding its non-compliance issues and associated remediation plans. Mozilla will thoroughly review the report and provide comments, requests for clarifications, and verify that the requested items have been and will be

Re: Recent Entrust Compliance Incidents

2024-06-07 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
All, I have created Bugzilla Bug#1901270 as an Entrust "meta" bug for gathering all action items that will be included in their report. Please don't comment yet in that bug until Entrust has submitted its report and populated the Bugzilla

Approval of Taiwan CA's Root Inclusion Request

2024-06-04 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Greetings, Public discussion regarding inclusion of the TWCA CYBER Root CA (websites trust bit with EV) and the TWCA Global Root CA G2 (email trust bit) began on the CCADB Public List on April 22, 2024 ( https://groups.google.com/a/ccadb.org/g/public/c/rAsxoNILZ6A/m/vqn7iTHEAwAJ) and concluded

Help Improve the Mozilla Root Store Policy

2024-06-04 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
All, I am collecting suggested updates to improve the Mozilla Root Store Policy (MRSP). Share your thoughts on how we can make the MRSP more clear and better for improving Internet security. Feel free to

Re: Vulnerability Disclosure - How does it happen?

2024-05-23 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Amir, To answer the last question first, Chunghwa Telecom did not disclose this recent attack, but I don't think we have sufficient information from the article to determine the effects of the breach on the CA operations. So without more information, it might be premature to answer the question,

Re: Recent Entrust Compliance Incidents

2024-05-10 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
00 UTC with all > certificates being revoked by 2023-11-26 14:50 UTC, but I don't think > that's correct if that was the case. > > On Friday, May 10th, 2024 at 5:27 PM, 'Ben Wilson' via > dev-security-policy@mozilla.org wrote: > > Here are draft summaries of the additional hist

Re: Recent Entrust Compliance Incidents

2024-05-10 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
gi?id=1802916 > https://bugzilla.mozilla.org/show_bug.cgi?id=1804753 > https://bugzilla.mozilla.org/show_bug.cgi?id=1867130 > > On Tue, May 7, 2024 at 7:59 AM 'Ben Wilson' via > dev-security-policy@mozilla.org > wrote: > > > > Dear Mozilla Community, > > > > Ove

Recent Entrust Compliance Incidents

2024-05-07 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Dear Mozilla Community, Over the past couple of months, a substantial number of compliance incidents have arisen in relation to Entrust. We have summarized these recent incidents in a dedicated wiki page: https://wiki.mozilla.org/CA/Entrust_Issues. In brief, these incidents arose out of

Re: comment on Entrust_Issues wiki page

2024-05-06 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
All, I hadn't announced this page yet, hoping to reference it in an email currently undergoing internal review. But thanks for your comment. I'll see about posting the email as soon as I can. Thanks, Ben On Mon, May 6, 2024 at 3:58 PM Mike Shaver wrote: > The page lists the following issue: > >

Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-04-30 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Hi Amir, Here is a quick update on this issue, while I continue working on a summary of the discussion concerning the acquisition of e-commerce monitoring by AUSTRIA CARD. Since June 1, 2022, section 3.2 of the Mozilla Root Store Policy (MRSP) has required that ETSI auditors be members of the