All,

Under Step 10 of the https://wiki.mozilla.org/CA/Application_Process, this is notice of a "further question or concern" that has arisen concerning GlobalSign's issuance of a 1024-bit RSA certificate. See https://bugzilla.mozilla.org/show_bug.cgi?id=1690807. GlobalSign has indicated that it will provide an incident report by next Tuesday, 9-Feb-2021.

Thanks,
Ben
On Tue, Feb 2, 2021 at 5:48 PM Ben Wilson <bwil...@mozilla.com> wrote:
> On January 11, 2021, we began the public discussion period [Step 4 of the Mozilla Root Store CA Application Process <https://wiki.mozilla.org/CA/Application_Process>] for the above-referenced GlobalSign inclusion request.
>
> *Summary of Discussion and Completion of Action Items [Steps 5-8]:*
>
> Recently, Ryan Sleevi noted that GlobalSign is transitioning to a better Root CA hierarchy with single-purpose roots. This will lead to less risk due to fewer cross-dependencies from other uses of PKI. He also noted that GlobalSign has improved the quality of its incident reporting and remediation. I agree on both of these points.
>
> While GlobalSign currently has six matters open in Bugzilla, none of these should be a reason to delay approval of this inclusion request.
>
> 1591005 <https://bugzilla.mozilla.org/show_bug.cgi?id=1591005> – the relevant issuing CAs have been revoked (nearly closed, waiting on a final key destruction report)
>
> 1649937 <https://bugzilla.mozilla.org/show_bug.cgi?id=1649937> – Incorrect OCSP Delegated Responder Certificate issue – GlobalSign ceased including the OCSP signing EKU in any newly generated issuing CA (approximately 10 remaining issuing CAs affected by issue are on schedule to be revoked)
>
> 1651447 <https://bugzilla.mozilla.org/show_bug.cgi?id=1651447> – Delayed CA revocation, per issue # 1649937 above (GlobalSign is switching over from old to newer infrastructure, as described in this and other bugs)
>
> 1664328 <https://bugzilla.mozilla.org/show_bug.cgi?id=1664328> – SHA-256 hash algorithm used with ECC P-384 key (almost closed, status update needed)
>
> 1667944 <https://bugzilla.mozilla.org/show_bug.cgi?id=1667944> – Empty SingleExtension in OCSP responses (migration to new OCSP responders nearly completed)
>
> 1668007 <https://bugzilla.mozilla.org/show_bug.cgi?id=1668007> – Country name in stateOrProvinceName field (almost closed, status update needed)
>
> This is notice that I am closing public discussion [Step 9] and that it is Mozilla’s intent to approve GlobalSign's request for inclusion [Step 10].
>
> This begins a 7-day “last call” period for any final objections.
>
> Thanks,
>
> Ben
>
> On Mon, Feb 1, 2021 at 10:18 AM Ben Wilson <bwil...@mozilla.com> wrote:
>
>> This is a reminder that I will close discussion on this tomorrow.
>>
>> On Mon, Jan 11, 2021 at 5:59 PM Ben Wilson <bwil...@mozilla.com> wrote:
>>
>>> This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process for GlobalSign.
>>>
>>> See https://wiki.mozilla.org/CA/Application_Process#Process_Overview (Steps 4 through 9).
>>>
>>> GlobalSign has four (4) new roots to include in the root store. Two roots, one RSA and another ECC, are to support server authentication (Bugzilla Bug # 1570724 <https://bugzilla.mozilla.org/show_bug.cgi?id=1570724>) while two other roots are for email authentication, RSA and ECC (Bugzilla Bug # 1637269 <https://bugzilla.mozilla.org/show_bug.cgi?id=1637269>).
>>>
>>> Mozilla is considering approving GlobalSign’s request(s). This email begins the 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).
>>>
>>> *A Summary of Information Gathered and Verified appears here in these two CCADB cases:*
>>>
>>> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000469
>>>
>>> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000596
>>>
>>> *Root Certificate Information:*
>>>
>>> *GlobalSign Root R46*
>>>
>>> crt.sh - https://crt.sh/?q=4FA3126D8D3A11D1C4855A4F807CBAD6CF919D3A5A88B03BEA2C6372D93C40C9
>>>
>>> Download - https://secure.globalsign.com/cacert/rootr46.crt
>>>
>>> *GlobalSign Root E46*
>>>
>>> crt.sh - https://crt.sh/?q=CBB9C44D84B8043E1050EA31A69F514955D7BFD2E2C6B49301019AD61D9F5058
>>>
>>> Download - https://secure.globalsign.com/cacert/roote46.crt
>>>
>>> *GlobalSign Secure Mail Root R45*
>>>
>>> crt.sh - https://crt.sh/?q=319AF0A7729E6F89269C131EA6A3A16FCD86389FDCAB3C47A4A675C161A3F974
>>>
>>> Download - https://secure.globalsign.com/cacert/smimerootr45.crt
>>>
>>> *GlobalSign Secure Mail Root E45*
>>>
>>> crt.sh - https://crt.sh/?q=5CBF6FB81FD417EA4128CD6F8172A3C9402094F74AB2ED3A06B4405D04F30B19
>>>
>>> Download - https://secure.globalsign.com/cacert/smimeroote45.crt
>>>
>>> *CP/CPS:*
>>>
>>> https://www.globalsign.com/en/repository/GlobalSign_CPS_v9.6_final.pdf
>>>
>>> The current GlobalSign CPS is version 9.6, published 29-December-2020.
>>>
>>> Repository location: https://www.globalsign.com/en/repository
>>>
>>> *BR Self-Assessment* (Excel) is located here:
>>>
>>> https://bugzilla.mozilla.org/attachment.cgi?id=9082310
>>>
>>> *Audits:* GlobalSign is audited annually in accordance with the WebTrust criteria by Ernst & Young, Belgium, which found in June 2020 that “throughout the period April 1, 2019 to March 31, 2020, GlobalSign management’s assertion, as referred to above, is fairly stated, in all material respects, in accordance with the WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security, Version 2.3.” The WebTrust audit noted the following 13 Bugzilla incidents, which had been previously reported as of that audit date:
>>>
>>> 1 Misissuance of QWAC certificates.
>>>
>>> 2 Issue with an OCSP responder status.
>>>
>>> 3 Some SSL certificates with US country code and invalid State/Prov have been issued.
>>>
>>> 4 ICAs in CCADB, without EKU extension are listed in WTCA report but not in WTBR report.
>>>
>>> 5 OCSP responders found to respond signed by the default CA when passed an invalid issuer in request.
>>>
>>> 6 Wrong business category on 3 EV SSL certificates.
>>>
>>> 7 OCSP Responder returned invalid values for some precertificates.
>>>
>>> 8 Customer running an on-premise (technically-constrained) CA that chains to a GlobalSign root, issued certificates without AIA extension.
>>>
>>> 9 Misissued 4 certificates with invalid CN.
>>>
>>> 10 Certificates with Subject Public Key Info lacking the explicit NULL parameter.
>>>
>>> 11 Untimely revocation of TLS certificate after submission of private key compromise.
>>>
>>> 12 Unable to revoke 2 noncompliant QWACs within 5 days.
>>>
>>> 13 Unable to revoke noncompliant ICA within 7 days.
>>>
>>> *Incident Reports / Mis-Issuances*
>>>
>>> The following bugs/incidents remain open and are being worked on.
>>>
>>> 1667944 – Empty SingleExtension in OCSP responses <https://bugzilla.mozilla.org/show_bug.cgi?id=1667944>
>>>
>>> 1651447 – Failure to revoke noncompliant ICA within 7 days <https://bugzilla.mozilla.org/show_bug.cgi?id=1651447>
>>>
>>> 1591005 – ICAs in CCADB, without EKU extension are listed in WTCA report but not in WTBR report <https://bugzilla.mozilla.org/show_bug.cgi?id=1591005>
>>>
>>> 1649937 – Incorrect OCSP Delegated Responder Certificate <https://bugzilla.mozilla.org/show_bug.cgi?id=1649937>
>>>
>>> 1668007 – Invalid stateOrProvinceName value <https://bugzilla.mozilla.org/show_bug.cgi?id=1668007>
>>>
>>> 1664328 – SHA-256 hash algorithm used with ECC P-384 key <https://bugzilla.mozilla.org/show_bug.cgi?id=1664328>
>>>
>>> 1575880 – SSL Certificates with US country code and invalid State/Prov <https://bugzilla.mozilla.org/show_bug.cgi?id=1575880>
>>>
>>> No misissuances were found under these roots, and the CA certificates passed technical tests.
>>>
>>> Thus, this email begins a three-week public discussion period, which I’m scheduling to close on or about Tuesday, 2-February-2021.
>>>
>>> Sincerely yours,
>>>
>>> Ben Wilson
>>>
>>> Mozilla Root Program

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
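Two of the defects this thread names are mechanically checkable on any certificate a root program or relying party handles: an RSA subject key below 2048 bits (the 1024-bit issuance in bug 1690807) and an ECDSA signature whose hash does not match the issuer's curve (SHA-256 over a P-384 key, bug 1664328). The following linter is an added example written for this page; it is not code from the thread, from Mozilla or from GlobalSign. It assumes the third-party Python `cryptography` package is installed, and it checks self-signed test certificates that it generates itself (constructed data, not GlobalSign's certificates), so it runs offline. The `lint`, `make_self_signed` and `demo` names and the `CURVE_HASH` table are this example's own; the curve-to-hash pairing follows the Baseline Requirements' allowed ECDSA combinations.

```python
"""Lint X.509 certificates for two defects named in this thread: an RSA
subject key below 2048 bits and a signature whose hash does not match the
issuer's ECC curve (e.g. SHA-256 over a P-384 key).

Added example, not code from the thread, Mozilla or GlobalSign. Assumes the
third-party 'cryptography' package is installed. The certificates it checks
are self-signed test certificates generated below (constructed data), not
real GlobalSign certificates.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

MIN_RSA_BITS = 2048
# Hash expected for an ECDSA signature made with a key on each curve
# (SHA-256 for P-256, SHA-384 for P-384, SHA-512 for P-521).
CURVE_HASH = {"secp256r1": "sha256", "secp384r1": "sha384", "secp521r1": "sha512"}


def lint(cert, issuer_pub=None):
    """Return a list of findings (strings) for cert; empty means clean.

    issuer_pub is the public key that produced cert's signature. For a
    self-signed certificate it is cert's own key, which is the default;
    for a leaf or intermediate, pass the issuing CA's public key.
    """
    findings = []
    subject_pub = cert.public_key()

    # Finding 1: weak RSA subject key (the 1024-bit issue in bug 1690807).
    if isinstance(subject_pub, rsa.RSAPublicKey) and subject_pub.key_size < MIN_RSA_BITS:
        findings.append(
            f"RSA subject key is {subject_pub.key_size} bits, below {MIN_RSA_BITS}"
        )

    # Finding 2: signature hash does not match the issuer's curve (bug 1664328).
    signer = issuer_pub if issuer_pub is not None else subject_pub
    if isinstance(signer, ec.EllipticCurvePublicKey):
        expected = CURVE_HASH.get(signer.curve.name)
        actual = cert.signature_hash_algorithm.name
        if expected is not None and actual != expected:
            findings.append(
                f"signature uses {actual} but issuer key is on {signer.curve.name}; "
                f"expected {expected}"
            )
    return findings


def make_self_signed(key, hash_alg):
    """Build a minimal self-signed test certificate (constructed data)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "lint test")])
    start = datetime.datetime(2021, 1, 1, tzinfo=datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        .sign(key, hash_alg)
    )


def demo():
    """Lint three constructed certificates; returns a label -> findings map."""
    weak_rsa = make_self_signed(rsa.generate_private_key(65537, 1024), hashes.SHA256())
    p384_sha256 = make_self_signed(ec.generate_private_key(ec.SECP384R1()), hashes.SHA256())
    p384_sha384 = make_self_signed(ec.generate_private_key(ec.SECP384R1()), hashes.SHA384())
    return {
        "weak_rsa": lint(weak_rsa),          # one finding: 1024-bit key
        "p384_sha256": lint(p384_sha256),    # one finding: hash/curve mismatch
        "p384_sha384": lint(p384_sha384),    # clean
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "OK")
```

For a certificate that is not self-signed, the signature check only means something when `issuer_pub` is the key of the CA that actually signed it, so a real chain walk would pass each certificate's issuer key in explicitly rather than relying on the default.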