A root inclusion request has been submitted by Internet Security Research Group (Let’s Encrypt). This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process (see https://wiki.mozilla.org/CA/Application_Process#Process_Overview (Steps 4 through 9) to add the ISRG Root X2 (EC secp384r1) to the root store in order for Let's Encrypt to be able to provide a full chain with ECDSA support.
The application has been tracked in the CCADB and in Bugzilla as follows: https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000749 https://bugzilla.mozilla.org/show_bug.cgi?id=1701317 Mozilla is considering approving ISRG’s inclusion request. This email begins a 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10). *Root Certificate Information:* *ISRG Root X2* https://crt.sh/?q=69729B8E15A86EFC177A57AFB7171DFC64ADD28C2FCA8CF1507E34453CCB1470 Download – https://letsencrypt.org/certs/isrg-root-x2.pem *CP/CPS:* The current CP and CPS were published August 20, 2021 – *CP-* https://letsencrypt.org/documents/isrg-cp-v3.1/ *CPS-* https://letsencrypt.org/documents/isrg-cps-v4.1/ Most Recent CP/CPS review - https://bugzilla.mozilla.org/show_bug.cgi?id=1701317#c8 Repository location: https://letsencrypt.org/repository/ *Audits:* ISRG’s WebTrust auditor is Schellman & Company, LLC. ISRG’s last audit report was dated October 2, 2020. The 2020 WebTrust audits (PDF) may be downloaded here: *Standard* - https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=247931 *BR* - https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=247932 ISRG incidents since January 1, 2020, include the following: 1619047 <https://bugzilla.mozilla.org/show_bug.cgi?id=1619047> CAA Rechecking bug <https://bugzilla.mozilla.org/show_bug.cgi?id=1619047> Fixed 1619179 <https://bugzilla.mozilla.org/show_bug.cgi?id=1619179> Incomplete revocation for CAA rechecking bug <https://bugzilla.mozilla.org/show_bug.cgi?id=1619179> Fixed 1625322 <https://bugzilla.mozilla.org/show_bug.cgi?id=1625322> Failure to revoke key-compromised certificates within 24 hours <https://bugzilla.mozilla.org/show_bug.cgi?id=1625322> Fixed 1627614 <https://bugzilla.mozilla.org/show_bug.cgi?id=1627614> Failure to revoke key-compromised certificates within 24 hours <https://bugzilla.mozilla.org/show_bug.cgi?id=1627614> Fixed 1639794 <https://bugzilla.mozilla.org/show_bug.cgi?id=1639794> Failure to revoke key-compromised certificate within 24 hours <https://bugzilla.mozilla.org/show_bug.cgi?id=1639794> Fixed 1645276 <https://bugzilla.mozilla.org/show_bug.cgi?id=1645276> Expired ISRG Root OCSP X1 Certificate <https://bugzilla.mozilla.org/show_bug.cgi?id=1645276> Fixed 1648840 <https://bugzilla.mozilla.org/show_bug.cgi?id=1648840> OCSP responses with no revocationReason <https://bugzilla.mozilla.org/show_bug.cgi?id=1648840> Fixed 1666047 <https://bugzilla.mozilla.org/show_bug.cgi?id=1666047> 302 total OCSP responses available beyond acceptable timelines <https://bugzilla.mozilla.org/show_bug.cgi?id=1666047> Fixed 1684112 <https://bugzilla.mozilla.org/show_bug.cgi?id=1684112> Failure to audit log subscriber certificate OCSP updates <https://bugzilla.mozilla.org/show_bug.cgi?id=1684112> Fixed 1715455 <https://bugzilla.mozilla.org/show_bug.cgi?id=1715455> certificate lifetimes 90 days plus one second <https://bugzilla.mozilla.org/show_bug.cgi?id=1715455> Open 1715672 <https://bugzilla.mozilla.org/show_bug.cgi?id=1715672> Failure to revoke for Certificate Lifetime Incident <https://bugzilla.mozilla.org/show_bug.cgi?id=1715672> Open 1729567 <https://bugzilla.mozilla.org/show_bug.cgi?id=1729567> Delay updating OCSP responses <https://bugzilla.mozilla.org/show_bug.cgi?id=1729567> Open Thus, this email begins a three-week public discussion period, which I’m scheduling to close on or about 11-October-2021. A representative of ISRG/Let’s Encrypt must promptly respond directly in the discussion thread to all questions that are posted. Sincerely yours, Ben Wilson Mozilla Root Program -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYyj1JLuhKwkVp4J96mObfEA%2Bb0e7TUQaXSe80%2BdFVTEA%40mail.gmail.com.
