On September 20, 2021, we began a three-week public discussion[1] on a request from ISRG/Let’s Encrypt for inclusion of its ECDSA root certificate, the ISRG Root X2.[2] (Step 4 of the Mozilla Root Store CA Application Process[3]).

*Summary of Discussion and Completion of Action Items [Application Process, Steps 5-8]:*

Today I closed bug #1729567 <https://bugzilla.mozilla.org/show_bug.cgi?id=1729567> (Delay updating OCSP responses) because ISRG has, among other improvements, updated its internal monitoring and alerting to ensure maintenance of timely OCSP responses. (ISRG had served OCSP responses which had not been updated in the previous 4 days, in violation of the Baseline Requirements, Section 4.9.10.)

ISRG currently has the following remaining bugs open:

1715455 <https://bugzilla.mozilla.org/show_bug.cgi?id=1715455>
Issuance of certificates with an extra second beyond the lifetime stated by ISRG in its own CP/CPS. This was not a violation of the Baseline Requirements. The ISRG CP and CPS have been revised for consistency with actual practice. I consider this matter to be mostly addressed, pending resolution of Bug #1715672, below. (Also, ISRG is developing a retrospective review of its historical CA Compliance incidents.)

1715672 <https://bugzilla.mozilla.org/show_bug.cgi?id=1715672>
Related to Bug #1715455 above. ISRG has declared its intent to not revoke these certificates. ISRG will test an additional fix (by removing the one additional second in the validity period) in its staging environment on or by 2021-11-12.

1735247 <https://bugzilla.mozilla.org/show_bug.cgi?id=1735247>
As of 2021-10-01, the Baseline Requirements require that “the Fully-Qualified Domain Name or the FQDN portion of the Wildcard Domain Name MUST consist solely of Domain Labels that are P-Labels or Non-Reserved LDH Labels”. ISRG mis-issued 7 certificates that were non-compliant with domain labels like a---foo (Reserved Labels that were not P-Labels). ISRG immediately patched its issuance software. It is implementing a pre-issuance lint check, as an additional measure, and I intend to close this bug on or about next Wed. 20-Oct-2021, unless there are any objections or further questions.
We did not receive any objections or other questions or comments in opposition to ISRG’s request. I do not believe that the issues listed above merit a delay in Mozilla’s approval decision, and any further discussion of these issues can take place in their respective Bugzilla bugs.

*Close of Public Discussion and Intent to Approve [Application Process, Steps 9-10]:*

This is notice that I am closing public discussion (Application Process, Step 9) and that it is Mozilla’s intent to approve ISRG’s/Let’s Encrypt’s request (Step 10). This begins a 7-day “last call” period for any final objections.

Thanks,
Ben

[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/D8coPL0eU3k/m/bE_aRuWxCAAJ
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1701317
[3] https://wiki.mozilla.org/CA/Application_Process#Process_Overview

On Mon, Sep 20, 2021 at 11:13 AM Ben Wilson <[email protected]> wrote:

> A root inclusion request has been submitted by Internet Security Research Group (Let’s Encrypt). This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process (see https://wiki.mozilla.org/CA/Application_Process#Process_Overview (Steps 4 through 9) to add the ISRG Root X2 (EC secp384r1) to the root store in order for Let's Encrypt to be able to provide a full chain with ECDSA support.
>
> The application has been tracked in the CCADB and in Bugzilla as follows:
>
> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000749
> https://bugzilla.mozilla.org/show_bug.cgi?id=1701317
>
> Mozilla is considering approving ISRG’s inclusion request. This email begins a 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).
>
> *Root Certificate Information:*
>
> *ISRG Root X2*
> https://crt.sh/?q=69729B8E15A86EFC177A57AFB7171DFC64ADD28C2FCA8CF1507E34453CCB1470
> Download – https://letsencrypt.org/certs/isrg-root-x2.pem
>
> *CP/CPS:*
> The current CP and CPS were published August 20, 2021 –
> *CP-* https://letsencrypt.org/documents/isrg-cp-v3.1/
> *CPS-* https://letsencrypt.org/documents/isrg-cps-v4.1/
> Most Recent CP/CPS review - https://bugzilla.mozilla.org/show_bug.cgi?id=1701317#c8
> Repository location: https://letsencrypt.org/repository/
>
> *Audits:*
> ISRG’s WebTrust auditor is Schellman & Company, LLC. ISRG’s last audit report was dated October 2, 2020.
> The 2020 WebTrust audits (PDF) may be downloaded here:
> *Standard* - https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=247931
> *BR* - https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=247932
>
> ISRG incidents since January 1, 2020, include the following:
>
> 1619047 <https://bugzilla.mozilla.org/show_bug.cgi?id=1619047> - CAA Rechecking bug - Fixed
> 1619179 <https://bugzilla.mozilla.org/show_bug.cgi?id=1619179> - Incomplete revocation for CAA rechecking bug - Fixed
> 1625322 <https://bugzilla.mozilla.org/show_bug.cgi?id=1625322> - Failure to revoke key-compromised certificates within 24 hours - Fixed
> 1627614 <https://bugzilla.mozilla.org/show_bug.cgi?id=1627614> - Failure to revoke key-compromised certificates within 24 hours - Fixed
> 1639794 <https://bugzilla.mozilla.org/show_bug.cgi?id=1639794> - Failure to revoke key-compromised certificate within 24 hours - Fixed
> 1645276 <https://bugzilla.mozilla.org/show_bug.cgi?id=1645276> - Expired ISRG Root OCSP X1 Certificate - Fixed
> 1648840 <https://bugzilla.mozilla.org/show_bug.cgi?id=1648840> - OCSP responses with no revocationReason - Fixed
> 1666047 <https://bugzilla.mozilla.org/show_bug.cgi?id=1666047> - 302 total OCSP responses available beyond acceptable timelines - Fixed
> 1684112 <https://bugzilla.mozilla.org/show_bug.cgi?id=1684112> - Failure to audit log subscriber certificate OCSP updates - Fixed
> 1715455 <https://bugzilla.mozilla.org/show_bug.cgi?id=1715455> - certificate lifetimes 90 days plus one second - Open
> 1715672 <https://bugzilla.mozilla.org/show_bug.cgi?id=1715672> - Failure to revoke for Certificate Lifetime Incident - Open
> 1729567 <https://bugzilla.mozilla.org/show_bug.cgi?id=1729567> - Delay updating OCSP responses - Open
>
> Thus, this email begins a three-week public discussion period, which I’m scheduling to close on or about 11-October-2021.
>
> A representative of ISRG/Let’s Encrypt must promptly respond directly in the discussion thread to all questions that are posted.
>
> Sincerely yours,
>
> Ben Wilson
> Mozilla Root Program
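The domain-label rule behind bug 1735247 above (labels must be P-Labels or Non-Reserved LDH Labels, so a Reserved LDH Label such as a---foo that is not an xn-- label must be rejected) is the kind of check a pre-issuance linter enforces. The following is an added illustration written for this thread, not ISRG's or Boulder's code; it assumes RFC 5890's definitions of LDH, Reserved LDH and A-labels, treats a P-Label as an xn-- label whose remainder is valid Punycode, and leaves full IDNA2008 U-label validation out of scope.

```python
"""Pre-issuance lint for the BR domain-label rule cited in bug 1735247.

Constructed example, not ISRG/Boulder code.  A label passes only if it is an
LDH label (RFC 5890) that is either Non-Reserved (no "--" in positions 3 and
4) or a P-Label: an "xn--" label whose remainder decodes as Punycode.  Full
IDNA2008 U-label validation is assumed to be out of scope here.
"""
import codecs
import re
from typing import List, Optional

# LDH label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
_LDH = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def label_problem(label: str) -> Optional[str]:
    """Return None if the label is permitted by the rule, else a short reason."""
    label = label.lower()
    if not _LDH.match(label):
        return "not an LDH label"
    if label[2:4] != "--":
        return None  # Non-Reserved LDH Label: always permitted
    # Reserved LDH Label ("--" in positions 3 and 4): only the xn-- form
    # (a P-Label / A-label) is permitted; a---foo and ab--cd fail here.
    if not label.startswith("xn--"):
        return "reserved LDH label that is not a P-Label"
    try:
        codecs.decode(label[4:].encode("ascii"), "punycode")
    except UnicodeError:
        return "xn-- label with invalid Punycode"
    return None


def lint_fqdn(name: str) -> List[str]:
    """Lint every label of an FQDN, or the FQDN portion of a wildcard name.

    Returns "label: reason" findings; an empty list means the name complies.
    """
    labels = name.rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]  # wildcard: only the FQDN portion is checked
    findings = []
    for lab in labels:
        reason = label_problem(lab)
        if reason:
            findings.append(f"{lab}: {reason}")
    return findings


if __name__ == "__main__":
    # Constructed sample SANs; "a---foo" mirrors the pattern cited in the bug.
    for san in ["a---foo.example", "xn--mnchen-3ya.example", "*.ab--cd.example"]:
        print(san, "->", lint_fqdn(san) or "ok")
```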
