On August 25th 2021, Ben Wilson wrote:
> This is to announce the beginning of the public discussion phase for Google 
> Trust Services' (GTS) request to replace five existing root CA certificates 
> with ones that were re-signed last year, August 13, 2020.  See 
> https://wiki.mozilla.org/CA/Application_Process#Process_Overview, (Steps 4 
> through 9).
> The five roots are as follows:  GTS Root R1, GTS Root R2, GTS Root R3, GTS 
> Root R4, and the GlobalSign ECC Root CA - R4.  (A sixth root CA certificate, 
> the GlobalSign Root CA - R2, was re-signed using SHA1, and so I have removed 
> it from this inclusion request.) The reason for their replacement is that the 
> original CA certificates do not contain the digitalSignature key usage bit, 
> which is required for direct OCSP signing by the CA. (See 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1652581)

Ben, Kathleen, Clint, Ryan, Ryan, and Ryan,

I realize that I'm posting this message quite some time after the end of the 
3-week comment period.  Sorry about that, but I hope you'll agree that this 
needs to be discussed...

Sectigo recently announced a plan (see bug 1741777) to replace several root 
certificates for the same reason cited by GTS (i.e., to add the 
digitalSignature bit), but in 
https://bugzilla.mozilla.org/show_bug.cgi?id=1741777#c3 Ryan Sleevi wrote "I 
don't believe the proposed approach actually remediates the compliance issue".  
The substance of that comment seems to apply just as much to GTS as to Sectigo, 
but it doesn't appear to have been discussed in relation to GTS's root 
replacement plan (either in this list thread or in any of the relevant GTS bugs 
on Bugzilla).

Since remediating the compliance issue is the sole reason that GTS are 
replacing their root certificates, it seems to me that GTS, the root program 
owners, and the wider community, should consider the potential ramifications of 
https://bugzilla.mozilla.org/show_bug.cgi?id=1741777#c3 on GTS's root 
replacement plan right away, before the December 2021 Batch of Root Changes is 
finalized.

Sectigo has paused its root replacement plan, pending the outcome of this 
discussion.
________________________________
From: dev-security-policy@mozilla.org <dev-security-policy@mozilla.org> on 
behalf of Ben Wilson <bwil...@mozilla.com>
Sent: 25 August 2021 22:26
To: dev-secur...@mozilla.org <dev-security-policy@mozilla.org>
Subject: Public Discussion of Google Trust Services' Request to Replace Root CA 
Certificates

This is to announce the beginning of the public discussion phase for Google 
Trust Services' (GTS) request to replace five existing root CA certificates 
with ones that were re-signed last year, August 13, 2020.  See 
https://wiki.mozilla.org/CA/Application_Process#Process_Overview, (Steps 4 
through 9).

The five roots are as follows:  GTS Root R1, GTS Root R2, GTS Root R3, GTS Root 
R4, and the GlobalSign ECC Root CA - R4.  (A sixth root CA certificate, the 
GlobalSign Root CA - R2, was re-signed using SHA1, and so I have removed it 
from this inclusion request.) The reason for their replacement is that the 
original CA certificates do not contain the digitalSignature key usage bit, 
which is required for direct OCSP signing by the CA. (See 
https://bugzilla.mozilla.org/show_bug.cgi?id=1652581)

GTS’ request has been tracked in the CCADB and in Bugzilla as follows:

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000666

https://bugzilla.mozilla.org/show_bug.cgi?id=1675821

Mozilla is considering approving GTS’ request. This email begins a 3-week 
comment period, after which, if no concerns are raised, we will close the 
discussion and the request may proceed with steps required to replace the 
certificates in question.

Root Certificate Information:

GTS Root R1

https://crt.sh/?q=D947432ABDE7B7FA90FC2E6B59101B1280E0E1C7E4E40FA3C6887FFF57A7F4CF

    Download – https://pki.goog/repo/certs/gtsr1.pem

Replaces https://crt.sh/?id=139646520

GTS Root R2

https://crt.sh/?q=8D25CD97229DBF70356BDA4EB3CC734031E24CF00FAFCFD32DC76EB5841C7EA8

    Download – https://pki.goog/repo/certs/gtsr2.pem

Replaces https://crt.sh/?id=139646522

GTS Root R3

https://crt.sh/?q=34D8A73EE208D9BCDB0D956520934B4E40E69482596E8B6F73C8426B010A6F48

    Download – https://pki.goog/repo/certs/gtsr3.pem

Replaces https://crt.sh/?id=139646519

GTS Root R4

https://crt.sh/?q=349DFA4058C5E263123B398AE795573C4E1313C83FE68F93556CD5E8031B3C7D

    Download – https://pki.goog/repo/certs/gtsr4.pem

Replaces https://crt.sh/?id=139646525

GlobalSign ECC Root CA - R4

https://crt.sh/?q=B085D70B964F191A73E4AF0D54AE7A0E07AAFDAF9B71DD0862138AB7325A24A2

    Download – https://pki.goog/repo/certs/gsr4.pem

Replaces https://crt.sh/?id=8644166



CP/CPS:

Current CPS is Version 4.0 /  August 11, 2021

https://pki.goog/repo/cps/4.0/GTS-CPS.pdf

Repository location:   https://pki.goog/



Audits:

GTS’s WebTrust auditor is Ernst & Young, and the most recent audit reports are 
dated November 2, 2020. These may be downloaded by clicking on the WebTrust 
seals on GTS’s repository page <https://pki.goog/>.  The WebTrust Baseline 
Requirements audit noted the following four incidents (closed):

1 - https://bugzilla.mozilla.org/show_bug.cgi?id=1630040 (OCSP responder issue)

2 - https://bugzilla.mozilla.org/show_bug.cgi?id=1652581 (digitalSignature 
KeyUsage not set – which gave rise to this inclusion request)

3 - https://bugzilla.mozilla.org/show_bug.cgi?id=1625498 (tracking possible 
audit delay)

4 - https://bugzilla.mozilla.org/show_bug.cgi?id=1667844 (certificates not 
disclosed in CCADB)

Other Incidents (Closed):

5 - https://bugzilla.mozilla.org/show_bug.cgi?id=1678183 (invalid ASN.1 
encoding in OCSP response)

6 - https://bugzilla.mozilla.org/show_bug.cgi?id=1706967 (CPS stated outdated 
DV method from BR 3.2.2.4.10)

7 - https://bugzilla.mozilla.org/show_bug.cgi?id=1708516 (delayed incident 
updates)

8 - https://bugzilla.mozilla.org/show_bug.cgi?id=1709223 (SHA1 signing of 
GlobalSign Root CA - R2)

9 - https://bugzilla.mozilla.org/show_bug.cgi?id=1715421 (delayed revocation 
of end entity certificate)

Thus, this email begins a three-week public discussion period, which I’m 
scheduling to close on or about 15-September-2021.

A representative of GTS must promptly respond directly in the discussion thread 
to all questions that are posted.

Sincerely yours,

Ben Wilson

Mozilla Root Program

--
You received this message because you are subscribed to the Google Groups 
"dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dev-security-policy+unsubscr...@mozilla.org.
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZ2d_si6PFNHgjkSzUEyYb9t4afJWQ6%2Bo%3DcUN%3DWmwmN3w%40mail.gmail.com.
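
Added example (not part of the original emails, and not code from Mozilla, GTS or Sectigo): the thread turns on whether a CA certificate asserts the digitalSignature key usage bit, so this decodes a DER-encoded keyUsage extension and reports that bit. The function names are hypothetical and the two sample extensions are constructed byte strings, not taken from the certificates listed above.

```python
# Added example: decode an X.509 keyUsage extension (RFC 5280, section 4.2.1.3)
# and report whether digitalSignature is asserted. Sample bytes are constructed.

KEY_USAGE_OID = bytes.fromhex("551d0f")  # 2.5.29.15 (id-ce-keyUsage)
BIT_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
             "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
             "encipherOnly", "decipherOnly"]


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def parse_key_usage(extension_der):
    """Decode one Extension SEQUENCE; return (critical, set of bit names)."""
    tag, body, _ = read_tlv(extension_der)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or oid != KEY_USAGE_OID:
        raise ValueError("not a keyUsage extension")
    tag, value, pos = read_tlv(body, pos)
    critical = False
    if tag == 0x01:  # optional BOOLEAN "critical", DEFAULT FALSE
        critical = value != b"\x00"
        tag, value, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, bits, _ = read_tlv(value)
    # First content byte of a BIT STRING is the count of unused trailing bits.
    if tag != 0x03 or len(bits) < 2 or bits[0] > 7:
        raise ValueError("keyUsage must be a non-empty BIT STRING")
    unused, payload = bits[0], bits[1:]
    total_bits = len(payload) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(BIT_NAMES))):
        if payload[i // 8] & (0x80 >> (i % 8)):  # bit 0 is the MSB of byte 0
            names.add(BIT_NAMES[i])
    return critical, names


def may_sign_ocsp_directly(extension_der):
    """True when the CA certificate asserts digitalSignature."""
    return "digitalSignature" in parse_key_usage(extension_der)[1]


# Constructed samples: critical keyUsage without and with digitalSignature.
WITHOUT_DS = bytes.fromhex("300e0603551d0f0101ff040403020106")
WITH_DS = bytes.fromhex("300e0603551d0f0101ff040403020186")

if __name__ == "__main__":
    for label, der in (("without", WITHOUT_DS), ("with", WITH_DS)):
        print(label, sorted(parse_key_usage(der)[1]), may_sign_ocsp_directly(der))
```

The only difference between the two samples is the final byte (06 versus 86), which is the single bit at issue in the root replacement request.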
