I happened to note that DigiCert has, once again, a set of incomplete disclosures - https://crt.sh/mozilla-disclosures#disclosureincomplete
This has happened in the past - [1] [2] [3], with a fuller history of previous incidents in [4].

DigiCert folks: Could you comment and explain?

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1499585
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1451950
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1650910
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1650910#c30

On Wed, Mar 9, 2022 at 5:51 PM Ben Wilson <[email protected]> wrote:

> All,
>
> This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process (https://wiki.mozilla.org/CA/Application_Process#Process_Overview - Steps 4 through 9) for DigiCert’s inclusion request (Bug # 1706228 <https://bugzilla.mozilla.org/show_bug.cgi?id=1706228>, CCADB Case # 743 <https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000743>) for the following root CA certificates:
>
> *DigiCert TLS RSA4096 Root G5 (websites trust bit, EV)*
>
> Download – https://cacerts.digicert.com/DigiCertRSA4096RootG5.crt.pem
>
> crt.sh - https://crt.sh/?SHA256=371A00DC0533B3721A7EEB40E8419E70799D2B0A0F2C1D80693165F7CEC4AD75
>
> *DigiCert TLS ECC P384 Root G5 (websites trust bit, EV)*
>
> Download – https://cacerts.digicert.com/DigiCertECCP384RootG5.crt.pem
>
> crt.sh – https://crt.sh/?SHA256=018E13F0772532CF809BD1B17281867283FC48C6E13BE9C69812854A490C1B05
>
> *DigiCert SMIME RSA4096 Root G5 (email trust bit)*
>
> Download – https://cacerts.digicert.com/DigiCertSMIMERSA4096RootG5.crt.pem
>
> crt.sh - https://crt.sh/?SHA256=90370D3EFA88BF58C30105BA25104A358460A7FA52DFC2011DF233A0F417912A
>
> *DigiCert SMIME ECC P384 Root G5 (email trust bit)*
>
> Download – https://cacerts.digicert.com/DigiCertSMIMEECCP384RootG5.crt.pem
>
> crt.sh - https://crt.sh/?SHA256=E8E8176536A60CC2C4E10187C3BEFCA20EF263497018F566D5BEA0F94D0C111B
>
> Mozilla is considering approving DigiCert’s request to add these four (4) roots as trust anchors with the trust bits and EV-enabled as indicated above.
>
> *Repository:* The DigiCert document repository is located here: https://www.digicert.com/legal-repository
>
> *Relevant Policy and Practices Documentation:*
>
> Certificate Policy, v. 5.9, dated January 21, 2022
>
> https://www.digicert.com/content/dam/digicert/pdfs/legal/digicert-cp-v5-9.pdf
>
> Certification Practices Statement, v. 5.9, dated January 21, 2022
>
> https://www.digicert.com/content/dam/digicert/pdfs/legal/digicert-cps-v5-9.pdf
>
> *Self-Assessments and Mozilla CPS Reviews* are located as attachments in Bug # 1706228 <https://bugzilla.mozilla.org/show_bug.cgi?id=1706228>:
>
> Mozilla Review of DigiCert CP/CPS and Compliance Self-Assessment <https://bugzilla.mozilla.org/attachment.cgi?id=9252944> (xls)
>
> DigiCert Replies to CP/CPS Review and Compliance Self-Assessment <https://bugzilla.mozilla.org/attachment.cgi?id=9261770> (xls)
>
> *Audits:* Annual audits have been performed by BDO. The most recent audits were completed for the period ending September 30, 2021. See https://www.digicert.com/webtrust-audits.
>
> *Incidents*
>
> DigiCert has no open incidents in Bugzilla. In the past year, there have been five incidents involving DigiCert, which are now closed satisfactorily:
>
> 1727963 <https://bugzilla.mozilla.org/show_bug.cgi?id=1727963>
> DigiCert: Truncation of Registration Number <https://bugzilla.mozilla.org/show_bug.cgi?id=1727963>
>
> 1744795 <https://bugzilla.mozilla.org/show_bug.cgi?id=1744795>
> DigiCert: Issuance of certs with weak keys (ROCA) <https://bugzilla.mozilla.org/show_bug.cgi?id=1744795>
>
> 1710444 <https://bugzilla.mozilla.org/show_bug.cgi?id=1710444>
> DigiCert: Invalid stateOrProvinceName <https://bugzilla.mozilla.org/show_bug.cgi?id=1710444>
>
> 1710856 <https://bugzilla.mozilla.org/show_bug.cgi?id=1710856>
> DigiCert: Invalid localityName <https://bugzilla.mozilla.org/show_bug.cgi?id=1710856>
>
> 1714439 <https://bugzilla.mozilla.org/show_bug.cgi?id=1714439>
> DigiCert: Incorrect RegNumber-Org Type combination <https://bugzilla.mozilla.org/show_bug.cgi?id=1714439>
>
> I have no further questions or concerns about DigiCert’s inclusion request; however, I urge anyone with concerns or questions to raise them on this list by replying directly in this discussion thread. Likewise, a representative of DigiCert must promptly respond directly in the discussion thread to all questions that are posted.
>
> This email begins the 3-week comment period, which I’m scheduling to close on or about March 31, 2022, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).
>
> Sincerely yours,
>
> Ben Wilson
>
> Mozilla Root Program Manager
