All,

We want to thank everyone involved, collectively, for participating in this public discussion. Considering multiple perspectives is valuable, and we always want to ensure we have a correct understanding of the details.
We want to emphasize Google includes or removes CA certificates within the Chrome Root Store as it deems appropriate for user safety. The selection and ongoing inclusion of CA certificates is done to enhance the security of Chrome and promote interoperability. We considered this event to be an incident, as the originating activity identified potential impact to the CA’s integrity, trustworthiness, or compatibility. In evaluating incidents, Chrome uses the information in the public disclosure as the basis for evaluation. We always expect CA owners to be detailed, candid, timely, and transparent in describing their architecture, implementation, operations, and external dependencies as necessary for the Chrome Root Program and the public to evaluate the nature of the incident and the CA owner’s response. The public discussion that ensued raised valid and direct questions, applicable to publicly-trusted root CA certificates. However, the discussion did not demonstrate why continued trust is justified given the concerns raised and the risk to user safety. Behavior that attempts to degrade or subvert security and privacy on the web is incompatible with organizations whose CA certificates are included in the Chrome Root Store.

Due to a loss of confidence in its ability to uphold these fundamental principles and to protect and safeguard Chrome’s users, certificates issued by TrustCor Systems will no longer be recognized as trusted by:

- Chrome versions 111 (landing in Beta approximately February 9, 2023 and Stable approximately March 7, 2023) and greater; and
- Older versions of Chrome capable of receiving Component Updates <https://chromium.googlesource.com/chromium/src/+/lkgr/components/component_updater/README.md> after Chrome 111’s Stable release date.

With these changes incorporated, users attempting to access a website that directly or transitively chains to one of the affected certificates below will find that it is not considered secure.
Affected Certificates (SHA-256 fingerprint):

- d40e9c86cd8fe468c1776959f49ea774fa548684b6c406f3909261f4dce2575c <https://crt.sh/?q=d40e9c86cd8fe468c1776959f49ea774fa548684b6c406f3909261f4dce2575c>
- 0753e940378c1bd5e3836e395daea5cb839e5046f1bd0eae1951cf10fec7c965 <https://crt.sh/?q=0753e940378c1bd5e3836e395daea5cb839e5046f1bd0eae1951cf10fec7c965>
- 5a885db19c01d912c5759388938cafbbdf031ab2d48e91ee15589b42971d039c <https://crt.sh/?q=5a885db19c01d912c5759388938cafbbdf031ab2d48e91ee15589b42971d039c>

These changes will be implemented via our existing mechanisms to respond to CA incidents via:

- An integrated certificate blocklist, and
- Removal of certificates included in the Chrome Root Store.

Beginning approximately February 9, 2023, website operators can preview these changes in Chrome 111 Beta. Website operators will also be able to preview the change sooner, using our Dev and Canary channels, while the majority of users will not encounter issues until the release of Chrome 111 to the Stable channel, approximately March 7, 2023. We may take further action, or accelerate the timeline described above, as additional information becomes available to us.

These changes will be integrated into the Chromium open-source project as part of a default build. Questions about the expected behavior in specific Chromium-based browsers should be directed to their maintainers.

These changes will be incorporated as part of the regular Chrome release process to ensure sufficient time for testing and replacing affected certificates by website operators. Information about timetables and milestones is available at https://chromiumdash.appspot.com/schedule.

Thank you
- Chris, on behalf of the Chrome Root Program

On Wed, Nov 30, 2022 at 9:23 PM 'Dustin Hollenback' via [email protected] <[email protected]> wrote:

> Hello,
>
> I do not represent the Microsoft Trusted Root Program, but did pass along the message to the appropriate team.
>
> Regards,
>
> Dustin
>
> ------------------------------
> *From:* 'Kurt Seifried' via [email protected] <[email protected]>
> *Sent:* Wednesday, November 30, 2022 4:15:26 PM
> *To:* Rachel McPherson <[email protected]>
> *Cc:* [email protected] <[email protected]>
> *Subject:* [EXTERNAL] Re: concerns about Trustcor
>
> On Wed, Nov 30, 2022 at 6:24 PM Rachel McPherson <[email protected]> wrote:
>
> > All,
> >
> > While we are incredibly disappointed with this decision, we are not going to waste anyone's time with a response to the removal right now.
> >
> > From a practical standpoint, Microsoft seems to have set the distrust date for TrustCor's roots to November 1, 2022 instead of November 30, 2022, which impacts over 1,200 customers who reasonably acquired a TLS certificate from TrustCor between November 1 and November 30. While immaterial to us in this group of readers and vendors, the distinction is important to these customers.
> >
> > Microsoft gave us no advance notice of this decision and we have reached out to Microsoft directly ourselves, but in this public forum if any Microsoft employees can make this change to reasonably mirror Mozilla's decision, it would make a difference to these people.
>
> I'm curious, what thought process leads you to believe that Microsoft is answerable to you? Can you please explain your reasoning here?
>
> > Thank you,
> >
> > Rachel
>
> --
> Kurt Seifried (He/Him)
> [email protected]
>
> --
> You received this message because you are subscribed to the Google Groups "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CABqVa38co%3DED5OETW9dvAn4N8HDWG6znQ%3D%3D6_BAxnA7%3DygTkUA%40mail.gmail.com.
>
> --
> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/PH0PR00MB1134FCD34D4F0A43E8322A05F9149%40PH0PR00MB1134.namprd00.prod.outlook.com.

--
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAAbw9mCPnS4H%2BNjbSF4498BN-cija0Gc5C2s5uMX8URChm78pA%40mail.gmail.com.
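The Chrome announcement above identifies the affected certificates by SHA-256 fingerprint and says any site whose chain directly or transitively includes one of them will stop being treated as secure. The script below is an added example for website operators, not code from the thread or from the Chrome Root Program: it takes a PEM-encoded chain (for instance the output of `openssl s_client -showcerts`), computes the same SHA-256-over-DER fingerprint that crt.sh and the announcement use, and reports any match against the three fingerprints listed. The sample chain embedded in it is constructed from placeholder DER bytes that are not real certificates, so the "affected" path is exercised with a blocklist built from the sample's own fingerprint; the helper names (`affected_in_chain`, `der_to_pem`, and so on) are this example's own.

```python
"""Check a PEM certificate chain against the TrustCor fingerprints
distrusted by the Chrome Root Program (added example, not the thread's code)."""
import base64
import hashlib
import re
import sys

# SHA-256 fingerprints copied from the Chrome Root Program announcement.
# Lowercase hex with no separators is the form crt.sh accepts in its ?q= query.
AFFECTED_FINGERPRINTS = frozenset({
    "d40e9c86cd8fe468c1776959f49ea774fa548684b6c406f3909261f4dce2575c",
    "0753e940378c1bd5e3836e395daea5cb839e5046f1bd0eae1951cf10fec7c965",
    "5a885db19c01d912c5759388938cafbbdf031ab2d48e91ee15589b42971d039c",
})

# Matches each CERTIFICATE block of a PEM bundle; the body is base64 of the DER.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der_blocks(pem_text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in pem_text, in order."""
    return [
        base64.b64decode("".join(m.group(1).split()))
        for m in _PEM_BLOCK.finditer(pem_text)
    ]


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block (64-character base64 lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def sha256_fingerprint(der: bytes) -> str:
    """Certificate fingerprint as published by Chrome and crt.sh: SHA-256 of the DER."""
    return hashlib.sha256(der).hexdigest()


def affected_in_chain(pem_text: str, blocklist=AFFECTED_FINGERPRINTS) -> list[str]:
    """Fingerprints from the chain that appear in the blocklist (empty if unaffected)."""
    fingerprints = (sha256_fingerprint(der) for der in pem_to_der_blocks(pem_text))
    return [fp for fp in fingerprints if fp in blocklist]


# Constructed sample: two minimal DER SEQUENCEs standing in for a leaf and its
# issuer. They are NOT certificates; they only exercise the PEM/DER round trip.
SAMPLE_LEAF_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_ISSUER_DER = b"\x30\x03\x02\x01\x02"
SAMPLE_CHAIN_PEM = der_to_pem(SAMPLE_LEAF_DER) + der_to_pem(SAMPLE_ISSUER_DER)

# A constructed blocklist containing the sample issuer, so the match path runs
# without needing a real distrusted certificate on disk.
SAMPLE_BLOCKLIST = frozenset({sha256_fingerprint(SAMPLE_ISSUER_DER)})


if __name__ == "__main__":
    # Usage: openssl s_client -connect example.test:443 -showcerts </dev/null \
    #        | python check_chain.py
    chain = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CHAIN_PEM
    hits = affected_in_chain(chain)
    if hits:
        print("chain contains distrusted certificate(s):")
        for fp in hits:
            print(f"  {fp}  https://crt.sh/?q={fp}")
        sys.exit(1)
    print("no affected TrustCor certificate in the served chain")
```

Note that servers often omit the root from the chain they send, so a clean result on the served chain is not proof of being unaffected: also fingerprint the root that the chain's last certificate validates to in your own CA bundle, since the distrust applies to anything that chains to the listed certificates transitively.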
