I just wanted to point out that e-commerce's communication is still very, very delayed: https://bugzilla.mozilla.org/show_bug.cgi?id=1893546#c1, https://bugzilla.mozilla.org/show_bug.cgi?id=1862004#c9

I think e-commerce is getting into the territory where we should really consider if they're a healthy member of the Mozilla root store. *Does anyone have any arguments on why e-commerce shouldn't be fast tracked to removal from root stores?*

I know in the future we probably need to define certain criteria on how to handle non-responsive CAs such as this. But I don't think we should wait until such a document is prepared before taking action.

On Friday, May 3, 2024 at 9:12:19 AM UTC-4 Wayne wrote:

> Hi Andrew,
>
> I was looking at https://globaltrust.eu/certificate-policy/ and the
> 'GLOBALTRUST 2015 SERVER OV 2' entry which includes a list of test servers.
> I can see there is a different list of test servers listed higher on the
> page, and 2020 functions correctly, but 2015 has the same issue (from the
> 'Testserver SSL-Zertifikate' heading):
>
> GLOBALTRUST 2015 valid certificate
> https://testok-2015-server-qualified-1.e-monitoring.at
> GLOBALTRUST 2015 expired certificate
> https://testold-2015-server-qualified-1.e-monitoring.at
> GLOBALTRUST 2015 revoked certificate
> https://testrevoked-2015-server-qualified-1.e-monitoring.at
>
> This seems to have been an abandoned practice by globaltrust and the
> entries are inconsistent on whether they have any listed.
>
> - Wayne
>
> On Friday, May 3, 2024 at 1:59:59 PM UTC+1 Andrew Ayer wrote:
>
>> Hi Wayne,
>>
>> On Fri, 3 May 2024 04:29:15 -0700 (PDT)
>> Wayne <rdau...@gmail.com> wrote:
>>
>> > They don't list valid/expired/revoked domains for all of their
>> > sub-CAs
>>
>> CAs are only required to provide one set of test websites per root, not
>> for every sub-CA.
>>
>> > and even the ones they do are running on the same wildcard
>> > covering:
>> >
>> > DNS:timestamp.globaltrust.eu
>> > DNS:*.globaltrust.eu
>> > DNS:*.globaltrust.at
>> > DNS:*.globaltrust.info
>> > DNS:*.a-cert.at
>> > DNS:*.e-monitoring.at
>> >
>> > See: https://crt.sh/?id=9532011580
>>
>> Where are you seeing this disclosed as a test website certificate? The
>> disclosures that I see in the CCADB for GLOBALTRUST's Mozilla-trusted
>> root are:
>>
>> https://testok-2020-server-qualified-ev-1.e-monitoring.at/
>> https://testold-2020-server-qualified-ev-1.e-monitoring.at/
>> https://testrevoked-2020-server-qualified-ev-1.e-monitoring.at/
>>
>> Those all look correct to me.
>>
>> Regards,
>> Andrew