Hi Amir,

Although we are dedicated to complying with the BRs, unfortunately, 
incidents of BR violations have still occurred. I believe this community 
understands that incidents can happen with any CA, but what truly matters 
is the CA's attitude towards addressing the problems and working to resolve 
their root causes. Over the past three months, we have made every effort to 
disclose these incidents with maximum transparency and promptness. We have 
followed Mozilla and CCADB requirements in writing incident reports and 
have responded to community questions in a timely manner. Additionally, we 
have conducted thorough internal reviews and implemented numerous technical 
and administrative preventive measures. Although the process may not have 
been perfect, I believe we have not ignored the existence of the BRs.

Regarding your concern about CPS section 4.9.2, according to your example, 
if the domain owner and the subscriber are different individuals, our CPS 
states, "If anyone other than the above-mentioned persons suspects that the 
certificate key has been compromised or other security matters,..." You 
still have the right to request revocation.

In [comment 26 of Bug 
1886110](https://bugzilla.mozilla.org/show_bug.cgi?id=1886110#c26), we have 
detailed the timeline for certificate status publication. We also 
understand that according to BR 4.9.5, the time frame for the revocation 
process is considered complete only when it is published. In the future, 
when encountering similar urgent situations, we will activate the forced 
publication feature rather than relying on scheduled routine operations.

Thank you for your feedback.

Hao-Chun Li
TWCA

On Wednesday, June 5, 2024 at 7:31:15 UTC+8, Amir Omidi (aaomidi) wrote:

> TWCA has a couple of incidents open for revocation delays. I think until 
> this CA can show that it can follow its own CP/CPS and BRs, new trust 
> anchors from that CA should not be accepted into the Mozilla Trust Store. 
> Beyond that, looking at the document linked here: 
> https://www.twca.com.tw/upload/saveArea/filePage/20240313/05926332a5cb42bbb70bc7a0c841dff4/05926332a5cb42bbb70bc7a0c841dff4.pdf
>  
> in section 4.9.2, they seem to not actually include non-subscribers as 
> entities that can request revocation. For example, if some subscriber 
> manages to issue a certificate for a domain I own, and I decide to get that 
> revoked, under this document it doesn't seem like I have the authority to 
> do that.
>
> My objection is that while the CA is showing that they're comfortable 
> ignoring the BRs, they should not be permitted to have additional roots 
> join the trust store. Specifically, on this incident: 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1886110 - they didn't even 
> understand what revocation actually entails.
>
> I'll go even further and say that Mozilla should consider a motion of distrust on 
> this CA rather than extending trust to them even further than it already 
> has - but that is a discussion for another thread.
> On Tuesday, June 4, 2024 at 6:41:06 PM UTC Ben Wilson wrote:
>
>> Greetings,
>>
>> Public discussion regarding inclusion of the TWCA CYBER Root CA (websites 
>> trust bit with EV) and the TWCA Global Root CA G2 (email trust bit) 
>> began on the CCADB Public List on April 22, 2024 (
>> https://groups.google.com/a/ccadb.org/g/public/c/rAsxoNILZ6A/m/vqn7iTHEAwAJ) 
>> and concluded recently (
>> https://groups.google.com/a/ccadb.org/g/public/c/rAsxoNILZ6A/m/eapyrQcjBgAJ
>> ).
>>
>>  
>>
>> Additional details concerning this request may be found in the 
>> above-referenced discussions, in Bugzilla #1849702 
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1849702>, and in CCADB 
>> Case Number *00001244 
>> <https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001244>*
>> .
>>
>>
>> The inclusion process is outlined here: 
>> https://wiki.mozilla.org/CA/Application_Process#Process_Overview. 
>> Additional information about application review may be found here: 
>> https://wiki.mozilla.org/CA/Application_Verification.
>>
>>
>> This is Mozilla's notice of intent to approve Taiwan CA’s root inclusion 
>> request.
>>
>>  
>>
>> This begins a 7-day “last call” period for any final objections.
>>
>> Thanks,
>>
>> Ben
>>
>
