All,

We appreciate the comments received from the community on m-d-s-p and in Bugzilla regarding several recent incidents involving e-commerce monitoring GmbH (ECM). A summary of the most recent Bugzilla incidents has been published on the Mozilla wiki, https://wiki.mozilla.org/CA/e-commerce-monitoring_Issues.
Public discussion and our review have highlighted long-running and unresolved compliance issues with ECM, including but not limited to (1) a failure to recognize, understand, and adhere to the compliance obligations of a publicly trusted CA, (2) repeated failure to meet the requirements for timely updates in line with incident reporting requirements (i.e. https://www.ccadb.org/cas/incident-report#incident-reports and https://wiki.mozilla.org/CA/Responding_To_An_Incident#Keeping_Us_Informed), and (3) inadequate responses, root cause analyses, and mitigations.

Problems with ECM's operations and compliance began surfacing in February 2023, with the mis-issuance of certificates reported in Bug 1815534 <https://bugzilla.mozilla.org/show_bug.cgi?id=1815534> and further detailed in Bug 1830536 <https://bugzilla.mozilla.org/show_bug.cgi?id=1830536>. This revealed a substantial misunderstanding of root program requirements around timely incident response and rectification, leading to a delayed revocation incident (Bug 1862004 <https://bugzilla.mozilla.org/show_bug.cgi?id=1862004>). The overall finalization of these incident reports took over a year, completing in February 2024, due to both failures to include necessary information and excessive delays in responses by ECM.

These issues have intensified in recent months, with a mis-issuance reported in Bug 1883711 <https://bugzilla.mozilla.org/show_bug.cgi?id=1883711>, which was then revoked with the incorrect reason code. Numerous further issues emerged in the incident response, including excessive delays in responses, failure to disclose a similarly mis-issued certificate that was revoked but not mentioned in the subsequent incident report, failure to promptly self-report the initial incident when the CA became aware of it, and failure to identify suitable preventative steps to address the root cause.
This incident remains unresolved as of this post, and it is unclear that sufficient preventative actions have been taken by ECM.

In Bug 1888371 <https://bugzilla.mozilla.org/show_bug.cgi?id=1888371>, reported on March 28, 2024, ECM was discovered to be serving incorrectly signed CRLs, violating the CA/Browser Forum's TLS Baseline Requirements. Although ECM attempted an initial fix which proved ineffective, ECM has now missed the target date they set for themselves for a solution (May 31, 2024), meaning that their revocation infrastructure for some of their certificates has been unavailable for over 70 days, and ECM has not given any update on their progress towards resolution for over 30 days. ECM's general failure to respond in line with incident reporting requirements in a timely fashion is discussed further in Bug 1893546 <https://bugzilla.mozilla.org/show_bug.cgi?id=1893546>.

Mozilla's expectations for all CA operators participating in its root store are clear: they must provide timely updates and effective resolutions to incidents, they must ensure that root cause analyses are thorough and promptly updated based on community feedback, and they must maintain adequate staffing and resources.

In light of ECM's persistent issues, we will be setting "Distrust After" dates for the websites and email trust bits associated with ECM's GLOBALTRUST 2020 root CA, effective June 30, 2024. TLS server authentication and S/MIME certificates issued before June 30, 2024, will be unaffected by this change, but certificates issued after June 30, 2024, will not be trusted.

We want to clarify that although a separate assessment of ECM's continued inclusion in Mozilla's Root Store was underway due to their acquisition by AUSTRIA CARD, this decision to remove ECM is unrelated to that ownership change and should not be considered a negative finding against AUSTRIA CARD.
Should AUSTRIA CARD or a related entity seek inclusion in Mozilla's Root Store in the future, that application will be considered on its merits.

Sincerely yours,

Ben Wilson
Mozilla Root Program Manager

--
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZMYjgxYAi72yPwcN3X_QJNqDUydpTyAuvmtBR9X80f1w%40mail.gmail.com.
