Hi David,

We are currently not using CT, but we will keep a close eye on any reports of backdating based on discrepancies between SCTs and notBefore dates. Our long-term plan is to enhance our validity checking with CT.

Thanks,
Ben
On Tue, Jun 11, 2024 at 9:02 AM David Adrian <[email protected]> wrote:
>
> In light of ECM’s persistent issues, we will be setting “Distrust
> After” dates for websites and email trust bits associated with ECM’s
> GLOBALTRUST 2020 root CA, effective June 30, 2024.
>
> Hi Ben,
>
> Will this be enforced solely based on NotBefore? Or will SCT timestamps be
> taken into account? If solely based on NotBefore, are you monitoring for
> backdated certificates in any way?
>
> Thanks,
>
> -dadrian
>
> On Tue, Jun 11, 2024 at 10:59 AM 'Ben Wilson' via
> [email protected] <[email protected]> wrote:
>
>> All,
>>
>> We appreciate the comments received from the community on m-d-s-p and in
>> Bugzilla regarding several recent incidents involving e-commerce monitoring
>> GmbH (ECM). A summary of the most recent Bugzilla incidents has been
>> published on the Mozilla wiki,
>> https://wiki.mozilla.org/CA/e-commerce-monitoring_Issues.
>>
>> Public discussion and our review have highlighted long-running and
>> unresolved compliance issues with ECM, including but not limited to (1) a
>> failure to recognize, understand, and adhere to the compliance obligations
>> of a publicly trusted CA, (2) repeated failure to meet the requirements for
>> timely updates in line with incident reporting requirements (i.e.
>> https://www.ccadb.org/cas/incident-report#incident-reports and
>> https://wiki.mozilla.org/CA/Responding_To_An_Incident#Keeping_Us_Informed),
>> and (3) inadequate responses, root cause analyses, and mitigations.
>>
>> Problems with ECM's operations and compliance began surfacing in February
>> 2023, with the mis-issuance of certificates reported in Bug 1815534
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1815534> and further
>> detailed in Bug 1830536
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1830536>. This revealed a
>> substantial misunderstanding of root program requirements around timely
>> incident response and rectification, leading to a delayed revocation
>> incident (Bug 1862004
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1862004>). The overall
>> finalization of these incident reports took over a year, completing in
>> February 2024, due to both failures to include necessary information and
>> excessive delays in responses by ECM.
>>
>> These issues have intensified in recent months, with a mis-issuance
>> reported in Bug 1883711
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1883711>, which was then
>> revoked with the incorrect reason code. Numerous further issues emerged in
>> the incident response, including excessive delays in responses, failure to
>> disclose a similarly mis-issued certificate that was revoked but not
>> mentioned in the subsequent incident report, failure to promptly
>> self-report the initial incident when the CA became aware of it, and
>> failure to identify suitable preventative steps to address the root cause.
>> This incident remains unresolved as of this post, and it is unclear that
>> sufficient preventative actions have been taken by ECM.
>>
>> In Bug 1888371 <https://bugzilla.mozilla.org/show_bug.cgi?id=1888371>
>> reported on March 28, 2024, ECM was discovered to be serving incorrectly
>> signed CRLs, violating the CA/Browser Forum’s TLS Baseline Requirements.
>> Although ECM attempted an initial fix which proved ineffective, ECM has now
>> missed the target date they set for themselves for a solution (May 31,
>> 2024), meaning that their revocation infrastructure for some of their
>> certificates has been unavailable for over 70 days, and ECM has not given
>> any update on their progress towards resolution for over 30 days.
>>
>> ECM's general failure to respond in line with incident reporting
>> requirements in a timely fashion is discussed further in Bug 1893546
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1893546>.
>>
>> Mozilla’s expectations for all CA operators participating in its root
>> store are clear: they must provide timely updates and effective resolutions
>> to incidents, they must ensure that root cause analyses are thorough and
>> promptly updated based on community feedback, and they must maintain
>> adequate staffing and resources.
>>
>> In light of ECM’s persistent issues, we will be setting “Distrust After”
>> dates for websites and email trust bits associated with ECM’s GLOBALTRUST
>> 2020 root CA, effective June 30, 2024. TLS server authentication and S/MIME
>> certificates issued before June 30, 2024, will be unaffected by this
>> change, but certificates issued after June 30, 2024, will not be trusted.
>>
>> We want to clarify that although a separate assessment of ECM’s continued
>> inclusion in Mozilla’s Root Store was underway due to their acquisition by
>> AUSTRIA CARD, this decision to remove ECM is unrelated to that ownership
>> change and should not be considered a negative finding against AUSTRIA
>> CARD. Should AUSTRIA CARD or a related entity seek inclusion in Mozilla’s
>> Root Store in the future, that application will be considered on its
>> merits.
>>
>> Sincerely yours,
>>
>> Ben Wilson
>>
>> Mozilla Root Program Manager
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "[email protected]" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZMYjgxYAi72yPwcN3X_QJNqDUydpTyAuvmtBR9X80f1w%40mail.gmail.com
>> .
>>
>

--
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYuB2wQdYYY8mbFwqe9bbx0dJyZBfvZaMZwF-uK2NEaNg%40mail.gmail.com.
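The cross-check David asks about above (and that Ben says Mozilla is not yet doing), as an added example that is not Mozilla's code or anything posted in this thread: it parses the embedded SCT list from a certificate and compares the earliest log timestamp with notBefore against the June 30, 2024 cutoff. It assumes the cutoff is midnight UTC and tolerates a 24-hour skew (neither is stated in the thread); the log ID and SCTs are constructed, and SCT signatures are not verified.

```python
"""Flag "Distrust After" evasion by comparing notBefore with embedded CT timestamps.

Added example; not code from Mozilla or from this thread. Parses the raw
SignedCertificateTimestampList of RFC 6962 section 3.3 (the payload of the
embedded-SCT extension, OID 1.3.6.1.4.1.11129.2.4.2, with its OCTET STRING
wrapper removed). Assumed: cutoff at 00:00 UTC on June 30, 2024; SLACK skew.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
DISTRUST_AFTER = datetime(2024, 6, 30, tzinfo=UTC)  # assumption: midnight UTC
SLACK = timedelta(hours=24)                        # assumption: tolerated skew


@dataclass(frozen=True)
class SCT:
    log_id: bytes        # SHA-256 of the log's public key
    timestamp: datetime  # when the log accepted the precertificate
    signature: bytes     # not verified in this example


def parse_sct(body: bytes) -> SCT:
    """Parse one v1 SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    if len(body) < 47 or body[0] != 0:
        raise ValueError("not a v1 SCT")
    log_id = body[1:33]
    (ts_ms,) = struct.unpack_from(">Q", body, 33)
    (ext_len,) = struct.unpack_from(">H", body, 41)
    off = 43 + ext_len
    if off + 4 > len(body):
        raise ValueError("truncated SCT extensions")
    _hash_alg, _sig_alg, sig_len = struct.unpack_from(">BBH", body, off)
    if off + 4 + sig_len != len(body):
        raise ValueError("truncated or trailing bytes in SCT")
    return SCT(log_id, EPOCH + timedelta(milliseconds=ts_ms), body[off + 4:])


def parse_sct_list(data: bytes) -> list[SCT]:
    """Parse a SignedCertificateTimestampList: u16 total length, then u16-prefixed SCTs."""
    if len(data) < 2 or struct.unpack_from(">H", data, 0)[0] != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, off = [], 2
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("dangling byte in SCT list")
        (n,) = struct.unpack_from(">H", data, off)
        off += 2
        if off + n > len(data):
            raise ValueError("truncated SCT")
        scts.append(parse_sct(data[off:off + n]))
        off += n
    return scts


def assess(not_before: datetime, scts: list[SCT],
           cutoff: datetime = DISTRUST_AFTER, slack: timedelta = SLACK) -> str:
    # notBefore is whatever the CA chose to write. The earliest embedded SCT is
    # the latest moment the precertificate can have existed, and the CA obtains
    # it before signing the final certificate, so it is the better issuance clock.
    if not_before >= cutoff:
        return "distrusted"                 # post-cutoff by the CA's own account
    if not scts:
        return "trusted-by-notbefore-only"  # nothing to cross-check against
    earliest = min(s.timestamp for s in scts)
    if earliest >= cutoff:
        return "backdated"                  # logged after cutoff, claims earlier
    if earliest - not_before > slack:
        return "suspicious-gap"             # notBefore well ahead of logging
    if not_before - earliest > slack:
        return "implausible"                # logged well before claimed validity
    return "trusted"


def encode_sct(log_id: bytes, ts: datetime, signature: bytes = b"") -> bytes:
    """Build a v1 SCT (sha256/ecdsa algorithm bytes) for the constructed samples."""
    ts_ms = (ts - EPOCH) // timedelta(milliseconds=1)
    return (b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00"
            + b"\x04\x03" + struct.pack(">H", len(signature)) + signature)


def encode_sct_list(scts: list[bytes]) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


FAKE_LOG = bytes(range(32))  # constructed log ID, not a real CT log
HONEST = encode_sct_list([encode_sct(FAKE_LOG, datetime(2024, 6, 20, 9, 5, tzinfo=UTC))])
BACKDATED = encode_sct_list([encode_sct(FAKE_LOG, datetime(2024, 7, 10, 14, 0, tzinfo=UTC)),
                             encode_sct(FAKE_LOG, datetime(2024, 7, 11, 8, 0, tzinfo=UTC))])


def demo() -> dict[str, str]:
    """The cases a monitor has to tell apart, on constructed inputs."""
    nb = datetime(2024, 6, 20, 9, 0, tzinfo=UTC)
    return {
        "honest": assess(nb, parse_sct_list(HONEST)),
        "backdated": assess(nb, parse_sct_list(BACKDATED)),
        "after-cutoff": assess(datetime(2024, 7, 1, tzinfo=UTC), parse_sct_list(BACKDATED)),
        "stale-notbefore": assess(datetime(2024, 6, 1, tzinfo=UTC), parse_sct_list(HONEST)),
        "no-ct": assess(nb, []),
    }
```

In practice the list bytes come from the certificate's embedded-SCT extension, the TLS extension, or a stapled OCSP response (the three delivery paths in RFC 6962), and a real monitor would also verify each SCT signature against a known log key before trusting its timestamp. The verdicts are only as good as the logging: a certificate with no SCTs, or one the CA chose not to log after the cutoff, falls through to the notBefore-only case, which is the gap the question above is probing.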
