Hi Ben,

I strongly encourage Mozilla to not use a distrust after date with this CA and to distrust it outright, as was done with other untrustworthy CAs like Certinomis and Camerfirma. Since Firefox does not require CT, I would assume that any malicious backdated certificates will not be logged and therefore no one will detect them.
According to CT, ECM has only 43 unexpired TLS certificates in circulation, for a total of 84 distinct DNS names (see attached). (In contrast, Certinomis had 1,381 unexpired certificates at the time that they were removed - https://bugzilla.mozilla.org/show_bug.cgi?id=1552374) If we exclude ECM's own domains, this drops down to just 36 distinct DNS names. Therefore, the compatibility risk of distrusting ECM is practically nonexistent. If breaking these 36 sites is a concern, then I suggest name constraining the root to the 13 eTLD+1s which use ECM (also attached).

ECM's incidents should give us very little faith in the adequacy of their controls. Continuing to trust their certificates on the basis of the notBefore date will only prolong the time during which Firefox users are at risk of security incidents involving ECM.

Regards,
Andrew

On Tue, 11 Jun 2024 08:59:25 -0600 "'Ben Wilson' via [email protected]" <[email protected]> wrote:

> All,
>
> We appreciate the comments received from the community on m-d-s-p and in Bugzilla regarding several recent incidents involving e-commerce monitoring GmbH (ECM). A summary of the most recent Bugzilla incidents has been published on the Mozilla wiki, https://wiki.mozilla.org/CA/e-commerce-monitoring_Issues.
>
> Public discussion and our review have highlighted long-running and unresolved compliance issues with ECM, including but not limited to (1) a failure to recognize, understand, and adhere to the compliance obligations of a publicly trusted CA, (2) repeated failure to meet the requirements for timely updates in line with incident reporting requirements (i.e. https://www.ccadb.org/cas/incident-report#incident-reports and https://wiki.mozilla.org/CA/Responding_To_An_Incident#Keeping_Us_Informed), and (3) inadequate responses, root cause analyses, and mitigations.
>
> Problems with ECM's operations and compliance began surfacing in February 2023, with the mis-issuance of certificates reported in Bug 1815534 <https://bugzilla.mozilla.org/show_bug.cgi?id=1815534> and further detailed in Bug 1830536 <https://bugzilla.mozilla.org/show_bug.cgi?id=1830536>. This revealed a substantial misunderstanding of root program requirements around timely incident response and rectification, leading to a delayed revocation incident (Bug 1862004 <https://bugzilla.mozilla.org/show_bug.cgi?id=1862004>). The overall finalization of these incident reports took over a year, completing in February 2024, due to both failures to include necessary information and excessive delays in responses by ECM.
>
> These issues have intensified in recent months, with a mis-issuance reported in Bug 1883711 <https://bugzilla.mozilla.org/show_bug.cgi?id=1883711>, which was then revoked with the incorrect reason code. Numerous further issues emerged in the incident response, including excessive delays in responses, failure to disclose a similarly mis-issued certificate that was revoked but not mentioned in the subsequent incident report, failure to promptly self-report the initial incident when the CA became aware of it, and failure to identify suitable preventative steps to address the root cause. This incident remains unresolved as of this post, and it is unclear that sufficient preventative actions have been taken by ECM.
>
> In Bug 1888371 <https://bugzilla.mozilla.org/show_bug.cgi?id=1888371> reported on March 28, 2024, ECM was discovered to be serving incorrectly signed CRLs, violating the CA/Browser Forum's TLS Baseline Requirements. Although ECM attempted an initial fix which proved ineffective, ECM has now missed the target date they set for themselves for a solution (May 31, 2024), meaning that their revocation infrastructure for some of their certificates has been unavailable for over 70 days, and ECM has not given any update on their progress towards resolution for over 30 days.
>
> ECM's general failure to respond in line with incident reporting requirements in a timely fashion is discussed further in Bug 1893546 <https://bugzilla.mozilla.org/show_bug.cgi?id=1893546>.
>
> Mozilla's expectations for all CA operators participating in its root store are clear: they must provide timely updates and effective resolutions to incidents, they must ensure that root cause analyses are thorough and promptly updated based on community feedback, and they must maintain adequate staffing and resources.
>
> In light of ECM's persistent issues, we will be setting "Distrust After" dates for websites and email trust bits associated with ECM's GLOBALTRUST 2020 root CA, effective June 30, 2024. TLS server authentication and S/MIME certificates issued before June 30, 2024, will be unaffected by this change, but certificates issued after June 30, 2024, will not be trusted.
>
> We want to clarify that although a separate assessment of ECM's continued inclusion in Mozilla's Root Store was underway due to their acquisition by AUSTRIA CARD, this decision to remove ECM is unrelated to that ownership change and should not be considered a negative finding against AUSTRIA CARD. Should AUSTRIA CARD or a related entity seek inclusion in Mozilla's Root Store in the future, that application will be considered on its merits.
>
> Sincerely yours,
>
> Ben Wilson
>
> Mozilla Root Program Manager
>
> --
> You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZMYjgxYAi72yPwcN3X_QJNqDUydpTyAuvmtBR9X80f1w%40mail.gmail.com.
[Attachment 1: distinct DNS names]

lugas.tipwin.de
merkur-sports.de
lugassafe.merkur-sports.de
www.merkur-sports.de
bdenergy.dk
nominations.bdenergy.dk
nominations-test.bdenergy.dk
www.bdenergy.dk
ipsh.hys-enterprise.com
snapconsult.com
signature.snapconsult.com
mail.snapconsult.com
www.snapconsult.com
*.globaltrust.info
energylink.stadtbetriebe.at
e-monitoring.at
*.e-monitoring.at
testrevoked-2020-server-qualified-ev-1.e-monitoring.at
testok-2020-server-qualified-ev-1.e-monitoring.at
testrevoked-2006-server-ov-1.e-monitoring.at
testok-2006-server-ov-1.e-monitoring.at
testrevoked-2015-server-qualified-ev-2.e-monitoring.at
testok-2015-server-qualified-ev-2.e-monitoring.at
www.e-monitoring.at
e-rating.at
*.e-rating.at
mail.e-rating.at
www.e-rating.at
oberlaa-wien.at
*.oberlaa-wien.at
remote1.oberlaa-wien.at
www.oberlaa-wien.at
argedaten.at
www2.argedaten.at
secure.argedaten.at
seminar.argedaten.at
www.argedaten.at
dgr.at
*.dgr.at
mail.dgr.at
www.dgr.at
a-cert.at
*.a-cert.at
www.a-cert.at
o2c.post.at
*.globaltrust.at
zt-archiv.at
test.zt-archiv.at
www.zt-archiv.at
moabox.at
*.moabox.at
www.moabox.at
mail.37soft.net
www.37soft.net
globaltrust.eu
*.globaltrust.eu
ldap01.globaltrust.eu
t2g02.globaltrust.eu
ldap02.globaltrust.eu
soap02.globaltrust.eu
test02.globaltrust.eu
ldap03.globaltrust.eu
soap03.globaltrust.eu
test03.globaltrust.eu
ldap04.globaltrust.eu
ldapold.globaltrust.eu
rkscloud.globaltrust.eu
service.globaltrust.eu
secure.globaltrust.eu
t2g.globaltrust.eu
ldap.globaltrust.eu
soap.globaltrust.eu
timestamp.globaltrust.eu
ftp.globaltrust.eu
order.globaltrust.eu
fruit.globaltrust.eu
test.globaltrust.eu
t2gtest.globaltrust.eu
ldaptest.globaltrust.eu
soaptest.globaltrust.eu
ldapnew.globaltrust.eu
t2gentw.globaltrust.eu
www.globaltrust.eu
[Attachment 2: eTLD+1s]

tipwin.de
merkur-sports.de
bdenergy.dk
hys-enterprise.com
snapconsult.com
stadtbetriebe.at
oberlaa-wien.at
argedaten.at
dgr.at
o2c.post.at
zt-archiv.at
moabox.at
37soft.net
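The name-constraining proposal in the post can be checked mechanically: take the DNS names from the first attachment as the names a constrained root would have to keep validating, take the eTLD+1s from the second attachment as the permittedSubtrees, and apply the dNSName matching rule from RFC 5280 section 4.2.1.10 (a constraint of `example.com` permits `example.com` and any name formed by adding labels on the left). The script below is an added example written for this page, not code from the thread or from Mozilla; the two name lists are copied inline from the attachments above, and the set of suffixes treated as "ECM's own domains" is an assumption inferred from that list, since the post does not enumerate them. The `openssl_name_constraints` helper renders the same permittedSubtrees in OpenSSL's `x509v3_config` syntax purely as an illustration of what the constraint would look like; it does not claim to be how Mozilla's root store applies constraints.

```python
# Added example (not from the m-d-s-p thread): check what a name-constrained
# GLOBALTRUST 2020 root would do with the DNS names attached to the post.
# Matching follows RFC 5280 4.2.1.10 for dNSName permittedSubtrees.

# Sample input: the DNS names from the post's first attachment, copied inline.
ATTACHED_DNS_NAMES = """
lugas.tipwin.de merkur-sports.de lugassafe.merkur-sports.de www.merkur-sports.de
bdenergy.dk nominations.bdenergy.dk nominations-test.bdenergy.dk www.bdenergy.dk
ipsh.hys-enterprise.com snapconsult.com signature.snapconsult.com
mail.snapconsult.com www.snapconsult.com *.globaltrust.info
energylink.stadtbetriebe.at e-monitoring.at *.e-monitoring.at
testrevoked-2020-server-qualified-ev-1.e-monitoring.at
testok-2020-server-qualified-ev-1.e-monitoring.at
testrevoked-2006-server-ov-1.e-monitoring.at testok-2006-server-ov-1.e-monitoring.at
testrevoked-2015-server-qualified-ev-2.e-monitoring.at
testok-2015-server-qualified-ev-2.e-monitoring.at www.e-monitoring.at
e-rating.at *.e-rating.at mail.e-rating.at www.e-rating.at
oberlaa-wien.at *.oberlaa-wien.at remote1.oberlaa-wien.at www.oberlaa-wien.at
argedaten.at www2.argedaten.at secure.argedaten.at seminar.argedaten.at
www.argedaten.at dgr.at *.dgr.at mail.dgr.at www.dgr.at
a-cert.at *.a-cert.at www.a-cert.at o2c.post.at *.globaltrust.at
zt-archiv.at test.zt-archiv.at www.zt-archiv.at moabox.at *.moabox.at
www.moabox.at mail.37soft.net www.37soft.net globaltrust.eu *.globaltrust.eu
ldap01.globaltrust.eu t2g02.globaltrust.eu ldap02.globaltrust.eu
soap02.globaltrust.eu test02.globaltrust.eu ldap03.globaltrust.eu
soap03.globaltrust.eu test03.globaltrust.eu ldap04.globaltrust.eu
ldapold.globaltrust.eu rkscloud.globaltrust.eu service.globaltrust.eu
secure.globaltrust.eu t2g.globaltrust.eu ldap.globaltrust.eu soap.globaltrust.eu
timestamp.globaltrust.eu ftp.globaltrust.eu order.globaltrust.eu
fruit.globaltrust.eu test.globaltrust.eu t2gtest.globaltrust.eu
ldaptest.globaltrust.eu soaptest.globaltrust.eu ldapnew.globaltrust.eu
t2gentw.globaltrust.eu www.globaltrust.eu
""".split()

# The 13 eTLD+1s from the post's second attachment, used as permittedSubtrees.
PROPOSED_PERMITTED_SUBTREES = """
tipwin.de merkur-sports.de bdenergy.dk hys-enterprise.com snapconsult.com
stadtbetriebe.at oberlaa-wien.at argedaten.at dgr.at o2c.post.at zt-archiv.at
moabox.at 37soft.net
""".split()

# Assumption: suffixes treated as ECM's own domains, inferred from the attachment.
ECM_OWN_SUFFIXES = ("globaltrust.info", "globaltrust.at", "globaltrust.eu",
                    "e-monitoring.at", "e-rating.at", "a-cert.at")


def dns_name_in_subtree(name: str, base: str) -> bool:
    """RFC 5280 dNSName constraint: name equals base or ends with '.' + base.
    A wildcard label ('*') is just another left-hand label, so '*.dgr.at' is
    inside 'dgr.at'; 'notdgr.at' is not, because the match is label-aligned."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)


def is_permitted(name: str, permitted) -> bool:
    """A name validates if it falls inside at least one permitted subtree."""
    return any(dns_name_in_subtree(name, base) for base in permitted)


def partition_names(names, permitted):
    """Split names into those a constrained root still covers and those it rejects."""
    covered = [n for n in names if is_permitted(n, permitted)]
    rejected = [n for n in names if not is_permitted(n, permitted)]
    return covered, rejected


def is_ecm_own(name: str) -> bool:
    return any(dns_name_in_subtree(name, s) for s in ECM_OWN_SUFFIXES)


def openssl_name_constraints(permitted) -> str:
    """Render the permittedSubtrees in OpenSSL x509v3_config syntax (illustration only)."""
    return "nameConstraints = " + ", ".join(f"permitted;DNS:{b}" for b in permitted)


if __name__ == "__main__":
    covered, rejected = partition_names(ATTACHED_DNS_NAMES, PROPOSED_PERMITTED_SUBTREES)
    print(f"{len(ATTACHED_DNS_NAMES)} names in the attachment")
    print(f"{len(covered)} would still validate under the constrained root")
    print(f"{len(rejected)} would be rejected; all ECM-owned: {all(map(is_ecm_own, rejected))}")
    print(openssl_name_constraints(PROPOSED_PERMITTED_SUBTREES))
```

Running it confirms the post's 36-name figure: exactly the non-ECM names survive the constraint, and every rejected name sits under one of ECM's own suffixes. The `notdgr.at` case in the docstring is the reason the match is anchored on a dot rather than a plain suffix check; a naive `endswith` would let an unrelated registrable domain through the constraint.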
