On Tue, Apr 1, 2025 at 11:03 AM 'Ben Wilson' via
dev-security-policy@mozilla.org <dev-security-policy@mozilla.org>
wrote:
>
> Per - https://bugzilla.mozilla.org/show_bug.cgi?id=1891438#c15:
>
> "In the interest of transparency, Mozilla received a formal request from 
> Taiwan’s Ministry of Digital Affairs (MODA), dated March 15, 2025, requesting 
> that we delay the removal of the “websites” trust bit for Chunghwa Telecom’s 
> ePKI Root CA, which is currently scheduled to occur on or about April 15, 
> 2025, in accordance with Mozilla’s Root CA Lifecycles Transition Schedule.
>
> MODA explained that the requested delay is intended to support the ongoing 
> transition of government websites away from certificates issued by CHT’s 
> GTLSCA-G1 subordinate CA. As we understand it, MODA is already implementing a 
> short-term migration plan involving the dual issuance of approximately 12,000 
> new certificates for government websites—one from Chunghwa Telecom and one 
> from Taiwan CA (TWCA)—to ensure continued availability of government services 
> and minimize user disruption.
>
> While we have not yet finalized a decision, we are currently contemplating:
>
> Postponing the removal of the “websites” trust bit;
> Implementing a distrust-after date; or
> Taking other actions consistent with Mozilla Root Store Policy and ecosystem 
> risk management.
>
> We note that:
>
> The ePKI Root CA uses a 4096-bit RSA key, which provides stronger security 
> than other similarly aged root certificates.
> Any extension under consideration would be strictly time-bounded (e.g., not 
> to exceed August 1, 2025), reflecting a short-term accommodation, not a 
> change in long-term policy direction.
> Mozilla would retain the right to remove or revoke trust at any time, based 
> on new information or evolving risk factors.
>
> We welcome feedback on any of these approaches."

Please consider avoiding the DistrustAfter strategy. It causes
problems for tools which use Google, Mozilla (and friends) curated
lists of trusted CAs. The tools include utilities like cURL and Wget.
See, for example, <https://github.com/curl/curl/issues/15547>.

Jeff
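An added illustration (not part of the thread, and not curl's or Mozilla's code) of the mismatch Jeff's reply points at: a store-aware client can apply a per-root distrust-after date at chain validation time, while a flat PEM bundle exported for tools like cURL and Wget has no field for that date and must either keep the root or drop it. The TrustAnchor and LeafCert types, the sample root and the use of the August 1, 2025 date as a cutoff are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed model of a curated root-store record. NSS's certdata.txt can attach
# a "distrust after" timestamp to a root next to its trust bits; a flat PEM bundle,
# which is what curl and wget consume, can only list a root or omit it.
@dataclass(frozen=True)
class TrustAnchor:
    name: str
    websites_trust: bool                # the "websites" trust bit
    distrust_after: Optional[datetime]  # None means no issuance cutoff

@dataclass(frozen=True)
class LeafCert:
    label: str
    issuer_root: str                    # root anchoring the leaf's chain
    not_before: datetime                # issuance time checked against the cutoff

def store_aware_trusted(leaf: LeafCert, anchors: Dict[str, TrustAnchor]) -> bool:
    """NSS-style client: honours both the trust bit and the distrust-after date."""
    anchor = anchors.get(leaf.issuer_root)
    if anchor is None or not anchor.websites_trust:
        return False
    if anchor.distrust_after is not None and leaf.not_before >= anchor.distrust_after:
        return False  # issued on or after the cutoff: chain is rejected
    return True

def export_flat_bundle(anchors: Dict[str, TrustAnchor], drop_cutoff_roots: bool) -> Set[str]:
    """Export to a plain bundle: the cutoff has nowhere to go, so the exporter
    must either keep the root (over-trust) or drop it (over-distrust)."""
    return {n for n, a in anchors.items()
            if a.websites_trust and not (drop_cutoff_roots and a.distrust_after)}

def compare_consumers(anchors: Dict[str, TrustAnchor], leaves: List[LeafCert]) -> Dict[str, List[str]]:
    """Which constructed leaves each kind of consumer accepts."""
    keep = export_flat_bundle(anchors, drop_cutoff_roots=False)
    drop = export_flat_bundle(anchors, drop_cutoff_roots=True)
    return {
        "store_aware": sorted(l.label for l in leaves if store_aware_trusted(l, anchors)),
        "flat_keep_root": sorted(l.label for l in leaves if l.issuer_root in keep),
        "flat_drop_root": sorted(l.label for l in leaves if l.issuer_root in drop),
    }

# Constructed sample: one root with the August 1, 2025 date from the thread used
# as an illustrative cutoff, and two leaves issued on either side of it.
CUTOFF = datetime(2025, 8, 1, tzinfo=timezone.utc)
ANCHORS = {"Example Root": TrustAnchor("Example Root", True, CUTOFF)}
LEAVES = [LeafCert("issued-2025-07", "Example Root", datetime(2025, 7, 1, tzinfo=timezone.utc)),
          LeafCert("issued-2025-09", "Example Root", datetime(2025, 9, 1, tzinfo=timezone.utc))]
```

Running `compare_consumers(ANCHORS, LEAVES)` shows the store-aware client accepting only the earlier leaf, while the flat bundle either accepts both or neither.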
