Probably should split this off to its own thread, but I'm also of the opinion that these various methods for submitting CPRs are also nearly impossible to audit. For example, Google Trust Services maintains a contact form at https://pki.goog/contact/. Even though this contact form is significantly better than uploading a PDF, I still think it removes a lot of auditability on the behalf of the sender, and transparency in process.
Beyond that, nearly all of these "form" based solutions also transparently force you to agree to "Privacy & Terms" for using that form. When I'm reporting a problem I don't want to be getting into a weird legal agreement with a CA. That's silly, and adds friction in my ability to report a problem. IMO CAs should be required to keep at least an email endpoint available for CPRs. I understand that spam can get through, but setup your email servers in such a way that it fails emails that don't pass SPF/DKIM checks - that should cut down on spam considerably. On Saturday, October 5, 2024 at 1:44:38 PM UTC-4 Mike Shaver wrote: > Yeah, this raises a point that I think should perhaps be explicit in the > BRs: how onerous is a CA allowed to make the CPR process, and do they have > a responsibility to respond to CPRs submitted in other “generally > acceptable” ways? If they become aware of an issue with certificates > through other means, should they treat it equally in terms of incident > response? For example, if a CA was validating CAA records in ways that > contradicted the language of their CPS, and was informed of this through > informal back-channels, should they still open an incident report for the > benefit of the community? > > Put another way: should the CPR process be optimized for the ease of the > CA, or the ease of the reporter (who acts IMO on behalf of relying parties)? > > My opinion on this is probably not hard to guess. > > Mike > > On Sat, Oct 5, 2024 at 1:32 PM 'George' via CCADB Public <pub...@ccadb.org> > wrote: > >> Hi Enrico, >> >> If someone reported a certificate problem to the relevant email address >> without also including the PDF form, would D-Trust still investigate the >> issue? >> >> I don't see how the PDF provides much more value than other CAs who >> simply provide an email address on its own. >> >> Thanks, George. >> >> >> >> On Sat, Oct 5, 2024 at 17:44, 'Entschew, Enrico' via CCADB Public < >> pub...@ccadb.org> wrote: >> >> Hi Amir, >> >> >> >> Leyla is on sick leave. Therefore I’ll take over for her. >> >> >> >> We understand that the current CPR process is not convenient but it >> fulfills all requirements and worked so far as needed. >> >> >> >> We are in the process of creating an improved version of the CPR process >> which will be introduced as a web form by the end of the year. >> >> >> >> Thanks, >> >> Enrico >> >> >> >> ------------------------------ >> *Von:* 'Amir Omidi' via CCADB Public <pub...@ccadb.org> >> *Gesendet:* Samstag, 5. Oktober 2024 01:27 >> *An:* Sahin, Leyla (D-Trust) <l.s...@d-trust.net> >> *Cc:* public <pub...@ccadb.org>; Ryan Dickson <ryand...@google.com> >> *Betreff:* Re: Public Discussion of D-Trust TLS CA Inclusion Request >> >> So, it’s been definitely more than a week. >> >> Not remembering your public commitments does not inspire confidence. I >> think if you’re having these types of mistakes this early on, root programs >> should not welcome you into their trust stores. >> >> On Fri, Sep 13, 2024 at 06:16 Sahin, Leyla < l.s...@d-trust.net> wrote: >> >> Dear Amir, >> >> >> >> Thank you for your comment. We will review this and come back to you by >> the end of next week. >> >> >> >> Greetings, >> >> Leyla >> >> >> >> *Von:* 'Amir Omidi' via CCADB Public <pub...@ccadb.org> >> *Gesendet:* Donnerstag, 12. September 2024 16:17 >> *An:* Ryan Dickson <ryand...@google.com> >> *Cc:* public <pub...@ccadb.org> >> *Betreff:* Re: Public Discussion of D-Trust TLS CA Inclusion Request >> >> >> >> The CPR process ( >> >> https://www.d-trust.net/en/support/reporting-certificate-problem) seems >> quite annoying. Downloading and editing a PDF just to send a CPR is a bit >> too much. >> >> >> >> On Thu, Sep 12, 2024 at 09:15 'Ryan Dickson' via CCADB Public < >> pub...@ccadb.org> wrote: >> >> All, >> >> >> >> This email commences a six-week public discussion of D-Trust’s request to >> include the following certificates as publicly trusted root certificates in >> one or more CCADB Root Store Member’s program. This discussion period is >> scheduled to close on October 24, 2024. >> >> >> >> The purpose of this public discussion process is to promote openness and >> transparency. However, each Root Store makes its inclusion decisions >> independently, on its own timelines, and based on its own inclusion >> criteria. Successful completion of this public discussion process does not >> guarantee any favorable action by any root store. >> >> >> >> Anyone with concerns or questions is urged to raise them on this CCADB >> Public list by replying directly in this discussion thread. Likewise, a >> representative of the applicant must promptly respond directly in the >> discussion thread to all questions that are posted. >> >> *CCADB Case Number: *00001362 >> <https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001362> >> >> and 00001363 >> <https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001363> >> >> *Organization Background Information (listed in the CCADB):* >> >> · *CA Owner Name:* D-Trust >> >> · *Website: *https://www.d-trust.net/en >> >> · *Address: *Kommandantenstr. 15, Berlin, 10969, Germany >> <https://www.google.com/maps/search/Kommandantenstr.+15,+Berlin,+10969,+Germany?entry=gmail&source=g> >> >> · *Problem Reporting Mechanisms: * >> https://www.d-trust.net/en/support/reporting-certificate-problem >> >> · *Organization Type: *Government Agency >> >> · *Repository URL: *https://www.bundesdruckerei.de/en/Repository >> >> *Certificates Requesting Inclusion:* >> >> >> >> *1. **D-TRUST EV Root CA 2 2023:* >> >> o *Certificate download links:* CA Repository >> <https://www.d-trust.net/cgi-bin/D-TRUST_EV_Root_CA_2_2023.crt> / crt.sh >> <https://crt.sh/?q=8E8221B2E7D4007836A1672F0DCC299C33BC07D316F132FA1A206D587150F1CE> >> >> o *Use cases served/EKUs:* >> >> § Server Authentication (TLS) 1.3.6.1.5.5.7.3.1 >> >> § Client Authentication 1.3.6.1.5.5.7.3.2 >> >> o *Test websites:* >> >> § Valid: https://certdemo-ev-valid-rsa.tls.d-trust.net/ >> >> § Revoked: https://certdemo-ev-revoked-rsa.tls.d-trust.net/ >> >> § Expired: https://certdemo-ev-expired-rsa.tls.d-trust.net/ >> >> o *Replacement notice:* D-Trust has communicated intent to use this >> applicant root to replace D-TRUST Root Class 3 CA 2 EV 2009 >> <https://crt.sh/?q=EEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881> >> >> in some root stores, with the replacement taking place approximately on >> September 1, 2026. >> >> >> >> *2. **D-TRUST BR Root CA 2 2023:* >> >> o *Certificate download links:* CA Repository >> <https://www.d-trust.net/cgi-bin/D-TRUST_BR_Root_CA_2_2023.crt> / crt.sh >> <https://crt.sh/?q=0552E6F83FDF65E8FA9670E666DF28A4E21340B510CBE52566F97C4FB94B2BD1> >> >> o *Use cases served/EKUs:* >> >> § Server Authentication (TLS) 1.3.6.1.5.5.7.3.1 >> >> § Client Authentication 1.3.6.1.5.5.7.3.2 >> >> o *Test websites:* >> >> § Valid: https://certdemo-dv-valid-rsa.tls.d-trust.net/ >> >> § Revoked: https://certdemo-dv-revoked-rsa.tls.d-trust.net/ >> >> § Expired: https://certdemo-dv-expired-rsa.tls.d-trust.net/ >> >> o *Replacement notice:* D-Trust has communicated intent to use this >> applicant root to replace D-TRUST Root Class 3 CA 2 2009 >> <https://crt.sh/?q=49e7a442acf0ea6287050054b52564b650e4f49e42e348d6aa38e039e957b1c1> >> >> in some root stores, with the replacement taking place approximately on >> September 1, 2026. >> >> >> >> *Existing Publicly Trusted Root CAs from D-Trust:* >> >> *1. **D-TRUST BR Root CA 1 2020:* >> >> o *Certificate download links:* (CA Repository >> <https://www.d-trust.net/cgi-bin/D-TRUST_BR_Root_CA_1_2020.crt> /crt.sh >> <https://crt.sh/?q=E59AAA816009C22BFF5B25BAD37DF306F049797C1F81D85AB089E657BD8F0044> >> ) >> >> o *Use cases served/EKUs:* >> >> § Server Authentication (TLS) 1.3.6.1.5.5.7.3.1 >> >> § Client Authentication 1.3.6.1.5.5.7.3.2 >> >> o *Certificate corpus:* here >> <https://search.censys.io/search?resource=certificates&q=E59AAA816009C22BFF5B25BAD37DF306F049797C1F81D85AB089E657BD8F0044%09+and+labels%3Dever-trusted> >> >> (Censys login required) >> >> o *Included in:* Google Chrome, Mozilla >> >> *2. **D-Trust SBR Root CA 1 2022:* >> >> o *Certificate download links:* (CA Repository >> <http://www.d-trust.net/cgi-bin/D-Trust_SBR_Root_CA_1_2022.crt> / crt.sh >> <https://crt.sh/?q=D92C171F5CF890BA428019292927FE22F3207FD2B54449CB6F675AF4922146E2> >> ) >> >> o *Use cases served/EKUs: * >> >> § Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; >> >> § Client Authentication 1.3.6.1.5.5.7.3.2; >> >> § Document Signing AATL 1.2.840.113583.1.1.5; >> >> § Document Signing MS 1.3.6.1.4.1.311.10.3.12 >> >> o *Certificate corpus:* N/A >> >> o *Included in:* Mozilla >> >> *3. **D-Trust SBR Root CA 2 2022:* >> >> o *Certificate download links:* (CA Repository >> <http://www.d-trust.net/cgi-bin/D-Trust_SBR_Root_CA_2_2022.crt> / crt.sh >> <https://crt.sh/?q=DBA84DD7EF622D485463A90137EA4D574DF8550928F6AFA03B4D8B1141E636CC> >> ) >> >> o *Use cases served/EKUs:* >> >> § Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; >> >> § Client Authentication 1.3.6.1.5.5.7.3.2; >> >> § Document Signing AATL 1.2.840.113583.1.1.5; >> >> § Document Signing MS 1.3.6.1.4.1.311.10.3.12 >> >> o *Certificate corpus:* N/A >> >> o *Included in: *Mozilla >> >> *4. **D-TRUST EV Root CA 1 2020:* >> >> o *Certificate download links:* (CA Repository >> <https://www.d-trust.net/cgi-bin/D-TRUST_EV_Root_CA_1_2020.crt> / crt.sh >> <https://crt.sh/?q=08170D1AA36453901A2F959245E347DB0C8D37ABAABC56B81AA100DC958970DB> >> ) >> >> o *Use cases served/EKUs: * >> >> § Server Authentication (TLS) 1.3.6.1.5.5.7.3.1 >> >> § Client Authentication 1.3.6.1.5.5.7.3.2 >> >> o *Certificate corpus:* here >> <https://search.censys.io/search?resource=certificates&q=08170D1AA36453901A2F959245E347DB0C8D37ABAABC56B81AA100DC958970DB+and+labels%3Dever-trusted> >> >> (Censys login required) >> >> o *Included in:* Google Chrome, Mozilla >> >> >> >> *5. **D-TRUST Root CA 3 2013:* >> >> o *Certificate download links:* (CA Repository >> <https://www.d-trust.net/cgi-bin/D-TRUST_Root_CA_3_2013.crt> / crt.sh >> <https://crt.sh/?q=A1A86D04121EB87F027C66F53303C28E5739F943FC84B38AD6AF009035DD9457> >> ) >> >> o *Use cases served/EKUs: * >> >> § Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; >> >> § Client Authentication 1.3.6.1.5.5.7.3.2; >> >> § Document Signing AATL 1.2.840.113583.1.1.5; >> >> § Document Signing MS 1.3.6.1.4.1.311.10.3.12 >> >> o *Certificate corpus:* N/A >> >> o *Included in: *Apple, Microsoft, Mozilla >> >> >> >> *6. **D-TRUST Root Class 3 CA 2 2009:* >> >> o *Certificate download links:* (CA Repository >> <https://www.d-trust.net/cgi-bin/D-TRUST_Root_Class_3_CA_2_2009.crt> / >> crt.sh >> <https://crt.sh/?q=49E7A442ACF0EA6287050054B52564B650E4F49E42E348D6AA38E039E957B1C1> >> ) >> >> o *Use cases served/EKUs: * >> >> § Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; >> >> § Client Authentication 1.3.6.1.5.5.7.3.2 >> >> o *Certificate corpus:* here >> <https://search.censys.io/search?resource=certificates&q=49E7A442ACF0EA6287050054B52564B650E4F49E42E348D6AA38E039E957B1C1+and+labels%3Dever-trusted> >> >> (Censys login required) >> >> o *Included in:* Apple, Google Chrome, Microsoft, Mozilla >> >> >> >> *7. **D-TRUST Root Class 3 CA 2 EV 2009:* >> >> o *Certificate download links:* (CA Repository >> <https://www.d-trust.net/cgi-bin/D-TRUST_Root_Class_3_CA_2_EV_2009.crt> >> / crt.sh >> <https://crt.sh/?q=EEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881> >> ) >> >> o *Use cases served/EKUs: * >> >> § Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; >> >> § Client Authentication 1.3.6.1.5.5.7.3.2 >> >> o *Certificate corpus:* here >> <https://search.censys.io/search?resource=certificates&q=EEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881+and+labels%3Dever-trusted> >> >> (Censys login required) >> >> o *Included in:* Apple, Google Chrome, Microsoft, Mozilla >> >> >> >> *Relevant Policy and Practices Documentation: * >> >> · *CP: *http://www.d-trust.net/internet/files/D-TRUST_CP.pdf >> >> · *CPS:* http://www.d-trust.net/internet/files/D-TRUST_CSM_PKI_CPS.pdf >> >> · *TSPS:* https://www.d-trust.net/internet/files/D-TRUST_TSPS.pdf >> >> *Most Recent Self-Assessment:* >> >> · https://bugzilla.mozilla.org/attachment.cgi?id=9361619 (completed >> 10/30/2023) >> >> *Audit Statements:* >> >> · *Auditor:* TÜViT - TÜV Informationstechnik GmbH >> >> · *Audit Criteria:* ETSI >> >> · >> >> -- You received this message because you are subscribed to the Google Groups "CCADB Public" group. To unsubscribe from this group and stop receiving emails from it, send an email to public+unsubscr...@ccadb.org. To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/29d310b6-175e-411a-8634-914a5fb8da90n%40ccadb.org.
