CCADB policies are not the sole reference to how Mozilla acts or what conclusions we should draw as participants about the merits or demerits of inclusion.
I think it's very relevant and positive if a CA says "yes we like automation for shorter lines and have put forward ballots to improve this or that aspect" or "no we have some customers with very legacy technology but have done X,Y,Z to improve it". If I may be so bold the thrust of the questions was towards something like Entrust situations where a CA refused to revoke claiming one major browser was ok with it while Mozilla was not. Needless to say this is not an attitude calculated to endear a CA towards Mozilla.

On Sun, Oct 20, 2024, 11:17 AM Rufus Buschart <ru...@buschart.de> wrote:

> Hello Mike,
>
> I find this discussion very interesting, and your questions are quite thought-provoking. Could you help me understand where in the CCADB policies it is stated that a hypothetical vote by a CA on a potential upcoming ballot has any relevance to a Root Store inclusion request? Additionally, do you have any evidence suggesting that D-Trust would not comply with such a ballot if it were to pass, even if it voted against it?
>
> With best regards and written with my purely personal hat on
>
> Rufus
>
> What we do in life, echoes in eternity.
> ===========================================
> Rufus J.W. Buschart
> Anna-Pirson-Weg 1c
> 91052 Erlangen
> Phone: +49 (0)9131 - 530 15 85
> Mobile: +49 (0)152 - 228 94 134
> Web: http://www.buschart.de
>
>
> On Sat, 19 Oct 2024 at 15:31, Mike Shaver <mike.sha...@gmail.com> wrote:
>
>> As promised, here are my outstanding unanswered questions about D-Trust’s position on PKI-related matters:
>>
>> - does D-Trust hold the position that reduction of certificate duration by a root program is anti-competitive?
>>
>> - does D-Trust hold the position that reduction of certificate validity has negative impact on the security of the web PKI?
>>
>> - does D-Trust hold the position that browser market share is relevant to determining the validity or importance of root program positions on matters of web PKI policy?
>>
>> - does D-Trust hold the position that “roll-over” requests are or should be subject to less scrutiny than those of initial inclusion?
>>
>> I would appreciate D-Trust’s responsive replies to these questions, in the absence of cogent explanation for why these questions are not suitable as part of discussion of a root’s application for (continued) inclusion. I would also appreciate the perspective of other members of this community on the relevance of the questions, as I hold the position that they will be relevant to future inclusion discussions as well.
>>
>> Mike
>>
>> On Thu, Sep 12, 2024 at 9:15 AM 'Ryan Dickson' via CCADB Public <public@ccadb.org> wrote:
>>
>>> All,
>>>
>>> This email commences a six-week public discussion of D-Trust’s request to include the following certificates as publicly trusted root certificates in one or more CCADB Root Store Member’s program. This discussion period is scheduled to close on October 24, 2024.
>>>
>>> The purpose of this public discussion process is to promote openness and transparency. However, each Root Store makes its inclusion decisions independently, on its own timelines, and based on its own inclusion criteria. Successful completion of this public discussion process does not guarantee any favorable action by any root store.
>>>
>>> Anyone with concerns or questions is urged to raise them on this CCADB Public list by replying directly in this discussion thread. Likewise, a representative of the applicant must promptly respond directly in the discussion thread to all questions that are posted.
>>>
>>> CCADB Case Number: 00001362 <https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001362> and 00001363 <https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001363>
>>>
>>> Organization Background Information (listed in the CCADB):
>>>
>>> - CA Owner Name: D-Trust
>>> - Website: https://www.d-trust.net/en
>>> - Address: Kommandantenstr. 15, Berlin, 10969, Germany
>>> - Problem Reporting Mechanisms: https://www.d-trust.net/en/support/reporting-certificate-problem
>>> - Organization Type: Government Agency
>>> - Repository URL: https://www.bundesdruckerei.de/en/Repository
>>>
>>> Certificates Requesting Inclusion:
>>>
>>> 1. D-TRUST EV Root CA 2 2023:
>>>    - Certificate download links: CA Repository <https://www.d-trust.net/cgi-bin/D-TRUST_EV_Root_CA_2_2023.crt> / crt.sh <https://crt.sh/?q=8E8221B2E7D4007836A1672F0DCC299C33BC07D316F132FA1A206D587150F1CE>
>>>    - Use cases served/EKUs:
>>>      - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
>>>      - Client Authentication 1.3.6.1.5.5.7.3.2
>>>    - Test websites:
>>>      - Valid: https://certdemo-ev-valid-rsa.tls.d-trust.net/
>>>      - Revoked: https://certdemo-ev-revoked-rsa.tls.d-trust.net/
>>>      - Expired: https://certdemo-ev-expired-rsa.tls.d-trust.net/
>>>    - Replacement notice: D-Trust has communicated intent to use this applicant root to replace D-TRUST Root Class 3 CA 2 EV 2009 <https://crt.sh/?q=EEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881> in some root stores, with the replacement taking place approximately on September 1, 2026.
>>>
>>> 2. D-TRUST BR Root CA 2 2023:
>>>    - Certificate download links: CA Repository <https://www.d-trust.net/cgi-bin/D-TRUST_BR_Root_CA_2_2023.crt> / crt.sh <https://crt.sh/?q=0552E6F83FDF65E8FA9670E666DF28A4E21340B510CBE52566F97C4FB94B2BD1>
>>>    - Use cases served/EKUs:
>>>      - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
>>>      - Client Authentication 1.3.6.1.5.5.7.3.2
>>>    - Test websites:
>>>      - Valid: https://certdemo-dv-valid-rsa.tls.d-trust.net/
>>>      - Revoked: https://certdemo-dv-revoked-rsa.tls.d-trust.net/
>>>      - Expired: https://certdemo-dv-expired-rsa.tls.d-trust.net/
>>>    - Replacement notice: D-Trust has communicated intent to use this applicant root to replace D-TRUST Root Class 3 CA 2 2009 <https://crt.sh/?q=49e7a442acf0ea6287050054b52564b650e4f49e42e348d6aa38e039e957b1c1> in some root stores, with the replacement taking place approximately on September 1, 2026.
>>>
>>> Existing Publicly Trusted Root CAs from D-Trust:
>>>
>>> 1. D-TRUST BR Root CA 1 2020:
>>>    - Certificate download links: CA Repository <https://www.d-trust.net/cgi-bin/D-TRUST_BR_Root_CA_1_2020.crt> / crt.sh <https://crt.sh/?q=E59AAA816009C22BFF5B25BAD37DF306F049797C1F81D85AB089E657BD8F0044>
>>>    - Use cases served/EKUs:
>>>      - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
>>>      - Client Authentication 1.3.6.1.5.5.7.3.2
>>>    - Certificate corpus: here <https://search.censys.io/search?resource=certificates&q=E59AAA816009C22BFF5B25BAD37DF306F049797C1F81D85AB089E657BD8F0044%09+and+labels%3Dever-trusted> (Censys login required)
>>>    - Included in: Google Chrome, Mozilla
>>>
>>> 2. D-Trust SBR Root CA 1 2022:
>>>    - Certificate download links: CA Repository <http://www.d-trust.net/cgi-bin/D-Trust_SBR_Root_CA_1_2022.crt> / crt.sh <https://crt.sh/?q=D92C171F5CF890BA428019292927FE22F3207FD2B54449CB6F675AF4922146E2>
>>>    - Use cases served/EKUs:
>>>      - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
>>>      - Client Authentication 1.3.6.1.5.5.7.3.2
>>>      - Document Signing AATL 1.2.840.113583.1.1.5
>>>      - Document Signing MS 1.3.6.1.4.1.311.10.3.12
>>>    - Certificate corpus: N/A
>>>    - Included in: Mozilla
>>>
>>> 3. D-Trust SBR Root CA 2 2022:
>>>    - Certificate download links: CA Repository <http://www.d-trust.net/cgi-bin/D-Trust_SBR_Root_CA_2_2022.crt> / crt.sh <https://crt.sh/?q=DBA84DD7EF622D485463A90137EA4D574DF8550928F6AFA03B4D8B1141E636CC>
>>>    - Use cases served/EKUs:
>>>      - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
>>>      - Client Authentication 1.3.6.1.5.5.7.3.2
>>>      - Document Signing AATL 1.2.840.113583.1.1.5
>>>      - Document Signing MS 1.3.6.1.4.1.311.10.3.12
>>>    - Certificate corpus: N/A
>>>    - Included in: Mozilla
>>>
>>> 4. D-TRUST EV Root CA 1 2020:
>>>    - Certificate download links: CA Repository <https://www.d-trust.net/cgi-bin/D-TRUST_EV_Root_CA_1_2020.crt> / crt.sh <https://crt.sh/?q=08170D1AA36453901A2F959245E347DB0C8D37ABAABC56B81AA100DC958970DB>
>>>    - Use cases served/EKUs:
>>>      - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
>>>      - Client Authentication 1.3.6.1.5.5.7.3.2
>>>    - Certificate corpus: here <https://search.censys.io/search?resource=certificates&q=08170D1AA36453901A2F959245E347DB0C8D37ABAABC56B81AA100DC958970DB+and+labels%3Dever-trusted> (Censys login required)
>>>    - Included in: Google Chrome, Mozilla
>>>
>>> 5. D-TRUST Root CA 3 2013:
>>>    - Certificate download links: CA Repository <https://www.d-trust.net/cgi-bin/D-TRUST_Root_CA_3_2013.crt> / crt.sh <https://crt.sh/?q=A1A86D04121EB87F027C66F53303C28E5739F943FC84B38AD6AF009035DD9457>
>>>    - Use cases served/EKUs:
>>>      - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
>>>      - Client Authentication 1.3.6.1.5.5.7.3.2
>>>      - Document Signing AATL 1.2.840.113583.1.1.5
>>>      - Document Signing MS 1.3.6.1.4.1.311.10.3.12
>>>    - Certificate corpus: N/A
>>>    - Included in: Apple, Microsoft, Mozilla
>>>
>>> 6. D-TRUST Root Class 3 CA 2 2009:
>>>    - Certificate download links: CA Repository <https://www.d-trust.net/cgi-bin/D-TRUST_Root_Class_3_CA_2_2009.crt> / crt.sh <https://crt.sh/?q=49E7A442ACF0EA6287050054B52564B650E4F49E42E348D6AA38E039E957B1C1>
>>>    - Use cases served/EKUs:
>>>      - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
>>>      - Client Authentication 1.3.6.1.5.5.7.3.2
>>>    - Certificate corpus: here <https://search.censys.io/search?resource=certificates&q=49E7A442ACF0EA6287050054B52564B650E4F49E42E348D6AA38E039E957B1C1+and+labels%3Dever-trusted> (Censys login required)
>>>    - Included in: Apple, Google Chrome, Microsoft, Mozilla
>>>
>>> 7. D-TRUST Root Class 3 CA 2 EV 2009:
>>>    - Certificate download links: CA Repository <https://www.d-trust.net/cgi-bin/D-TRUST_Root_Class_3_CA_2_EV_2009.crt> / crt.sh <https://crt.sh/?q=EEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881>
>>>    - Use cases served/EKUs:
>>>      - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
>>>      - Client Authentication 1.3.6.1.5.5.7.3.2
>>>    - Certificate corpus: here <https://search.censys.io/search?resource=certificates&q=EEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881+and+labels%3Dever-trusted> (Censys login required)
>>>    - Included in: Apple, Google Chrome, Microsoft, Mozilla
>>>
>>> Relevant Policy and Practices Documentation:
>>>
>>> - CP: http://www.d-trust.net/internet/files/D-TRUST_CP.pdf
>>> - CPS: http://www.d-trust.net/internet/files/D-TRUST_CSM_PKI_CPS.pdf
>>> - TSPS: https://www.d-trust.net/internet/files/D-TRUST_TSPS.pdf
>>>
>>> Most Recent Self-Assessment:
>>>
>>> - https://bugzilla.mozilla.org/attachment.cgi?id=9361619 (completed 10/30/2023)
>>>
>>> Audit Statements:
>>>
>>> - Auditor: TÜViT - TÜV Informationstechnik GmbH
>>> - Audit Criteria: ETSI
>>> - Recent Audit Statement(s):
>>>   - Key Generation <https://www.tuev-nord.de/fileadmin/Content/TUEV_NORD_DE/zertifizierung/Zertifikate/en/AA2023062801_D-Trust_Root_Ceremony_2023-05_PIT_V2.0.pdf> (May 9, 2023)
>>>   - Standard Audit <https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2023121501_D-Trust-CAs_Standard_Audit_V1.0.pdf> (Period: October 8, 2022 to October 7, 2023)
>>>   - TLS BR Audit <https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2023121501_D-Trust-CAs_TLS-BR_Audit_V1.0.pdf> (Period: October 8, 2022 to October 7, 2023)
>>>   - TLS EVG Audit <https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2023121501_D-Trust-CAs_TLS-EV_Audit_V1.0.pdf> (Period: October 8, 2022 to October 7, 2023)
>>>
>>> Incident Summary (Bugzilla incidents from previous 24 months):
>>>
>>> - 1682270 <https://bugzilla.mozilla.org/show_bug.cgi?id=1682270>: D-TRUST: Private Key Disclosed by Customer as Part of CSR
>>> - 1691117 <https://bugzilla.mozilla.org/show_bug.cgi?id=1691117>: D-TRUST: Certificate with RSA key where modulus is not divisible by 8
>>> - 1756122 <https://bugzilla.mozilla.org/show_bug.cgi?id=1756122>: D-TRUST: Wrong key usage (Key Agreement)
>>> - 1793440 <https://bugzilla.mozilla.org/show_bug.cgi?id=1793440>: D-TRUST: CRL not DER-encoded
>>> - 1861069 <https://bugzilla.mozilla.org/show_bug.cgi?id=1861069>: D-Trust: Issuance of 15 DV certificates containing ‘serialNumber’ field within subject
>>> - 1862082 <https://bugzilla.mozilla.org/show_bug.cgi?id=1862082>: D-Trust: Delay beyond 5 days in revoking misissued certificate
>>> - 1879529 <https://bugzilla.mozilla.org/show_bug.cgi?id=1879529>: D-Trust: "unknown" OCSP response for issued certificates
>>> - 1884714 <https://bugzilla.mozilla.org/show_bug.cgi?id=1884714>: D-Trust: LDAP-URL in Subscriber Certificate Authority Information Access field
>>> - 1891225 <https://bugzilla.mozilla.org/show_bug.cgi?id=1891225>: D-Trust: Issuance of 15 certificates with incorrect subject attribute order
>>> - 1893610 <https://bugzilla.mozilla.org/show_bug.cgi?id=1893610>: D-Trust: Notice to affected Subscriber and person filing CPR not sent within 24 hours
>>> - 1896190 <https://bugzilla.mozilla.org/show_bug.cgi?id=1896190>: D-Trust: Issuance of an EV certificate containing a mixup of the Subject's postalCode and localityName
>>> - 1913310 <https://bugzilla.mozilla.org/show_bug.cgi?id=1913310>: D-Trust: CRL-Entries without required CRL Reason Code
>>>
>>> Thank you,
>>>
>>> Ryan, on behalf of the CCADB Steering Committee
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "CCADB Public" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to public+unsubscr...@ccadb.org.
>>> To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CADEW5O-BWJreka1U2n5Xk20aEcYK8cp8-yp1jTFOfTT-ef9L1g%40mail.gmail.com.