All,
This email commences a six-week public discussion of D-Trust’s request to include the following certificates as publicly trusted root certificates in one or more CCADB Root Store Member’s program. This discussion period is scheduled to close on October 24, 2024.
The purpose of this public discussion process is to promote openness and transparency. However, each Root Store makes its inclusion decisions independently, on its own timelines, and based on its own inclusion criteria. Successful completion of this public discussion process does not guarantee any favorable action by any root store.
Anyone with concerns or questions is urged to raise them on this CCADB Public list by replying directly in this discussion thread. Likewise, a representative of the applicant must promptly respond directly in the discussion thread to all questions that are posted.
CCADB Case Number: 00001362 and 00001363
Organization Background Information (listed in the CCADB):
- CA Owner Name: D-Trust
- Website: https://www.d-trust.net/en
- Address: Kommandantenstr. 15, Berlin, 10969, Germany
- Problem Reporting Mechanisms: https://www.d-trust.net/en/support/reporting-certificate-problem
- Organization Type: Government Agency
- Repository URL: https://www.bundesdruckerei.de/en/Repository
Certificates Requesting Inclusion:
1. D-TRUST EV Root CA 2 2023:
   - Certificate download links: CA Repository / crt.sh
   - Use cases served/EKUs:
     - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
     - Client Authentication 1.3.6.1.5.5.7.3.2
   - Test websites:
   - Replacement notice: D-Trust has communicated intent to use this applicant root to replace D-TRUST Root Class 3 CA 2 EV 2009 in some root stores, with the replacement taking place approximately on September 1, 2026.
2. D-TRUST BR Root CA 2 2023:
   - Certificate download links: CA Repository / crt.sh
   - Use cases served/EKUs:
     - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
     - Client Authentication 1.3.6.1.5.5.7.3.2
   - Test websites:
   - Replacement notice: D-Trust has communicated intent to use this applicant root to replace D-TRUST Root Class 3 CA 2 2009 in some root stores, with the replacement taking place approximately on September 1, 2026.
Existing Publicly Trusted Root CAs from D-Trust:
1. D-TRUST BR Root CA 1 2020:
   - Certificate download links: (CA Repository / crt.sh)
   - Use cases served/EKUs:
     - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
     - Client Authentication 1.3.6.1.5.5.7.3.2
   - Certificate corpus: here (Censys login required)
   - Included in: Google Chrome, Mozilla
2. D-Trust SBR Root CA 1 2022:
   - Certificate download links: (CA Repository / crt.sh)
   - Use cases served/EKUs:
     - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4;
     - Client Authentication 1.3.6.1.5.5.7.3.2;
     - Document Signing AATL 1.2.840.113583.1.1.5;
     - Document Signing MS 1.3.6.1.4.1.311.10.3.12
   - Certificate corpus: N/A
   - Included in: Mozilla
3. D-Trust SBR Root CA 2 2022:
   - Certificate download links: (CA Repository / crt.sh)
   - Use cases served/EKUs:
     - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4;
     - Client Authentication 1.3.6.1.5.5.7.3.2;
     - Document Signing AATL 1.2.840.113583.1.1.5;
     - Document Signing MS 1.3.6.1.4.1.311.10.3.12
   - Certificate corpus: N/A
   - Included in: Mozilla
4. D-TRUST EV Root CA 1 2020:
   - Certificate download links: (CA Repository / crt.sh)
   - Use cases served/EKUs:
     - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
     - Client Authentication 1.3.6.1.5.5.7.3.2
   - Certificate corpus: here (Censys login required)
   - Included in: Google Chrome, Mozilla
5. D-TRUST Root CA 3 2013:
   - Certificate download links: (CA Repository / crt.sh)
   - Use cases served/EKUs:
     - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4;
     - Client Authentication 1.3.6.1.5.5.7.3.2;
     - Document Signing AATL 1.2.840.113583.1.1.5;
     - Document Signing MS 1.3.6.1.4.1.311.10.3.12
   - Certificate corpus: N/A
   - Included in: Apple, Microsoft, Mozilla
6. D-TRUST Root Class 3 CA 2 2009:
   - Certificate download links: (CA Repository / crt.sh)
   - Use cases served/EKUs:
     - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1;
     - Client Authentication 1.3.6.1.5.5.7.3.2
   - Certificate corpus: here (Censys login required)
   - Included in: Apple, Google Chrome, Microsoft, Mozilla
7. D-TRUST Root Class 3 CA 2 EV 2009:
   - Certificate download links: (CA Repository / crt.sh)
   - Use cases served/EKUs:
     - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1;
     - Client Authentication 1.3.6.1.5.5.7.3.2
   - Certificate corpus: here (Censys login required)
   - Included in: Apple, Google Chrome, Microsoft, Mozilla
Relevant Policy and Practices Documentation:
- CP: http://www.d-trust.net/internet/files/D-TRUST_CP.pdf
- CPS: http://www.d-trust.net/internet/files/D-TRUST_CSM_PKI_CPS.pdf
- TSPS: https://www.d-trust.net/internet/files/D-TRUST_TSPS.pdf
Most Recent Self-Assessment:
- https://bugzilla.mozilla.org/attachment.cgi?id=9361619 (completed 10/30/2023)
Audit Statements:
- Auditor: TÜViT - TÜV Informationstechnik GmbH
- Audit Criteria: ETSI
- Recent Audit Statement(s):
  - Key Generation (May 9, 2023)
  - Standard Audit (Period: October 8, 2022 to October 7, 2023)
  - TLS BR Audit (Period: October 8, 2022 to October 7, 2023)
  - TLS EVG Audit (Period: October 8, 2022 to October 7, 2023)
Incident Summary (Bugzilla incidents from previous 24 months):
- 1682270: D-TRUST: Private Key Disclosed by Customer as Part of CSR
- 1691117: D-TRUST: Certificate with RSA key where modulus is not divisible by 8
- 1756122: D-TRUST: Wrong key usage (Key Agreement)
- 1793440: D-TRUST: CRL not DER-encoded
- 1861069: D-Trust: Issuance of 15 DV certificates containing ‘serialNumber’ field within subject
- 1862082: D-Trust: Delay beyond 5 days in revoking misissued certificate
- 1879529: D-Trust: "unknown" OCSP response for issued certificates
- 1884714: D-Trust: LDAP-URL in Subscriber Certificate Authority Information Access field
- 1891225: D-Trust: Issuance of 15 certificates with incorrect subject attribute order
- 1893610: D-Trust: Notice to affected Subscriber and person filing CPR not sent within 24 hours
- 1896190: D-Trust: Issuance of an EV certificate containing a mixup of the Subject's postalCode and localityName
- 1913310: D-Trust: CRL-Entries without required CRL Reason Code
Thank you,
Ryan, on behalf of the CCADB Steering Committee
--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CADEW5O-BWJreka1U2n5Xk20aEcYK8cp8-yp1jTFOfTT-ef9L1g%40mail.gmail.com.
Dear Amir,
Thank you for your comment. We will review this and come back to you by the end of next week.
Greetings,
Leyla
From: 'Amir Omidi' via CCADB Public <pub...@ccadb.org>
Sent: Thursday, September 12, 2024 16:17
To: Ryan Dickson <ryand...@google.com>
Cc: public <pub...@ccadb.org>
Subject: Re: Public Discussion of D-Trust TLS CA Inclusion Request
The CPR process (https://www.d-trust.net/en/support/reporting-certificate-problem) seems quite annoying. Downloading and editing a PDF just to send a CPR is a bit too much.
Hi Amir,
Leyla is on sick leave. Therefore I’ll take over for her.
We understand that the current CPR process is not convenient but it fulfills all requirements and worked so far as needed.
We are in the process of creating an improved version of the CPR process which will be introduced as a web form by the end of the year.
Thanks,
Enrico
Hi Amir,
Thanks for the wishes. I will let her know.
How do you measure that it worked so far as needed? I guess if the goal is to discourage people from reporting issues, it does a great job with that.
The process worked because we have been receiving CPRs from different parties. The goal is to avoid as much spam or misdirected support cases as possible. The PDF ensures that the user is guided to send us all relevant information.
Thanks,
Enrico
Hi George,
Of course we will in any case investigate the issue. But as I wrote to Amir it is more helpful to get structured and complete information from the sender of the CPR.
Thanks,
Enrico
From: 'George' via CCADB Public <pub...@ccadb.org>
Sent: Saturday, October 5, 2024 19:32
To: Entschew, Enrico <Enrico....@BDR.de>
Hi Mike,
Thanks for your statement.
Thanks,
Enrico
Hi Amir,
Thank you for your statement. I agree with you that this topic should be split off to its own thread.
Thanks,
Enrico
Overall the security level of the certification process was increased, from which the internet users and ultimately also the website operators benefited, as long as the reduction of the validity periods did not generally affect the purchase of certificates with a higher level of authentication [ed: OV/EV certificates], for which there is however no indication.
(Note: Mozilla is the only browser who has signed this “industry statement” – none of the other browsers are included. According to statcounter.com, Mozilla Firefox has only a 3.0% world market share, down from 30% in prior years.)
Hi Mike,
Thanks again for your comments.
First of all, I would like to briefly inform you that Dr Kim Nguyen is no longer Managing Director of D-Trust as of the beginning of this year. He is currently Senior Vice President Innovations at Bundesdruckerei.
D-Trust is a committed, loyal and active member of the web PKI community. We follow the discussions on mdsp, github (CA/B-F specific), CCADB list, Bugzilla etc. We attend the F2F CA/B Forum and WG meetings regularly. Twice D-Trust hosted a F2F CA/B Forum meeting in Berlin. We comply with the requirements of the CA/Browser Forum and the root store policies of the browsers, which is checked annually by an independent Conformity Assessment Body in a multi-day audit.
If we make mistakes, we openly communicate them via the Bugzilla platform of Mozilla. We analyze the errors, publish the root cause of the error, propose measures to prevent future errors and implement the measures as quickly as possible. If possible, we contribute changes to the tools that the community uses, e.g. open source linter ZLint, to help prevent other CAs from making the same mistakes as us. D-Trust has always strived to react openly and transparently to incidents, as the Web PKI community has expected us to.
If you have questions about these topics I’m happy to answer them here.
Thanks,
Enrico
From: pub...@ccadb.org <pub...@ccadb.org> On Behalf Of Mike Shaver
Sent: Tuesday, October 15, 2024 03:38
To: Entschew, Enrico <Enrico....@BDR.de>
Given Dimitris' reply I can only presume there has been some misinterpretation on Amir's latest reply here. The question posed was: Given this advocacy of the director in the past, would D-Trust willingly accept to issue maximum 90 day certificates?
I interpret this as whether D-Trust, in the future, would be open to lifetime reduction certificates. Presumably from Dimitris' response he believes it is some imposed condition for root inclusion at all? It would be prudent to understand what brought this interpretation that blackmail was occurring, as bringing up such a topic is not going to improve discussion in the slightest and is in itself against the CoC. It is unbecoming to put forward these opinions even in a personal capacity.
As I understand it, this discussion centers around an individual who was a prominent stakeholder in D-Trust's decision making at the time. I don't see where the issue is in finding out if D-Trust's stance going forward aligns with these public statements as they may reflect internal attitudes at the CA at the time. It should be noted that D-Trust have not raised concerns, and seem to be willing to answer questions posed but have yet to do so. I would appreciate some clarity on questions answered so far.
I look forward to any answers that D-Trust can provide on whether they, at this moment in time, perceive any changes to certificate lifespan as anti-competitive in nature. This would reflect the CA's attitude in wilful compliance with any future work done by any root program, which I'm sure would make sense to anyone involved here? Such attitudes make sense to check for root inclusion over timespans where such changes are expected.
I'm sure we can all have a civil discussion on this going forward.
Wayne covered what I was going to say. I would also add that using the word blackmail in this context would also probably be seen as a code of conduct violation.
I do hope we can call out lines of questioning in the future without resorting to such language.
It’s not every day that I’m accused of blackmail on a public, industry list, I have to say.
I am not in any position to blackmail anyone, as I do not represent any voting or policy-making participant in the CCADB organization, but I don’t believe that I have given any indication that I would behave unethically in pursuit of my private aims to protect and strengthen the web PKI.
In addition to that, I believe that you are grossly mischaracterizing my position, Dimitris.
First, I am not asking for any commitment to 90 day certificates, or any other certificate duration limit, or anything at all. I am very specifically and explicitly asking if it is (still?) D-Trust’s *current position* that reduction in certificate duration is an anti-trust concern, or represents a degradation in security. I’m asking about those specific, limited things because they were included in the German anti-trust agency’s findings, which were themselves referenced by an *industry association* with which D-Trust is or was recently affiliated. I am not asking about any other possible reasons for objections to reduced validity, and I am not asking for a commitment to support anything in the future. I was very specific about the questions I was asking, but I am always open to feedback on how I can improve the clarity of my wording.
Second, I am asking for what I thought would be a really simple yes/no, about whether D-Trust considers browser market share to be relevant in terms of the importance or validity of positions on web PKI matters. This issue has been recently relevant in how other CAs have differentially responded to concerns, and the root community’s apparent consensus that such differential treatment was inappropriate.
Third, I asked whether “roll-over” comment periods should be subject to less scrutiny than initial inclusion requests, as was strongly implied by D-Trust’s initial response to my questions.
I do not consider positions on matters of certificate or incident response policy, or CCADB scrutiny, to be out-of-bounds political topics (all matters of governance and policy of human institutions are political, obviously), and I do not see how my messages have contravened the linked code of conduct, but I also welcome clarification from the CCADB leadership on the matter. Also, organizations don’t have political beliefs, humans do. I’m asking about corporate position on web PKI matters, not anyone’s individual political or otherwise private belief.
If there are violations of the CoC here, I think that they are the offensive accusation of blackmail,
Hi all,
This is a reminder that the public discussion period on the inclusion application of D-Trust will close on October 24, 2024 (initially communicated on September 12, 2024).
As always, the CCADB Steering Committee will provide a summary of the discussion a few days after its closure.
Thanks,
Ryan, on behalf of the CCADB Steering Committee
On September 12, 2024, we began a six-week, public discussion on the request from D-Trust for inclusion of its root certificates:
- D-TRUST EV Root CA 2 2023
- D-TRUST BR Root CA 2 2023
The public discussion period ended on October 24, 2024.
==========================
Summary of Discussion
Discussion item #1: Several observations related to D-Trust’s Certificate Problem Report (CPR) process were presented:
- The CPR process, which involves downloading and editing a PDF, was described as inconvenient.
- It was not clear how D-Trust measures the effectiveness of its CPR process and whether the process discouraged reporting.
- It was not clear if D-Trust investigates CPRs submitted without the PDF form.
D-Trust Response to Discussion item #1: D-Trust acknowledged the inconvenience and committed to introducing an improved web form by the end of the year. D-Trust believes the process works because they receive CPRs from various parties. They explained that the PDF form helps ensure users provide all relevant information and minimizes spam. D-Trust confirmed they would investigate regardless of the reporting format, but emphasized that the PDF form helps ensure they receive structured and complete information.
Discussion item #2: The public raised concerns about D-Trust's potential alignment with the European Signature Dialog's (ESD) positions on certificate validity and browser market share, given the ESD's history of stances perceived as detrimental to the Web PKI ecosystem. Clarification was sought for:
- D-Trust's stance on reducing certificate validity periods, asking if they viewed such reductions as anti-competitive or detrimental to security, and
- whether D-Trust considers browser market share when evaluating the validity of concerns raised by different browsers.
D-Trust Response to Discussion item #2: D-Trust clarified that the former director associated with the ESD was no longer with D-Trust. D-Trust stated that reducing certificate duration is not inherently anti-competitive and that the impact on security depends on the specific circumstances of implementation. D-Trust affirmed that they consider all relevant root program policies equally important.
==========================
We thank community members for their review and consideration during this period. Root Store Programs will make final inclusion decisions independently, on their own timelines, and based on each Root Store Member’s own inclusion criteria. Further discussion may take place in the independently managed Root Store community forums (i.e., MDSP).
Thank you
-Chris, on behalf of the CCADB Steering Committee