Public Discussion of Atos CA Inclusion Request


Chris Clements
Feb 6, 2023, 9:16:02 AM
to public

All,


This email commences a six-week public discussion of Atos Trustcenter’s request to include the following certificates as publicly trusted root certificates in one or more CCADB Root Store Member’s program. This discussion period is scheduled to close on March 20, 2023.


The purpose of this public discussion process is to promote openness and transparency. However, each Root Store makes its inclusion decisions independently, on its own timelines, and based on its own inclusion criteria. Successful completion of this public discussion process does not guarantee any favorable action by any root store.  


Anyone with concerns or questions is urged to raise them on this CCADB Public list by replying directly in this discussion thread. Likewise, a representative of the applicant must promptly respond directly in the discussion thread to all questions that are posted.

CCADB Case Number: 00000999 

Organization Background Information:

Certificates Requesting Inclusion:

  1. Atos TrustedRoot Root CA RSA G2 2020:

  • Certificate download links (CA Repository, crt.sh)

  • Use cases served/EKUs:

    • Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; and

    • Client Authentication 1.3.6.1.5.5.7.3.2

  • Test websites: N/A

  2. Atos TrustedRoot Root CA RSA TLS 2021:

  • Certificate download links (CA Repository, crt.sh)

  • Use cases served/EKUs:

    • Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; and

    • Client Authentication 1.3.6.1.5.5.7.3.2

  • Test websites:

    • Valid: https://tls-rsa-root-2021-pki-valid.atos.net

    • Revoked: https://tls-rsa-root-2021-pki-revoked.atos.net

    • Expired: https://tls-rsa-root-2021-pki-expired.atos.net

  3. Atos TrustedRoot Root CA ECC G2 2020:

  • Certificate download links (CA Repository, crt.sh)

  • Use cases served/EKUs:

    • Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; and

    • Client Authentication 1.3.6.1.5.5.7.3.2

  • Test websites: N/A

  4. Atos TrustedRoot Root CA ECC TLS 2021:

  • Certificate download links (CA Repository, crt.sh)

  • Use cases served/EKUs:

    • Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; and

    • Client Authentication 1.3.6.1.5.5.7.3.2

  • Test websites:

    • Valid: https://tls-ecc-root-2021-pki-valid.atos.net

    • Revoked: https://tls-ecc-root-2021-pki-revoked.atos.net

    • Expired: https://tls-ecc-root-2021-pki-expired.atos.net

Existing Publicly Trusted Root CAs from Atos Trustcenter:

  1. Atos TrustedRoot 2011 

  • Certificate download links (CA Repository, crt.sh)

  • Use cases served/EKUs: not defined

  • Certificate corpus: here (login required)

  • Included in: Apple; Google Chrome; Microsoft; Mozilla 

Relevant Policy and Practices Documentation: 

The following apply to all four (4) applicant root CAs:


Most Recent Self-Assessment:

 

Audit Statements:

  • Auditor: datenschutz cert GmbH

  • Audit Criteria: ETSI EN 319 411-1

  • Date of Audit Issuance: June 15, 2022

  • For Period Ending: April 27, 2022

  • Audit Statement(s): here 


Incident Summary (Bugzilla incidents from previous 24 months):

  • None in the previous 24 months.


Quantifying Value: 

  • Not applicable.


Thank you,
Chris, on behalf of the CCADB Steering Committee
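The request above scopes each applicant root to particular extended key usages, identified by OID. Anyone reviewing certificates issued under such a root ends up decoding the ExtKeyUsage extension and comparing it with the EKUs the root was requested for. The following is an added example, not code from the original thread and not Atos tooling: a pure-standard-library Python decoder for the DER-encoded ExtKeyUsage value (a SEQUENCE OF OBJECT IDENTIFIER), plus a check that a leaf's EKUs stay inside the set listed for a given root in this message. The DER byte strings are constructed by hand for the example; they are not taken from any real Atos certificate.

```python
"""Decode a DER ExtKeyUsage value and check it against a root's requested EKUs.

Added example for the inclusion request above. The sample DER bytes below are
constructed for illustration, not extracted from any real Atos certificate.
"""

# EKU OIDs named in the inclusion request (RFC 5280 id-kp arcs).
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
}

# Use cases each applicant root is requested for, as listed in the message.
ROOT_EKUS = {
    "Atos TrustedRoot Root CA RSA G2 2020": {"1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.2"},
    "Atos TrustedRoot Root CA RSA TLS 2021": {"1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"},
    "Atos TrustedRoot Root CA ECC G2 2020": {"1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.2"},
    "Atos TrustedRoot Root CA ECC TLS 2021": {"1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"},
}


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV starting at pos; return (tag, content, next_pos).

    Handles short-form lengths and long-form lengths of up to four octets
    and refuses anything that runs past the end of the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:end], end


def decode_oid(content: bytes) -> str:
    """Turn OBJECT IDENTIFIER content octets into dotted-decimal form.

    The first subidentifier packs the first two arcs as 40*a + b; every
    subidentifier is base-128 with the high bit as a continuation flag."""
    if not content:
        raise ValueError("empty OID")
    subids, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    if value:
        raise ValueError("OID ends in the middle of a subidentifier")
    first = subids[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + subids[1:])


def decode_eku(der: bytes) -> list:
    """Decode an ExtKeyUsage extnValue: SEQUENCE OF OBJECT IDENTIFIER."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("ExtKeyUsage must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside ExtKeyUsage")
        oids.append(decode_oid(content))
    return oids


def check_leaf_eku(root_name: str, leaf_eku_der: bytes) -> list:
    """Return the leaf's EKU OIDs that fall outside what root_name was
    requested for; an empty list means the leaf is within the root's scope."""
    allowed = ROOT_EKUS[root_name]
    return [oid for oid in decode_eku(leaf_eku_der) if oid not in allowed]


# Constructed sample: SEQUENCE { serverAuth, clientAuth }, as a TLS leaf carries.
TLS_LEAF_EKU = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
# Constructed sample: the same plus emailProtection, which is outside the
# scope requested for the two TLS roots.
MIXED_LEAF_EKU = bytes.fromhex(
    "301e" "06082b06010505070301" "06082b06010505070302" "06082b06010505070304"
)

if __name__ == "__main__":
    for label, der in (("tls leaf", TLS_LEAF_EKU), ("mixed leaf", MIXED_LEAF_EKU)):
        names = [EKU_NAMES.get(o, o) for o in decode_eku(der)]
        print(label, names, "out of scope for RSA TLS 2021:",
              check_leaf_eku("Atos TrustedRoot Root CA RSA TLS 2021", der))
```

The scope check is deliberately strict: it reports any EKU the root was not requested for, which is the question a root program's EKU-constrained trust raises, rather than deciding whether a particular client would still accept the leaf for one of its other purposes.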

Aaron Gable
Feb 6, 2023, 1:30:01 PM
to Chris Clements, public
It appears that the link listed for Website (https://pki.atos.net/TrustedRoot) returns a 404. Is that link supposed to be https://pki.atos.net/trustcenter/en/pki-services/ssl-certificates instead?

Aaron


Michael Risthaus
Feb 7, 2023, 4:51:58 AM
to Aaron Gable, Chris Clements, public, Matthias Wessels, Michael Mauß

Hi Aaron,

Thanks for the hint!

Instead of a 404 we are now sending a 301 redirect to the correct landing page. Additionally, we will correct the “Company Website” entry in the CCADB as soon as possible.

Kind regards,

Michael Risthaus

Kurt Seifried
Feb 7, 2023, 2:17:59 PM
to Michael Risthaus, Aaron Gable, Chris Clements, public, Matthias Wessels, Michael Mauß
In line with the recently announced:


There is reasonable suspicion that the CA is closely tied, through ownership or operation, to a company engaged in any of the following:
the distribution of malware or spyware;
network surveillance; or
cyber espionage.

ATOS appears to be involved in "network surveillance; or cyber espionage." as per:


Which explicitly mentions:

"Global threat intelligence services to monitor and pre-empt threats across the internet and dark web"

So I guess this will need to be explained/an exception granted, or?





--
Kurt Seifried (He/Him)
ku...@seifried.org

Rufus Buschart
Feb 7, 2023, 4:26:58 PM
to Kurt Seifried, Michael Risthaus, Aaron Gable, Chris Clements, public, Matthias Wessels, Michael Mauß
Hi Kurt!

Could you please be a bit more specific, when you make such accusations? At least I'm able to find the problematic services under the link you posted.

Best regards

Rufus

Rufus Buschart
Feb 7, 2023, 4:27:50 PM
to Kurt Seifried, Michael Risthaus, Aaron Gable, Chris Clements, public, Matthias Wessels, Michael Mauß
This should obviously say "I am not able to"

/Rufus

Kurt Seifried
Feb 7, 2023, 8:49:21 PM
to Rufus Buschart, Michael Risthaus, Aaron Gable, Chris Clements, public, Matthias Wessels, Michael Mauß
In line with:


I have incorporated your feedback as follows.

- Changed network surveillance bullet point to:
network surveillance that collects information about a person or organization and sends it to another entity in a way that endangers the privacy or device security of the person or organization

- Changed the cyber espionage bullet point to:
cyber espionage that aims to obtain information from a person or organization without the knowledge or permission of the person or organization for personal, economic, political or military advantage.

Atos states clearly they are monitoring the dark web, do you think they are logging into those sites as "ATOS_darkweb_monitoring_user"? 

I would note that the Mozilla Root_Inclusion_Considerations uses terms like "privacy" which covers people you like, and people you don't like.

Seo Suchan
Feb 7, 2023, 10:04:34 PM
to pub...@ccadb.org

I think 'monitor' in that statement actually means 'We run a web crawler on some forums/markets on TOR and see what exploits they post/sell'. I see no reason why they would care about any specific person on there.


Matthias Wessels
Feb 8, 2023, 4:47:40 AM
to CCADB Public, tjt...@gmail.com
Dear All,

Many thanks for your comments. We are happy to provide some explanations for the discussion.

- The Atos Offering is about threat detection and defence.

- All activities are carried out passively and on behalf of the customer and its own infrastructure.

- On the website mentioned above (https://atos.net/en/solutions/cyber-security/managed-security-services), the offering is presented on the basis of the customer IOC.

- In addition, it also serves to protect the Atos infrastructure (including the PKI services).

It is therefore not network surveillance or cyber espionage.


Hope this will help to clear up this discussion point.

Best regards

Matthias

Rufus Buschart
Feb 8, 2023, 4:50:27 AM
to Kurt Seifried, Michael Risthaus, Aaron Gable, Chris Clements, public, Matthias Wessels, Michael Mauß
Thank you for clarifying. I think it is important to point out that such a service is acceptable if there is "permission" from the person that is monitored. A problem might be that, in the practical life of a company, not every employee will be asked for permission; but, based on the legal framework under which the company operates, it might be sufficient to negotiate "permission" with the local workers council, or it is not required at all.

/Rufus



What we do in life, echoes in eternity.
===========================================
Rufus J.W. Buschart
Anna-Pirson-Weg 1c
91052 Erlangen
Phone: +49 (0)9131 - 530 15 85
Mobile: +49 (0)152 - 228 94 134


Jeffrey Walton
Feb 9, 2023, 5:07:57 PM
to Matthias Wessels, CCADB Public
Hi Matthias/Everyone,

I'm a bit suspicious of these two statements:

- The Atos Offering is about threat detection and defence.
- All activities are carried out passively and on behalf of the customer
  and its own infrastructure.

The CPSes don't discuss the use of the certificates for threat detection or defense.[1,2] However, ATOS offers Data Loss Prevention (DLP) services.[3] A.k.a., Interception Proxy.

So I am clear, the Roots and Subordinates WILL NOT be used for DLP purposes, even if the use is intended for or limited to customer on-prem. If a customer wants a DLP program run by ATOS, then the customer will use its internal PKI or its own Roots and Subordinates.

Is that correct?

Jeff

Michael Risthaus
Feb 10, 2023, 5:46:05 AM
to nolo...@gmail.com, Matthias Wessels, CCADB Public

Hi Jeffrey,

Since Matthias is now on vacation, I’ll answer your question on his behalf.

You are correct, Atos Roots and Subordinates are NOT used for DLP purposes.


Kurt Seifried
Feb 10, 2023, 12:03:03 PM
to Michael Risthaus, nolo...@gmail.com, Matthias Wessels, CCADB Public
Just a general note: I assume you're using DLP (Data Loss Prevention) in the same way the previous email used it, but can we PLEASE spell out acronyms the first time we use them in an email (even a reply) to ensure we're all on the same page (e.g. Data Leak Prevention, https://www.acronymfinder.com/DLP.html)?

Chris Clements
Mar 13, 2023, 10:37:49 AM
to CCADB Public, Michael Risthaus, nolo...@gmail.com, Matthias Wessels, Kurt Seifried

All,


This is a reminder that the public discussion period on the inclusion application of Atos Trustcenter will close next Monday, on March 20, 2023.


Thank you,

Chris, on behalf of the CCADB Steering Committee

Chris Clements
Mar 23, 2023, 8:38:02 AM
to CCADB Public

All,

On February 6, 2023, we began a six-week, public discussion[1] on the request from Atos Trustcenter for inclusion of its root certificate(s):

The public discussion period ended on March 20, 2023.

Summary of Discussion

Discussion Item #1: The statement “Global threat intelligence services to monitor and pre-empt threats across the internet and dark web”[2] was questioned in relation to the (at the time) draft[3] Mozilla root inclusion considerations, specifically the correlation with the "network surveillance; or cyber espionage" language in the inclusion considerations.

Atos Response to Discussion Item #1: The Atos Offering is about threat detection and defence. All activities are carried out passively and on behalf of the customer and its own infrastructure. On the website mentioned above, the offering is presented on the basis of the customer IOC. In addition, it also serves to protect the Atos infrastructure (including the PKI services). It is therefore not network surveillance or cyber espionage.

==========================

Discussion Item #2: The CPSes do not discuss the use of the certificates for threat detection or defense.[4,5] However, Atos offers Data Loss Prevention (DLP) services.[6] A.k.a., Interception Proxy. Confirmation was requested that the Roots and Subordinates are not used for DLP purposes, even if the use is intended for or limited to customer on-prem.

Atos Response to Discussion Item #2: Atos Roots and Subordinates are NOT used for DLP purposes.

==========================

We thank community members for their review and consideration during this period. Root Store Programs will make final inclusion decisions independently, on their own timelines, and based on each Root Store Member’s inclusion criteria. Further discussion may take place in the independently managed Root Store community forums (i.e., MDSP).

[1] https://groups.google.com/a/ccadb.org/g/public/c/v5yFBHjuBRo/m/YT_SjO2_BQAJ
[2] https://atos.net/en/solutions/cyber-security/managed-security-services
[3] https://wiki.mozilla.org/CA/Root_Inclusion_Considerations
[4] https://pki.atos.net/Download/Atos_TrustedRoot_CPS_RootCA_v2.7.2.pdf
[5] https://pki.atos.net/Download/Atos_TrustedRoot_CPS_IssuingCAs_v2.7.2.pdf
[6] https://atos.net/en/2016/press-release/general-press-releases_2016_06_03/pr-2016_06_03_01

Thank you,
Chris, on behalf of the CCADB Steering Committee
