All,
This email commences a six-week public discussion of Atos Trustcenter’s request to include the following certificates as publicly trusted root certificates in one or more CCADB Root Store Member’s program. This discussion period is scheduled to close on March 20, 2023.
The purpose of this public discussion process is to promote openness and transparency. However, each Root Store makes its inclusion decisions independently, on its own timelines, and based on its own inclusion criteria. Successful completion of this public discussion process does not guarantee any favorable action by any root store.
Anyone with concerns or questions is urged to raise them on this CCADB Public list by replying directly in this discussion thread. Likewise, a representative of the applicant must promptly respond directly in the discussion thread to all questions that are posted.
CCADB Case Number: 00000999
Organization Background Information:
CA Owner Name: Atos Trustcenter
Website: https://pki.atos.net/TrustedRoot/
Address: Lohberg 10 Meppen, 49716 Germany
Problem Reporting Mechanisms: gmde-tru...@atos.net, https://pki.atos.net
Organization Type: Private Corporation
Repository URL: https://pki.atos.net/trustcenter/en/download/trusted-root-ca
Certificates Requesting Inclusion:
Atos TrustedRoot Root CA RSA G2 2020:
Certificate download links (CA Repository, crt.sh)
Use cases served/EKUs:
Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; and
Client Authentication 1.3.6.1.5.5.7.3.2
Test websites: N/A
Atos TrustedRoot Root CA RSA TLS 2021:
Certificate download links (CA Repository, crt.sh)
Use cases served/EKUs:
Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; and
Client Authentication 1.3.6.1.5.5.7.3.2
Test websites:
Atos TrustedRoot Root CA ECC G2 2020:
Certificate download links (CA Repository, crt.sh)
Use cases served/EKUs:
Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; and
Client Authentication 1.3.6.1.5.5.7.3.2
Test websites: N/A
Atos TrustedRoot Root CA ECC TLS 2021:
Certificate download links (CA Repository, crt.sh)
Use cases served/EKUs:
Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; and
Client Authentication 1.3.6.1.5.5.7.3.2
Test websites:
Existing Publicly Trusted Root CAs from Atos Trustcenter:
Atos TrustedRoot 2011
Certificate download links (CA Repository, crt.sh)
Use cases served/EKUs: not defined
Certificate corpus: here (login required)
Included in: Apple; Google Chrome; Microsoft; Mozilla
Relevant Policy and Practices Documentation:
The following apply to all four (4) applicant root CAs:
https://pki.atos.net/Download/Atos_TrustedRoot_CPS_RootCA_v2.7.2.pdf
https://pki.atos.net/Download/Atos_TrustedRoot_CPS_IssuingCAs_v2.7.2.pdf
Most Recent Self-Assessment:
https://bugzilla.mozilla.org/attachment.cgi?id=9293279 (completed 9/6/2022)
Audit Statements:
Auditor: datenschutz cert GmbH
Audit Criteria: ETSI EN 319 411-1
Date of Audit Issuance: June 15, 2022
For Period Ending: April 27, 2022
Audit Statement(s): here
Incident Summary (Bugzilla incidents from previous 24 months):
None in the previous 24 months.
Quantifying Value:
Not applicable.
--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CAAbw9mB0Zn4wwWX5sPsE2mQPooiAgFyHrfe3zE_Hbu_nCofEmA%40mail.gmail.com.
Hi Aaron,
thanks for the hint!
Instead of a 404 we are now sending a 301 redirect to the correct landing page. Additionally we will correct the “Company Website” entry in the CCADB as soon as possible.
Kind regards,
Michael Risthaus
From: 'Aaron Gable' via CCADB Public <pub...@ccadb.org>
Sent: Monday, February 6, 2023 19:30
To: Chris Clements <ccle...@google.com>
Cc: public <pub...@ccadb.org>
Subject: Re: Public Discussion of Atos CA Inclusion Request
It appears that the link listed for Website (https://pki.atos.net/TrustedRoot) returns a 404. Is that link supposed to be https://pki.atos.net/trustcenter/en/pki-services/ssl-certificates instead?
Aaron
On Mon, Feb 6, 2023 at 6:16 AM 'Chris Clements' via CCADB Public <pub...@ccadb.org> wrote:
All,
This email commences a six-week public discussion of Atos Trustcenter’s request to include the following certificates as publicly trusted root certificates in one or more CCADB Root Store Member’s program. This discussion period is scheduled to close on March 20, 2023.
The purpose of this public discussion process is to promote openness and transparency. However, each Root Store makes its inclusion decisions independently, on its own timelines, and based on its own inclusion criteria. Successful completion of this public discussion process does not guarantee any favorable action by any root store.
Anyone with concerns or questions is urged to raise them on this CCADB Public list by replying directly in this discussion thread. Likewise, a representative of the applicant must promptly respond directly in the discussion thread to all questions that are posted.
CCADB Case Number: 00000999
Organization Background Information:
- CA Owner Name: Atos Trustcenter
- Website: https://pki.atos.net/TrustedRoot/
- Address: Lohberg 10 Meppen, 49716 Germany
- Problem Reporting Mechanisms: gmde-tru...@atos.net, https://pki.atos.net
- Organization Type: Private Corporation
- Repository URL: https://pki.atos.net/trustcenter/en/download/trusted-root-ca
Certificates Requesting Inclusion:
1. Atos TrustedRoot Root CA RSA G2 2020:
· Certificate download links (CA Repository, crt.sh)
· Use cases served/EKUs:
o Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; and
o Client Authentication 1.3.6.1.5.5.7.3.2
· Test websites: N/A
2. Atos TrustedRoot Root CA RSA TLS 2021:
· Certificate download links (CA Repository, crt.sh)
· Use cases served/EKUs:
o Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; and
o Client Authentication 1.3.6.1.5.5.7.3.2
· Test websites:
o Valid: https://tls-rsa-root-2021-pki-valid.atos.net
o Revoked: https://tls-rsa-root-2021-pki-revoked.atos.net
o Expired: https://tls-rsa-root-2021-pki-expired.atos.net
3. Atos TrustedRoot Root CA ECC G2 2020:
· Certificate download links (CA Repository, crt.sh)
· Use cases served/EKUs:
o Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; and
o Client Authentication 1.3.6.1.5.5.7.3.2
· Test websites: N/A
4. Atos TrustedRoot Root CA ECC TLS 2021:
· Certificate download links (CA Repository, crt.sh)
· Use cases served/EKUs:
o Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; and
o Client Authentication 1.3.6.1.5.5.7.3.2
· Test websites:
o Valid: https://tls-ecc-root-2021-pki-valid.atos.net
I think 'monitor' in that statement actually means 'We run a web
crawler on some forums/markets on TOR and see what exploits they
post/sell'. I see no reason why they would care about any specific
person on there.
- The Atos Offering is about threat detection and defence.
- All activities are carried out passively and on behalf of the customer and its own infrastructure.
- On the website mentioned above (https://atos.net/en/solutions/cyber-security/managed-security-services), the offering is presented on the basis of the customer IOC.
- In addition, it also serves to protect the Atos infrastructure (including the PKI services).
It is therefore not network surveillance or cyber espionage.
Hope this will help to clear this discussion point.
Best regards
Matthias
Hi Jeffrey,
since Matthias is now on vacation, I’ll answer your question on his behalf.
You are correct, Atos Roots and Subordinates are NOT used for DLP purposes.
All,
This is a reminder that the public discussion period on the inclusion application of Atos Trustcenter will close next Monday, on March 20, 2023.
Thank you,
Chris, on behalf of the CCADB Steering Committee
All,
On February 6, 2023, we began a six-week, public discussion[1] on the request from Atos Trustcenter for inclusion of its root certificate(s):
The public discussion period ended on March 20, 2023.
Summary of Discussion
Discussion Item #1: The statement “Global threat intelligence services to monitor and pre-empt threats across the internet and dark web”[2] was questioned in relation to the (at the time) draft[3] Mozilla root inclusion considerations. Specifically, the correlation with the "network surveillance; or cyber espionage" language in the inclusion considerations.
Atos Response to Discussion Item #1: The Atos Offering is about threat detection and defence. All activities are carried out passively and on behalf of the customer and its own infrastructure. On the website mentioned above, the offering is presented on the basis of the customer IOC. In addition, it also serves to protect the Atos infrastructure (including the PKI services). It is therefore not network surveillance or cyber espionage.
==========================
Discussion Item #2: The CPSes do not discuss the use of the certificates for threat detection or defense.[4,5] However, Atos offers Data Loss Prevention (DLP) services.[6] A.k.a., Interception Proxy. Confirmation was requested for the Roots and Subordinates not being used for DLP purposes, even if the use is intended for or limited to customer on-prem.
Atos Response to Discussion Item #2: Atos Roots and Subordinates are NOT used for DLP purposes.
==========================
We thank community members for their review and consideration during this period. Root Store Programs will make final inclusion decisions independently, on their own timelines, and based on each Root Store Member’s inclusion criteria. Further discussion may take place in the independently managed Root Store community forums (i.e., MDSP).
[1] https://groups.google.com/a/ccadb.org/g/public/c/v5yFBHjuBRo/m/YT_SjO2_BQAJ
[2] https://atos.net/en/solutions/cyber-security/managed-security-services
[3] https://wiki.mozilla.org/CA/Root_Inclusion_Considerations
[4] https://pki.atos.net/Download/Atos_TrustedRoot_CPS_RootCA_v2.7.2.pdf
[5] https://pki.atos.net/Download/Atos_TrustedRoot_CPS_IssuingCAs_v2.7.2.pdf
[6] https://atos.net/en/2016/press-release/general-press-releases_2016_06_03/pr-2016_06_03_01
Thank you,
Chris, on behalf of the CCADB Steering Committee