A root inclusion request has been submitted by Internet Security Research Group (Let's Encrypt). This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process (see https://wiki.mozilla.org/CA/Application_Process#Process_Overview, Steps 4 through 9) to add the ISRG Root X2 (EC secp384r1) to the root store, in order for Let's Encrypt to be able to provide a full chain with ECDSA support.
The application has been tracked in the CCADB and in Bugzilla as follows:
https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000749
https://bugzilla.mozilla.org/show_bug.cgi?id=1701317
Mozilla is considering approving ISRG’s inclusion request. This email begins a 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).
Root Certificate Information:
ISRG Root X2
https://crt.sh/?q=69729B8E15A86EFC177A57AFB7171DFC64ADD28C2FCA8CF1507E34453CCB1470
Download – https://letsencrypt.org/certs/isrg-root-x2.pem
CP/CPS:
The current CP and CPS were published August 20, 2021 –
CP- https://letsencrypt.org/documents/isrg-cp-v3.1/
CPS- https://letsencrypt.org/documents/isrg-cps-v4.1/
Most Recent CP/CPS review - https://bugzilla.mozilla.org/show_bug.cgi?id=1701317#c8
Repository location: https://letsencrypt.org/repository/
Audits:
ISRG's WebTrust auditor is Schellman & Company, LLC. ISRG's last audit report was dated October 2, 2020.
The 2020 WebTrust audits (PDF) may be downloaded here:
Standard - https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=247931
BR - https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=247932
ISRG incidents since January 1, 2020, include the following:
Incident | Status
[summary not preserved] | Fixed
[summary not preserved] | Fixed
Failure to revoke key-compromised certificates within 24 hours | Fixed
Failure to revoke key-compromised certificates within 24 hours | Fixed
Failure to revoke key-compromised certificate within 24 hours | Fixed
[summary not preserved] | Fixed
[summary not preserved] | Fixed
302 total OCSP responses available beyond acceptable timelines | Fixed
[summary not preserved] | Fixed
[summary not preserved] | Open
[summary not preserved] | Open
[summary not preserved] | Open
Thus, this email begins a three-week public discussion period, which I’m scheduling to close on or about 11-October-2021.
A representative of ISRG/Let’s Encrypt must promptly respond directly in the discussion thread to all questions that are posted.
Sincerely yours,
Ben Wilson
Mozilla Root Program
On September 20, 2021, we began a three-week public discussion[1] on a request from ISRG/Let’s Encrypt for inclusion of its ECDSA root certificate, the ISRG Root X2.[2] (Step 4 of the Mozilla Root Store CA Application Process[3]).
Summary of Discussion and Completion of Action Items [Application Process, Steps 5-8]:
Today I closed bug #1729567 (Delay updating OCSP responses) because ISRG has, among other improvements, updated its internal monitoring and alerting to ensure maintenance of timely OCSP responses. (ISRG had served OCSP responses which had not been updated in the previous 4 days, in violation of the Baseline Requirements, Section 4.9.10.)
ISRG currently has the following remaining bugs open:
We did not receive any objections or other questions or comments in opposition to ISRG’s request. I do not believe that the issues listed above merit a delay in Mozilla’s approval decision, and any further discussion of these issues can take place in their respective Bugzilla bugs.
Close of Public Discussion and Intent to Approve [Application Process, Steps 9-10]:
This is notice that I am closing public discussion (Application Process, Step 9) and that it is Mozilla’s intent to approve ISRG’s/Let’s Encrypt’s request (Step 10).
This begins a 7-day “last call” period for any final objections.
Thanks,
Ben
[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/D8coPL0eU3k/m/bE_aRuWxCAAJ
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1701317
[3] https://wiki.mozilla.org/CA/Application_Process#Process_Overview
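The second message above closes the OCSP bug because ISRG added monitoring to catch responses that had not been refreshed for four days, the interval Baseline Requirements Section 4.9.10 cites. The script below is an added example of that kind of freshness check, written for this page; it is not ISRG's monitoring code and nothing in the thread describes how ISRG implemented it. It evaluates the thisUpdate/nextUpdate fields of OCSP responses, taken here from constructed log lines in a format I made up for the example, against the four-day update rule the thread mentions, plus the ten-day maximum validity interval and the pre-nextUpdate refresh deadline as I read them in BR 4.9.10 (those two thresholds should be confirmed against the current BR text).

```python
"""Offline OCSP freshness check over constructed monitoring log lines.

Added example for this discussion thread; not ISRG's tooling. The log line
format and the serial numbers are constructed for the example.
"""
import re
from datetime import datetime, timedelta, timezone

# The four-day limit is the one the thread cites from BR 4.9.10. The ten-day
# maximum validity interval and the refresh deadline (eight hours before
# nextUpdate, or half the interval for responses valid under sixteen hours)
# are my reading of the same section; verify against the current BR text.
MAX_AGE = timedelta(days=4)
MAX_VALIDITY = timedelta(days=10)
REFRESH_MARGIN = timedelta(hours=8)
SHORT_VALIDITY = timedelta(hours=16)


def parse_generalized_time(value: str) -> datetime:
    """Parse the GeneralizedTime form OCSP uses (YYYYMMDDHHMMSSZ) as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_freshness(this_update: datetime, next_update: datetime, now: datetime) -> list[str]:
    """Return a list of findings for one response; an empty list means compliant."""
    findings = []
    validity = next_update - this_update
    if validity <= timedelta(0):
        return ["nextUpdate is not after thisUpdate"]
    if validity > MAX_VALIDITY:
        findings.append("validity interval exceeds ten days")
    if now - this_update > MAX_AGE:
        findings.append("thisUpdate is more than four days old")
    if now >= next_update:
        findings.append("response has expired (nextUpdate has passed)")
    else:
        # Refresh deadline depends on the length of the validity interval.
        if validity >= SHORT_VALIDITY:
            deadline = next_update - REFRESH_MARGIN
        else:
            deadline = this_update + validity / 2
        if now > deadline:
            findings.append("past the mandatory refresh deadline")
    return findings


# Constructed log format: one line per response currently being served.
LINE_RE = re.compile(
    r"serial=(?P<serial>[0-9A-Fa-f]+)\s+"
    r"thisUpdate=(?P<this>\d{14}Z)\s+nextUpdate=(?P<next>\d{14}Z)"
)


def scan_log(lines: list[str], now: datetime) -> dict[str, list[str]]:
    """Map each serial found in the log lines to its freshness findings."""
    report = {}
    for line in lines:
        match = LINE_RE.search(line)
        if not match:
            continue  # unrelated log line
        report[match["serial"]] = check_freshness(
            parse_generalized_time(match["this"]),
            parse_generalized_time(match["next"]),
            now,
        )
    return report


# Constructed sample: the monitor runs at 2021-09-13T00:00:00Z.
NOW = datetime(2021, 9, 13, tzinfo=timezone.utc)
SAMPLE_LOG = [
    "ocsp serial=1A2B thisUpdate=20210908000000Z nextUpdate=20210915000000Z status=good",
    "ocsp serial=3C4D thisUpdate=20210912000000Z nextUpdate=20210919000000Z status=good",
    "ocsp serial=5E6F thisUpdate=20210901000000Z nextUpdate=20210908000000Z status=good",
    "ocsp serial=7A8B thisUpdate=20210912170000Z nextUpdate=20210913050000Z status=good",
    "ocsp serial=9C0D thisUpdate=20210905000000Z nextUpdate=20210917000000Z status=good",
    "http GET /ocsp 200 12ms",  # not an OCSP response record; skipped
]

if __name__ == "__main__":
    for serial, findings in scan_log(SAMPLE_LOG, NOW).items():
        print(serial, "OK" if not findings else "; ".join(findings))
```

Run against a real responder, the same check_freshness logic would be fed the thisUpdate and nextUpdate values parsed from each served response, and any non-empty findings list is the alert condition; the four-day finding is the one that corresponds to the bug closed above.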