Considering this is open: https://bugzilla.mozilla.org/show_bug.cgi?id=1893546

I do think that such a temporary grant does not make sense. e-commerce has so far not shown themselves to be a good steward of public trust. What are the implications of e-commerce being distrusted by Mozilla, especially since they can't get their auditors in order? The requirement for the auditors being part of ACAB was made nearly 2 years ago. According to crt.sh, e-commerce has ~150 active certificates. I'm not entirely sure why an exception should be made for them & the auditor they have picked?

Thanks,
Amir

On Tuesday, April 30, 2024 at 5:15:41 PM UTC-4 Ben Wilson wrote:
> Hi Amir,
>
> Here is a quick update on this issue, while I continue working on a summary of the discussion concerning the acquisition of e-commerce monitoring by AUSTRIA CARD.
>
> Since June 1, 2022, section 3.2 of the Mozilla Root Store Policy (MRSP) has required that ETSI auditors be members of the Accredited Conformity Assessment Bodies' Council (ACAB'c). One of the underlying reasons for adopting this requirement was to ensure consistency in auditor qualifications, guidance, and attestation letters. The ACAB'c membership requirement continues to help improve the quality of ETSI audits. However, the MRSP also allows Mozilla to temporarily waive the ACAB'c membership requirement under certain circumstances.
>
> e-commerce monitoring's ETSI audit is currently performed by A-SIT (Secure Information Technology Center – Austria). According to Herbert Leithold, Executive Director of A-SIT, "A-SIT is a government-funded information security organisation with formal duties that require strict neutrality and independency." For this reason, A-SIT asserts that it is precluded from joining the ACAB'c. While A-SIT is currently not a member of ACAB'c, it has otherwise met auditor qualification requirements and its audits have conformed to templates provided by the ACAB'c.
>
> We are considering whether to grant a temporary approval of A-SIT as an exception to the ACAB'c membership requirement. Such temporary approval would be subject to periodic re-evaluation, and likely it would eventually be withdrawn. We sincerely appreciate everyone's contributions as they facilitate our ability to make well-informed decisions. We kindly request your insightful perspectives and opinions.
>
> Thanks,
>
> Ben
>
> On Fri, Apr 26, 2024 at 12:09 PM Amir Omidi (aaomidi) <[email protected]> wrote:
>
>> Did you ever hear from them?
>>
>> On Tuesday, March 5, 2024 at 11:18:13 AM UTC-5 Ben Wilson wrote:
>>
>>> All,
>>> March 1 was the scheduled end of public discussion on this matter. However, I have one unresolved question that I have presented to the CA operator and its audit firm regarding ACAB'c membership (see MRSP section 3.2). As soon as I hear back on that question, I'll provide a summary of the entire discussion here.
>>> Thanks,
>>> Ben
>>>
>>> On Friday, February 23, 2024 at 7:36:13 AM UTC-7 [email protected] wrote:
>>>
>>>> *Preface*
>>>>
>>>> The only thing that changed is the ownership, and the ownership is represented by the new management. This only formal change has already been notified to the authorities and approved and registered. The rest remains unchanged.
>>>>
>>>> e-commerce monitoring GmbH fulfills different trust service requirements from ISO/IEC, eIDAS / ETSI, CA/Browser Forum to Root Program requirements, remains a member of the European Trust List (EUTL) as before and is permanently monitored by the Austrian Supervisory Body (RTR/TKK) and regularly assessed by a Conformity Assessment Body.
>>>>
>>>> The management has changed from Hans G. Zeger to Emmanouil Kontos and Markus Kirchmayr. The takeover of the company includes the taking over of the existing, trained and trusted staff which results in no changes except top management. e-commerce monitoring GmbH continues to provide certification and trust services according to the respective policies.
>>>>
>>>> It is in the interest of AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H. that e-commerce monitoring GmbH continues to fully comply with the Browser/OS Root Store Policies.
>>>>
>>>> *Ownership and Governance*
>>>>
>>>> The ultimate beneficial owner is Nikolaos Lykos. The new shareholder of e-commerce monitoring GmbH is AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H. Nikolaos Lykos owns 77.57 % of shares in AUSTRIACARD HOLDINGS AG, which is the parent company of AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H. (it is owned 100% by AUSTRIACARD HOLDINGS AG).
>>>>
>>>> AUSTRIACARD HOLDINGS AG is a publicly listed company with subsidiaries in Europe and the USA (please find more details in the prospectus on AUSTRIACARD's website: https://www.austriacard.com/wp-content/uploads/2023/01/AustriaCard_Prospectus_24.01.2023_FINAL.PUBLICATIONpdf.pdf).
>>>>
>>>> Emmanouil Kontos is the Managing Director of the company and authorized to represent the company solely. Markus Kirchmayr is authorized to represent the company jointly with Emmanouil Kontos. Both will not take any trusted roles in the CA operations.
>>>>
>>>> e-commerce monitoring GmbH is maintaining the Key Management as well as the respective roles of Key Manager and Key Custodian through the existing, trained and trusted staff.
>>>>
>>>> Major decisions regarding finance and management topics are made by the Managing Director Emmanouil Kontos in consultation with Markus Kirchmayr. Major decisions regarding operative topics are made by the Managing Director Emmanouil Kontos in consultation with the key manager. The decision making structure can be defined as follows:
>>>>
>>>> · Define the problem or decision that needs to be made
>>>> · Gather information and options
>>>> · Analyze the information and options
>>>> · Select the best option
>>>> · Plan for implementation
>>>> · Implement the plan
>>>>
>>>> *Investment and Budget*
>>>>
>>>> e-commerce monitoring GmbH is now a 100% subsidiary of AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H., which is classified as "große Kapitalgesellschaft" (large corporation) and therefore needs to comply with all regulations of the Austrian GmbHG (limited liabilities company Act) and UGB (Commercial Code).
>>>>
>>>> In addition e-commerce monitoring GmbH is therefore part of the group of companies of AUSTRIACARD HOLDINGS AG, which is also classified as "große Kapitalgesellschaft" (large corporation) and in addition is a listed company on the stock exchanges in Vienna and Athens. Therefore AUSTRIACARD HOLDINGS AG needs to comply with all regulations of the Austrian Aktiengesetz (Joint Stock Corporation Act) and Börsegesetz (Stock Exchange Act).
>>>>
>>>> AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H, with over 40 years of experience in providing high security solutions, is maintaining an Information Security Management System as part of the ISO 27001 framework which is certified and audited on a regular basis. Furthermore Austria Card has established security policies and processes to comply and be certified according to other security standards like ISO 14298 as well as Payment Card Industry standards PCI CP, PCI DSS and a qualification management system according to ISO 9001:2015.
>>>>
>>>> In the interest of fair competition we prefer not to disclose any strategic, budget or any other internal confidential information.
>>>>
>>>> *Community Engagement*
>>>>
>>>> e-commerce monitoring GmbH is committed to serving a diverse range of communities, both locally and globally. Further, we strive to create products and services that meet the needs of various demographics. Additionally, we prioritize inclusivity and accessibility, ensuring that our offerings are accessible to individuals from all walks of life.
>>>>
>>>> e-commerce monitoring GmbH is actively monitoring various legal information databases, other sources like Certification Authorities and Trust Service Providers portals by ETSI, the websites of the CA Browser Forum and root store operators as well as participation and exchange of information with various industry partners through events and projects.
>>>>
>>>> Additionally, e-commerce monitoring GmbH has established partnerships with regulatory institutions, security researchers, certification partners as well as customer relations which pro-actively inform e-commerce monitoring GmbH regarding significant changes, requirements and risks concerning security and compliance throughout the whole Web PKI.
>>>>
>>>> *Employees*
>>>>
>>>> e-commerce monitoring GmbH has established policies like "GLOBALTRUST Certificate Policy" which continue to apply.
>>>>
>>>> For reference and directions please consult particularly sections 5.2 Procedural controls and 5.3 Personnel controls:
>>>>
>>>> - Most recent: Version 3.2a / 16th February, 2024: https://service.globaltrust.eu/static/globaltrust-certificate-policy.pdf
>>>> - Prior: Version 3.2 / 19th August 2023: https://service.globaltrust.eu/static/globaltrust-certificate-policy.20230819.pdf
>>>>
>>>> There is no change to the staff in trusted roles. Employees in trusted roles remain as they have been. Only the top level management has been replaced. We are not able to disclose any background information on individuals. Skills and experience have been audited and, in part, are known to the Root Program responsible.
>>>>
>>>> e-commerce monitoring GmbH employs personnel with over 30 years of experience in cryptography, data protection and in general providing PKI technology solutions.
>>>>
>>>> The audited systems implemented by the trusted personnel of e-commerce monitoring GmbH are fulfilling different trust service requirements from ISO/IEC, eIDAS / ETSI, CAB Forum to root store policies which additionally are monitored on a regular basis both through automated system and manual audit processes.
>>>>
>>>> Further, e-commerce monitoring GmbH monitors CA incidents and other relevant discussions over the following community groups:
>>>>
>>>> · Bugzilla platform (https://wiki.mozilla.org/CA/Incident_Dashboard)
>>>> · dev-security-policy group hosted by Google (https://groups.google.com/a/mozilla.org/g/dev-security-policy)
>>>> · CCADB Public group hosted by Google (https://groups.google.com/a/ccadb.org/g/public)
>>>> · CAB Forum mailing lists:
>>>>   o https://lists.cabforum.org/mailman/listinfo/netsec
>>>>   o https://lists.cabforum.org/mailman/listinfo/public
>>>>   o https://lists.cabforum.org/mailman/listinfo/smcwg-public
>>>>   o https://lists.cabforum.org/mailman/listinfo/validation
>>>>   o https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>>>
>>>> *Operational Design and Ongoing GRC Management*
>>>>
>>>> The systems of e-commerce monitoring GmbH are designed, built and maintained according to the requirements including but not limited to ISO/IEC, eIDAS / ETSI, CAB Forum, root store policies as well as the established policies by GLOBALTRUST. Additionally, these systems have a continuous audit history carried out by qualified accredited bodies. The most recent RootCA GLOBALTRUST 2020 has a gapless cradle-to-the-grave audit including a key ceremony report and EV readiness attestation.
>>>>
>>>> e-commerce monitoring GmbH maintains extensive public and internal documentation which additionally has been presented to and audited by the Austrian supervisory body (RTR/TKK).
>>>>
>>>> The audited systems enforce various automated controls and tests including but not limited to pre-issuance linting tests utilizing the well-known open source tools.
>>>>
>>>> e-commerce monitoring GmbH has implemented automated monitoring systems that permanently evaluate the system security parameters, performance, availability and the resulting quality KPIs of the trusted services. Deviations from the expected quality KPIs trigger the notification and remediation process of our trained IT personnel during working hours and standby.
>>>>
>>>> Additionally, manual and automated self-audits are carried out on a quarterly basis against a random percentage of all issued certificates as required.
>>>>
>>>> *Auditing*
>>>>
>>>> e-commerce monitoring GmbH will continue to be evaluated by the auditor "A-SIT Zentrum für sichere Informationstechnologie" – Austria under the eIDAS / ETSI audit scheme.
>>>>
>>>> The most recent audit attestation including auditor's accreditation scope and team qualification can be found under the provided URL and follows the ACAB-c template in its most recent version: https://www.a-sit.at/wp-content/uploads/2023/05/VIG-23-044_audit-attestation_globaltrust-etsi-2023_final_signed.pdf
>>>>
>>>> The most recent eIDAS conformity assessment report can be found here: https://service.globaltrust.eu/static/conformity-assessment-2023.pdf
>>>>
>>>> Here is a quick bottom-up way to reproduce the auditor's qualifications:
>>>>
>>>> - Accreditation scope A-SIT: https://akkreditierung-austria.gv.at/overview (see A-SIT)
>>>> - Notification of A-SIT as CAB: (Name "Zentrum für sichere Informationstechnologie – Austria", Acronym: "A-SIT")
>>>> - Notification of Akkreditierung Austria as NAB: https://eidas.ec.europa.eu/efda/browse/notification/cab-nab
>>>> - Accreditation / "Akkreditierung Austria" at EA: https://european-accreditation.org/ea-members/directory-of-ea-members-and-mla-signatories/
>>>>
>>>> A-SIT has been recorded as auditor in the CCADB with Audit Firm Confidence Status as evaluated by Root Store Managers "High": https://ccadb.my.site.com/s/detail/a0F1J00001ICCfqUAH
>>>>
>>>> On Thursday, February 8, 2024 at 1:19:33 PM UTC+1 e-commerce monitoring wrote:
>>>>
>>>>> Dear All,
>>>>>
>>>>> e-commerce monitoring GmbH is now a 100% subsidiary of AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H., which is classified as "große Kapitalgesellschaft" (large corporation) and therefore needs to comply with all regulations of the Austrian GmbHG (limited liabilities company Act) and UGB (Commercial Code).
>>>>>
>>>>> e-commerce monitoring GmbH was taken over as a fully functional and independent entity inside the AUSTRIA CARD group of companies. The certified policies, processes and commitments of e-commerce monitoring GmbH continue to apply.
>>>>>
>>>>> The takeover of the company also includes the taking over of the established staff which results in no changes except top management and e-commerce monitoring GmbH will continue to adhere and operate according to the respective policies.
>>>>>
>>>>> Best regards,
>>>>> Daniel
>>>>>
>>>>> On Wednesday, February 7, 2024 at 12:22:36 AM UTC+1 Ben Wilson wrote:
>>>>>
>>>>>> Hi Aaron,
>>>>>>
>>>>>> On Tue, Feb 6, 2024 at 3:00 PM Aaron Gable <[email protected]> wrote:
>>>>>>
>>>>>>> e-commerce monitoring GmbH currently has multiple open bugzilla tickets which have not had any updates from their staff in multiple months:
>>>>>>> - https://bugzilla.mozilla.org/show_bug.cgi?id=1815534
>>>>>>> - https://bugzilla.mozilla.org/show_bug.cgi?id=1862004
>>>>>>
>>>>>> Correct - the questions raised by these incidents still need to be answered.
>>>>>>
>>>>>>> Does the behavior of the CA being acquired factor into decisions like this, or just the behavior of the acquiring entity?
>>>>>>
>>>>>> The behavior of the entity being acquired and the capabilities and history of the acquiring company are relevant, going back for an unspecified period of time. (Factors to be considered in deciding how far to go back include the nature and severity of any non-compliance and the degree to which any incidents reveal persistent, systemic problems.)
>>>>>>
>>>>>>> If a distrust conversation were to arise in the future, how do root programs ensure that bugs filed under previous corporate names are still included in the analysis?
>>>>>>
>>>>>> We have not experienced a lot of M&A/name-change activity recently. I believe the Mozilla Community has sufficient continuity, institutional memory, and community-based knowledge about the history of CA operators. So, I think this concern can be handled when needed with comments from community members, and changes in the names of CA operators should not require that we create a new tracking solution. (If incidents are sufficiently recent or still have relevance, then we could update the Bugzilla bugs "Summaries" by replacing the name of the previous operator with the name of the new entity when there is a name change or CA operator replacement.)
>>>>>>
>>>>>> Ben
>>>>>>
>>>>>>> Thanks,
>>>>>>> Aaron
>>>>>>>
>>>>>>> On Fri, Feb 2, 2024 at 5:25 PM Ben Wilson <[email protected]> wrote:
>>>>>>>
>>>>>>>> Dear Suchan,
>>>>>>>> You make a valid point. However, in this case, I wasn't sure how other root stores would be handling this. They may have their own processes. Also, the distribution on this list is almost 3x greater than on the CCADB public list, so I decided to post the discussion here. If the other root stores want to have a public discussion of this acquisition, then we can start a discussion on CCADB Public, too.
>>>>>>>> Sincerely yours,
>>>>>>>> Ben
>>>>>>>>
>>>>>>>> On Fri, Feb 2, 2024 at 5:53 PM Suchan Seo <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> While not having the knowledge to comment on the acquisition itself, doesn't this fit the ccadb mailing list better? I thought root store policy about individual roots was moved there.
>>>>>>>>>
>>>>>>>>> On Saturday, February 3, 2024 at 1:45:19 AM UTC+9 Ben Wilson wrote:
>>>>>>>>>
>>>>>>>>>> All,
>>>>>>>>>>
>>>>>>>>>> Recently we were advised that e-commerce monitoring GmbH is being acquired by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH.
>>>>>>>>>>
>>>>>>>>>> e-commerce monitoring operates the GLOBALTRUST 2020 root CA that is included in the Mozilla root store. They have advised us of the following:
>>>>>>>>>>
>>>>>>>>>> There are no changes to the operation of the CA and RA functions.
>>>>>>>>>>
>>>>>>>>>> Changes to the corporate structure:
>>>>>>>>>>
>>>>>>>>>> - New shareholder:
>>>>>>>>>> AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H.
>>>>>>>>>> registered under the number FN 98272v commercial court Vienna
>>>>>>>>>> Lamezanstraße 4-8
>>>>>>>>>> 1230 Vienna, Austria
>>>>>>>>>> https://www.austriacard.com/
>>>>>>>>>>
>>>>>>>>>> - New Management
>>>>>>>>>> new: CEO ("Geschäftsführer") Mr. Emmanouil Kontos
>>>>>>>>>> new: Attorney ("Prokurist") Mr. Markus Kirchmayr
>>>>>>>>>> old: CEO Hans Zeger
>>>>>>>>>>
>>>>>>>>>> - Registered headquarter
>>>>>>>>>> new: Handelskai 388/621, 1020 Vienna, Austria
>>>>>>>>>> old: Redtenbachergasse 20, 1160 Vienna, Austria
>>>>>>>>>>
>>>>>>>>>> According to section 8.1 of the Mozilla Root Store Policy, "If the receiving or acquiring company is new to the Mozilla root store, it MUST demonstrate compliance with the entirety of this policy. There MUST be a public discussion regarding its admittance to the root store. If Mozilla reaches a positive conclusion after public discussion, then the affected certificate(s) MAY remain in the root store."
>>>>>>>>>>
>>>>>>>>>> By this email, I am initiating a four-week public discussion period, scheduled to close on Friday, 1-March-2024, to allow for at least three full weeks of public discussion. The first week (Feb. 5 – 9) is intended to give the acquiring company time to address the following topics:
>>>>>>>>>>
>>>>>>>>>> · Compliance with the Mozilla Root Store Policy
>>>>>>>>>> · Ownership and governance
>>>>>>>>>> · Investment and budget for CA operations, risk management, and compliance
>>>>>>>>>> · Community engagement and involvement in industry groups
>>>>>>>>>> · Employee expertise and continuity
>>>>>>>>>> · Operational design and ongoing GRC management
>>>>>>>>>> · Auditors and auditing
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Ben Wilson
>>>>>>>>>>
>>>>>>>>>> Mozilla Root Store Program
