TWCA has a couple of incidents open for revocation delays. I think until this CA can show that it can follow its own CP/CPS and BRs, new trust anchors from that CA should not be accepted into the Mozilla Trust Store. Beyond that looking at the document linked here: https://www.twca.com.tw/upload/saveArea/filePage/20240313/05926332a5cb42bbb70bc7a0c841dff4/05926332a5cb42bbb70bc7a0c841dff4.pdf in section 4.9.2, they seem to not actually include non-subscribers as entities that can request revocation. For example, if some subscriber manages to issue a certificate for a domain I own, and I decide to get that revoked, under this document it doesn't seem like I have the authority to do that.
My objection is that while the CA is showing that they're comfortable ignoring the BRs, they should not be permitted to have additional roots join the trust store. Specifically, on this incident: https://bugzilla.mozilla.org/show_bug.cgi?id=1886110 0 they didn't even understand what revocation actually entails. I'll go even further that Mozilla should consider a motion of distrust on this CA rather than extending trust to them even further than it already has - but that is a discussion for another thread. On Tuesday, June 4, 2024 at 6:41:06 PM UTC Ben Wilson wrote: > Greetings, > > Public discussion regarding inclusion of the TWCA CYBER Root CA (websites > trust bit with EV) and the TWCA Global Root CA G2 (email trust bit) began > on the CCADB Public List on April 22, 2024 ( > https://groups.google.com/a/ccadb.org/g/public/c/rAsxoNILZ6A/m/vqn7iTHEAwAJ) > and concluded recently ( > https://groups.google.com/a/ccadb.org/g/public/c/rAsxoNILZ6A/m/eapyrQcjBgAJ > ). > > > > Additional details concerning this request may be found in the > above-referenced discussions, in Bugzilla #1849702 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1849702>, and in CCADB Case > Number *00001244 > <https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001244>* > . > > > The inclusion process is outlined here: > https://wiki.mozilla.org/CA/Application_Process#Process_Overview. > Additional information about application review may be found here: > https://wiki.mozilla.org/CA/Application_Verification. > > > This is Mozilla's notice of intent to approve Taiwan CA’s root inclusion > request. > > > > This begins a 7-day “last call” period for any final objections. > > Thanks, > > Ben > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/a7b05c98-8915-4602-bc3c-bb1a6ba94188n%40mozilla.org.
