As you might know, browsers have decided to remove e-commerce monitoring GmbH (ECM) with its Root Certificate "GLOBALTRUST 2020" from their Root Programs as of June 30, 2024. Certificates issued before this date will retain their full validity.

The reasons for the removal have been comprehensively discussed in the Bugzilla forum. We acknowledged and accepted the decision. We have identified the shortcomings in our processes, particularly related to reaction time. Consequently, we are taking these issues very seriously and are committed to addressing them. An action plan is being rolled out to restructure our Certificate Authority (CA) functions. Our goal is to be included again in the Root Programs.

ECM’s shareholder, AUSTRIA CARD, is committed to regaining full compliance with the Browser/OS Root Store Policies. This commitment, which is strongly supported by our recently changed management, underscores our dedication to maintaining the widest compatibility and coverage.

As an immediate action, and until full remediation, ECM has ceased the issuance of TLS certificates according to the CA/Browser Forum Requirements. TLS certificates will be provided solely based on Regulation (EU) No 910/2014, Annex IV, as recently amended by Regulation (EU) 2024/1183 (“QWACs”). Certificates for interoperability testing purposes are excluded from this decision.

ECM, with its product lines GLOBALTRUST and TRUST2GO, is a Qualified Trust Service Provider (QTSP) according to EU eIDAS regulation and is under continuous supervision by the Austrian regulatory authority (RTR/TKK). Our activities are regularly evaluated by an accredited conformity assessment body based on numerous standards (e.g., eIDAS, ETSI), which include comprehensive logical, physical, and organizational security measures.

Our goal is to rebuild trust and demonstrate our commitment to upholding the highest standards in our industry.

For inquiries, please contact the Compliance & Product Management team, Attn: Mr. Daniel Zens, at [email protected]

On Tuesday, May 7, 2024 at 9:24:17 PM UTC+2 Amir Omidi (aaomidi) wrote:

> I just wanted to point out that e-commerce's communication is still
> very-very delayed: https://bugzilla.mozilla.org/show_bug.cgi?id=1893546#c1,
> https://bugzilla.mozilla.org/show_bug.cgi?id=1862004#c9
>
> I think e-commerce is getting into the territory where we should really
> consider if they're a healthy member of the Mozilla root store.
>
> *Does anyone have any arguments on why e-commerce shouldn't be fast
> tracked to removal from root stores?* I know in the future we probably
> need to define certain criteria on how to handle non-responsive CAs such as
> this. But I don't think we should wait until such a document is prepared
> before taking action.
>
> On Friday, May 3, 2024 at 9:12:19 AM UTC-4 Wayne wrote:
>
>> Hi Andrew,
>>
>> I was looking at https://globaltrust.eu/certificate-policy/ and the
>> 'GLOBALTRUST 2015 SERVER OV 2' entry which includes a list of test
>> servers. I can see there is a different list of test servers listed
>> higher on the page, and 2020 functions correctly, but 2015 has the same
>> issue (from the 'Testserver SSL-Zertifikate' heading):
>>
>> GLOBALTRUST 2015 gültiges Zertifikat
>> https://testok-2015-server-qualified-1.e-monitoring.at
>> GLOBALTRUST 2015 abgelaufenes Zertifikat
>> https://testold-2015-server-qualified-1.e-monitoring.at
>> GLOBALTRUST 2015 widerrufenes Zertifikat
>> https://testrevoked-2015-server-qualified-1.e-monitoring.at
>>
>> This seems to have been an abandoned practice by globaltrust and the
>> entries are inconsistent on whether they have any listed.
>>
>> - Wayne
>> On Friday, May 3, 2024 at 1:59:59 PM UTC+1 Andrew Ayer wrote:
>>
>>> Hi Wayne,
>>>
>>> On Fri, 3 May 2024 04:29:15 -0700 (PDT)
>>> Wayne <[email protected]> wrote:
>>>
>>> > They don't list valid/expired/revoked domains for all of their
>>> > sub-CAs
>>>
>>> CAs are only required to provide one set of test websites per root, not
>>> for every sub-CA.
>>>
>>> > and even the ones they do are running on the same wildcard
>>> > covering:
>>> >
>>> > DNS:timestamp.globaltrust.eu
>>> > DNS:*.globaltrust.eu
>>> > DNS:*.globaltrust.at
>>> > DNS:*.globaltrust.info
>>> > DNS:*.a-cert.at
>>> > DNS:*.e-monitoring.at
>>> >
>>> > See: https://crt.sh/?id=9532011580
>>>
>>> Where are you seeing this disclosed as a test website certificate? The
>>> disclosures that I see in the CCADB for GLOBALTRUST's Mozilla-trusted
>>> root are:
>>>
>>> https://testok-2020-server-qualified-ev-1.e-monitoring.at/
>>> https://testold-2020-server-qualified-ev-1.e-monitoring.at/
>>> https://testrevoked-2020-server-qualified-ev-1.e-monitoring.at/
>>>
>>> Those all look correct to me.
>>>
>>> Regards,
>>> Andrew
>>>
>>

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/cf40cdeb-e222-4707-9b4f-7f9f24546ac0n%40mozilla.org.
