On November 1, 2023, we began a six-week, public discussion [1] on the request from Deutsche Telekom Security for inclusion of its root certificate(s):
- Telekom Security SMIME ECC Root 2021 - Telekom Security TLS ECC Root 2020 - Telekom Security SMIME RSA Root 2023 - Telekom Security TLS RSA Root 2023 The public discussion period ended on December 13, 2023. Note: the Summary of Discussion below includes an item that was stated after the public discussion period ended and as of the time of this message does not include a response from Deutsche Telekom Security. Deutsche Telekom Security can still respond to this item, if desired. ========================== Summary of Discussion Discussion Item #1: Clarification was sought regarding the applicant's organizational structure and CA management. Deutsche Telekom Security Response to Discussion Item #1: Deutsche Telekom confirmed that the root CA certificates in the inclusion request are fully managed by Deutsche Telekom Security GmbH [2]. The organizational structure was defined [3] as: - Deutsche Telekom AG is the Group’s parent company - Deutsche Telekom Security GmbH is a 100% subsidiary of Deutsche Telekom AG - T-Systems International GmbH is a 100% subsidiary of Deutsche Telekom AG Discussion Item #2 [after the public discussion period ended]: A perspective was shared that the content and delivery of a past incident report was worrisome [4]. ========================== We thank community members for their review and consideration during this period. Root Store Programs will make final inclusion decisions independently, on their own timelines, and based on each Root Store Member’s inclusion criteria. Further discussion may take place in the independently managed Root Store community forums (i.e., MDSP). Thank you, -Chris, on behalf of the CCADB Steering Committee [1] https://groups.google.com/a/ccadb.org/g/public/c/yiJ-bkv-Ftg/m/JsbbxpZJBAAJ [2] https://groups.google.com/a/ccadb.org/g/public/c/yiJ-bkv-Ftg/m/dsHfRRZXBQAJ [3] https://groups.google.com/a/ccadb.org/g/public/c/yiJ-bkv-Ftg/m/JD8quX3nBAAJ [4] https://groups.google.com/a/ccadb.org/g/public/c/yiJ-bkv-Ftg/m/cHCi1jjjAwAJ On Mon, Dec 18, 2023 at 3:06 PM Amir Omidi (aaomidi) <[email protected]> wrote: > I understand that the period for discussion has closed, but I'd like to > offer my $0.02 anyway. > > I find the incident response in > https://bugzilla.mozilla.org/show_bug.cgi?id=1825780 both lacking in > detail, and adversarial in nature. Telekom's response to this incident > makes me weary of accepting them into the pool of CAs. > > > We determined that the validation of the de-domains could be trusted > because the validation was carried out in a secure process directly with > DENIC, i.e. the central registry for all de-domains. > > I'm worried that this shows a pattern of internal behavior that is at odds > with public trust and being a public CA. And a set of behavior that ignores > the accepted methods for domain validation. > > Thanks, > Amir > On Wednesday, December 6, 2023 at 9:56:38 AM UTC-5 Chris Clements wrote: > >> All, >> >> This is a reminder that the public discussion period on the inclusion >> application of Deutsche Telekom Security GmbH will close on Wednesday, >> December 13, 2023. >> >> Thank you, >> -Chris, on behalf of the CCADB Steering Committee >> >> On Mon, Nov 6, 2023 at 2:51 AM <[email protected]> wrote: >> >>> Hi Moudrick, >>> >>> >>> >>> yes, these Root-CAs that are the subject of this Root Inclusion Request >>> are fully managed by Deutsche Telekom Security GmbH. >>> >>> >>> >>> Greetings >>> >>> >>> >>> Stefan >>> >>> >>> >>> *Von:* Moudrick M. Dadashov <[email protected]> >>> *Gesendet:* Freitag, 3. November 2023 20:50 >>> *An:* Kirch, Stefan <[email protected]>; [email protected] >>> *Cc:* FMB TrustCenter-Roots <[email protected]> >>> *Betreff:* RE: AW: Public Discussion of Deutsche Telekom Security CA >>> Inclusion Request >>> >>> >>> >>> Thank you, Stefan. >>> >>> >>> >>> Do I understand correctly that, despite of the organisational structure >>> and the relationship between the group members, this CA is fully managed by >>> Deutsche Telekom Security GmbH? >>> >>> >>> >>> Thanks, >>> >>> M.D. >>> >>> >>> >>> Sent from my Galaxy >>> >>> >>> >>> >>> >>> -------- Original message -------- >>> >>> From: [email protected] >>> >>> Date: 11/2/23 15:29 (GMT+02:00) >>> >>> To: [email protected] >>> >>> Cc: [email protected] >>> >>> Subject: AW: Public Discussion of Deutsche Telekom Security CA Inclusion >>> Request >>> >>> >>> >>> Hi, >>> >>> >>> >>> For our answer we assume that "Deutsche Telekom AG" is meant rather than >>> "Deutsche Telekom GmbH" (such a company does not exist). >>> >>> The relationship is as follows: >>> >>> - Deutsche Telekom AG is the Group’s parent company >>> >>> - Deutsche Telekom Security GmbH is a 100% subsidiary of Deutsche >>> Telekom AG >>> >>> - T-Systems International GmbH is a 100% subsidiary of Deutsche Telekom >>> AG >>> >>> >>> >>> With regard to the publicly trusted certificates, T-Systems >>> International GmbH was the owner of the Root CA certificates as well as the >>> operator of all Sub CAs of the Deutsche Telekom Group until 2020. >>> >>> With the establishment of Deutsche Telekom Security GmbH in 2020, >>> ownership of the Root CAs as well as operation of the Sub CAs of the >>> Deutsche Telekom Group were transferred internally from T-Systems >>> International GmbH to Deutsche Telekom Security GmbH. >>> >>> As the transfer also included all employees concerned, and operations >>> continued at the same physical locations under the same conditions, the >>> change mainly only took place on paper, with the name "T-Systems >>> International GmbH" being replaced by "Deutsche Telekom Security GmbH" in >>> the relevant documents and contracts. >>> >>> >>> >>> Regarding the change of the Root ownership see also >>> >>> >>> https://groups.google.com/g/mozilla.dev.security.policy/c/pOu_jWY0SVY/m/2uLyuK4TAwAJ >>> >>> >>> >>> >>> Greetings >>> >>> >>> >>> Stefan >>> >>> >>> >>> *Von:* [email protected] <[email protected]> *Im Auftrag von *Moudrick M. >>> Dadashov >>> *Gesendet:* Mittwoch, 1. November 2023 19:39 >>> *An:* Ryan Dickson <[email protected]>; public <[email protected]> >>> *Betreff:* RE: Public Discussion of Deutsche Telekom Security CA >>> Inclusion Request >>> >>> >>> >>> Thank you. I’m trying to understand the organisational structure of the >>> applicant. >>> >>> >>> >>> Could someone please introduce us the relationship between Deutsche >>> Telekom GmbH, Deutsche Telekom Security GmbH and T-Systems International >>> GmbH? >>> >>> >>> >>> Specifically I’m interested to understand their roles within the CA >>> operations. >>> >>> >>> >>> Thanks, >>> >>> M.D. >>> >>> >>> >>> >>> >>> Sent from my Galaxy >>> >>> >>> >>> >>> >>> -------- Original message -------- >>> >>> From: 'Ryan Dickson' via CCADB Public <[email protected]> >>> >>> Date: 11/1/23 15:08 (GMT+02:00) >>> >>> To: public <[email protected]> >>> >>> Subject: Public Discussion of Deutsche Telekom Security CA Inclusion >>> Request >>> >>> >>> >>> All, >>> >>> >>> >>> This email commences a six-week public discussion of Deutsche Telekom >>> Security’s request to include the following CA certificates as publicly >>> trusted root certificates in one or more CCADB Root Store Member’s program. >>> This discussion period is scheduled to close on *December 13, 2023*. >>> >>> >>> >>> The purpose of this public discussion process is to promote openness and >>> transparency. However, each Root Store makes its inclusion decisions >>> independently, on its own timelines, and based on its own inclusion >>> criteria. Successful completion of this public discussion process does not >>> guarantee any favorable action by any root store. >>> >>> >>> >>> Anyone with concerns or questions is urged to raise them on this CCADB >>> Public list by replying directly in this discussion thread. Likewise, a >>> representative of the applicant must promptly respond directly in the >>> discussion thread to all questions that are posted. >>> >>> >>> >>> *CCADB Case Number: *00001269 >>> <https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001269> >>> >>> >>> >>> *Organization Background Information (listed in CCADB):* >>> >>> · *CA Owner Name:*Deutsche Telekom Security GmbH >>> >>> · *Website: *https://www.telesec.de/ >>> >>> · *Address: *Untere Industriestrasse 20, Netphen, 57250 Germany >>> >>> · *Problem Reporting Mechanisms: * >>> https://www.telesec.de/en/kontakt-en >>> >>> · *Organization Type: *Private Corporation >>> >>> o Deutsche Telekom Security is a subsidiary of Deutsche Telekom AG >>> >>> · *Repository URL: >>> https://www.telesec.de/en/service/downloads/pki-repository/ >>> <https://www.telesec.de/en/service/downloads/pki-repository/>* >>> >>> >>> >>> *Certificates Requesting Inclusion:* >>> >>> *1.* *Telekom Security SMIME ECC Root 2021:* >>> >>> o Certificate download links: (CA Repository >>> <https://www.telesec.de/assets/downloads/PKI-Repository/Telekom_Security_SMIME_ECC_Root_2021.cer>, >>> crt.sh >>> <https://crt.sh/?sha256=3AE6DF7E0D637A65A8C81612EC6F9A142F85A16834C10280D88E707028518755> >>> ) >>> >>> o Use cases served/EKUs: >>> >>> § Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4 >>> >>> o Test websites: N/A (S/MIME CA) >>> >>> >>> >>> *2.* *Telekom Security TLS ECC Root 2020: * >>> >>> o Certificate download links: (CA Repository >>> <https://www.telesec.de/assets/downloads/PKI-Repository/Telekom_Security_TLS_ECC_Root_2020.cer>, >>> crt.sh >>> <https://crt.sh/?sha256=578AF4DED0853F4E5998DB4AEAF9CBEA8D945F60B620A38D1A3C13B2BC7BA8E1> >>> ) >>> >>> o Use cases served/EKUs: >>> >>> § Server Authentication 1.3.6.1.5.5.7.3.1 >>> >>> § Client Authentication 1.3.6.1.5.5.7.3.2 >>> >>> o Test websites: >>> >>> § Valid: https://active.tstlser20.test.telesec.de/ >>> >>> § Revoked:https://revoked.tstlser20.test.telesec.de/ >>> >>> § Expired: https://expired.tstlser20.test.telesec.de/ >>> >>> >>> >>> *3.* *Telekom Security SMIME RSA Root 2023:* >>> >>> o Certificate download links: (CA Repository >>> <https://www.telesec.de/assets/downloads/PKI-Repository/Telekom_Security_SMIME_RSA_Root_2023.cer>, >>> crt.sh >>> <https://crt.sh/?sha256=78A656344F947E9CC0F734D9053D32F6742086B6B9CD2CAE4FAE1A2E4EFDE048> >>> ) >>> >>> o Use cases served/EKUs: >>> >>> § Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4 >>> >>> § Client Authentication 1.3.6.1.5.5.7.3.2 >>> >>> o Test websites: N/A (S/MIME CA) >>> >>> >>> >>> *4.* *Telekom Security TLS RSA Root 2023:* >>> >>> o Certificate download links: (CA Repository >>> <https://www.telesec.de/assets/downloads/PKI-Repository/Telekom_Security_TLS_RSA_Root_2023.cer>, >>> crt.sh >>> <https://crt.sh/?sha256=EFC65CADBB59ADB6EFE84DA22311B35624B71B3B1EA0DA8B6655174EC8978646> >>> ) >>> >>> o Use cases served/EKUs: >>> >>> § Server Authentication 1.3.6.1.5.5.7.3.1 >>> >>> § Client Authentication 1.3.6.1.5.5.7.3.2 >>> >>> o Test websites: >>> >>> § Valid: https://active.tstlsrr23.test.telesec.de/ >>> >>> § Revoked: https://revoked.tstlsrr23.test.telesec.de/ >>> >>> § Expired: https://expired.tstlsrr23.test.telesec.de/ >>> >>> >>> >>> *Existing Publicly Trusted Root CAs from Deutsche Telekom Security:* >>> >>> *1.* *T-TeleSec GlobalRoot Class 2:* >>> >>> o Certificate download links: CA Repository >>> <https://www.telesec.de/assets/downloads/PKI-Repository/T-TeleSec_GlobalRoot_Class_2.cer>, >>> crt.sh >>> <https://crt.sh/?q=91E2F5788D5810EBA7BA58737DE1548A8ECACD014598BC0B143E041B17052552> >>> >>> o Use cases served/EKUs: >>> >>> § Server Authentication (TLS) 1.3.6.1.5.5.7.3.1 >>> >>> § Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4 >>> >>> § Client Authentication 1.3.6.1.5.5.7.3.2 >>> >>> o Certificate Corpus: here >>> <https://search.censys.io/search?resource=certificates&q=parsed.extensions.authority_key_id%3A+bf5920360079a0a0226b8cd5f261d2b82ccb824a> >>> (requires Censys account) >>> >>> o Included in: Apple, Chrome, Microsoft, Mozilla >>> >>> *2.* *T-TeleSec GlobalRoot Class 3:* >>> >>> o Certificate download links: CA Repository >>> <https://www.telesec.de/assets/downloads/PKI-Repository/T-TeleSec_GlobalRoot_Class_3.cer>, >>> crt.sh >>> <https://crt.sh/?q=FD73DAD31C644FF1B43BEF0CCDDA96710B9CD9875ECA7E31707AF3E96D522BBD> >>> >>> o Use cases served/EKUs: >>> >>> § Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; >>> >>> § Client Authentication 1.3.6.1.5.5.7.3.2 >>> >>> o Certificate Corpus: here >>> <https://search.censys.io/search?resource=certificates&q=parsed.extensions.authority_key_id%3A+b503f7763b61826a12aa1853eb032194bffececa> >>> (requires Censys account) >>> >>> o Included in: Apple, Chrome, Microsoft, Mozilla >>> >>> >>> >>> *Relevant Policy and Practices Documentation: * >>> >>> · Certificate Policy - v. 4.0 (Sept. 1, 2023), >>> https://www.telesec.de/assets/downloads/PKI-Repository/Telekom-Security-CP-EN-V4.0.pdf >>> >>> >>> · Certification Practices Statement - v. 6.0 (Sept. 1, 2023), >>> https://www.telesec.de/assets/downloads/PKI-Repository/Telekom-Security-CPS-Public-EN-V6.0.pdf >>> >>> >>> >>> >>> *Most Recent Self-Assessment:* >>> >>> · >>> https://www.telesec.de/assets/downloads/2023-08-28_Telekom_Security_CCADB_Self_Assessment_Framework_v1.2.xlsx >>> >>> >>> >>> >>> *Audit Statements:* >>> >>> · Auditor: TÜV Informationstechnik GmbH >>> >>> · Audit Criteria: ETSI EN 319 411-1 V1.3.1 (2021-05); ETSI EN >>> 319 411-2, V2.4.1 (2021-11) >>> >>> · Date of Audit Letter Issuance: June 21, 2023 >>> >>> · For Period of Time: April 8, 2022, through April 7, 2023 >>> >>> · Audit Statement(s): >>> >>> o >>> https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2023062101_Telekom_Security_2023_V1.0.pdf >>> >>> >>> >>> *Incident Summary (Bugzilla incidents from previous 24 months):* >>> >>> · Improper use of a domain validation method (Bugzilla Bug >>> #1825780 <https://bugzilla.mozilla.org/show_bug.cgi?id=1825780>) >>> >>> >>> >>> >>> >>> Thanks, >>> >>> Ryan, on behalf of the CCADB Steering Committee >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "CCADB Public" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/a/ccadb.org/d/msgid/public/CADEW5O_%3DkLcjqCLTj-XsBzVt94JgD0zA-HYfx9G711QVEr6HYQ%40mail.gmail.com >>> <https://groups.google.com/a/ccadb.org/d/msgid/public/CADEW5O_%3DkLcjqCLTj-XsBzVt94JgD0zA-HYfx9G711QVEr6HYQ%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "CCADB Public" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/a/ccadb.org/d/msgid/public/65429b46.050a0220.5dfd6.649f%40mx.google.com >>> <https://groups.google.com/a/ccadb.org/d/msgid/public/65429b46.050a0220.5dfd6.649f%40mx.google.com?utm_medium=email&utm_source=footer> >>> . >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "CCADB Public" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/a/ccadb.org/d/msgid/public/BE1P281MB1506278DF4FD5DE3D887974FFAA6A%40BE1P281MB1506.DEUP281.PROD.OUTLOOK.COM >>> <https://groups.google.com/a/ccadb.org/d/msgid/public/BE1P281MB1506278DF4FD5DE3D887974FFAA6A%40BE1P281MB1506.DEUP281.PROD.OUTLOOK.COM?utm_medium=email&utm_source=footer> >>> . >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "CCADB Public" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> >> To view this discussion on the web visit >>> https://groups.google.com/a/ccadb.org/d/msgid/public/BE1P281MB15064D740925362E1595C9A7FAAAA%40BE1P281MB1506.DEUP281.PROD.OUTLOOK.COM >>> <https://groups.google.com/a/ccadb.org/d/msgid/public/BE1P281MB15064D740925362E1595C9A7FAAAA%40BE1P281MB1506.DEUP281.PROD.OUTLOOK.COM?utm_medium=email&utm_source=footer> >>> . >>> >> -- You received this message because you are subscribed to the Google Groups "CCADB Public" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CAAbw9mASpPxXffcGnwuLyFaxGkBbMYc_TpoKXGJv80aR9J%2BxGg%40mail.gmail.com.
