All,

The Chrome Root Program Policy
<https://www.chromium.org/Home/chromium-security/root-ca-policy/> states
that CA certificates included in the Chrome Root Store
<https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/root_store.md>
must provide value to Chrome end users that exceeds the risk of their
continued inclusion. It also describes many of the factors
<https://www.chromium.org/Home/chromium-security/root-ca-policy/#7-reporting-and-responding-to-incidents>
we consider significant when CA Owners disclose and respond to incidents.
When things don’t go right, we expect CA Owners to commit to meaningful and
demonstrable change resulting in evidenced continuous improvement.

On numerous instances over the last three years, e-commerce monitoring GmbH
fell short of the above expectations (e.g., [1
<https://bugzilla.mozilla.org/show_bug.cgi?id=1716123>],[2
<https://bugzilla.mozilla.org/show_bug.cgi?id=1716163>],[3
<https://bugzilla.mozilla.org/show_bug.cgi?id=1830536>],[4
<https://bugzilla.mozilla.org/show_bug.cgi?id=1862004>],[5
<https://bugzilla.mozilla.org/show_bug.cgi?id=1883711>],[6
<https://bugzilla.mozilla.org/show_bug.cgi?id=1815534>],[7
<https://bugzilla.mozilla.org/show_bug.cgi?id=1888371>],[8
<https://bugzilla.mozilla.org/show_bug.cgi?id=1893546>]). In light of this,
we have reached the conclusion that the GLOBALTRUST 2020
<https://crt.sh/?q=9A296A5182D1D451A2E37F439B74DAAFA267523329F90F9A0D2007C334E23C9A>
certificates suffer from a loss of integrity and action is required from
the perspective of ensuring web security for Chrome users. To safeguard
Chrome’s users, we are taking the following action.

Upcoming change in Chrome 124 and higher:

   - TLS server authentication certificates validating to GLOBALTRUST 2020
   whose earliest Signed Certificate Timestamp (SCT) is dated after June
   30, 2024, will no longer be trusted by default.
   - TLS server authentication certificates validating to GLOBALTRUST 2020
   whose earliest SCT is on or before June 30, 2024, will be unaffected by
   this change.

This approach attempts to minimize disruption to existing e-commerce
monitoring GmbH subscribers, using a new
<https://source.chromium.org/chromium/chromium/src/+/main:net/cert/root_store.proto;drc=a783c3bab474ff68e675e2753f91c92ca817e072;l=15?q=f:root_store.proto&ss=chromium>
Chrome feature to remove default trust based on the SCTs in certificates.

Thank you

-Chris, on behalf of the Chrome Root Program

-- 
You received this message because you are subscribed to the Google Groups 
"CCADB Public" group.
To view this discussion on the web visit 
https://groups.google.com/a/ccadb.org/d/msgid/public/CAAbw9mBK_ARgJ5wVnDXa6FAOJ_V-g0wdwu8dYggHB9%3DO5z5NLg%40mail.gmail.com.
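The SCT-based cutoff described in the announcement, as an added example that is not part of the original message and not Chrome's or e-commerce monitoring GmbH's code: it parses the embedded SignedCertificateTimestampList (RFC 6962 section 3.3, carried in X.509 extension 1.3.6.1.4.1.11129.2.4.2), takes the earliest SCT timestamp, and checks it against the June 30, 2024 boundary. Assumptions made here and not stated in the announcement: the boundary is evaluated in UTC (anything from 2024-07-01T00:00:00Z onward counts as "after June 30"), the certificate is already known to chain to GLOBALTRUST 2020, SCT signatures are not verified, and a certificate with no embedded SCTs is treated as failing the check. The sample SCTs are constructed with dummy log IDs and zero-filled signatures.

```python
"""Parse an RFC 6962 embedded SCT list and apply an SCT-date cutoff.

Added illustration only. Signatures are NOT verified here and the chain to
GLOBALTRUST 2020 is assumed to have been validated separately.
"""
import struct
from datetime import datetime, timezone

# Assumption: the June 30, 2024 boundary is evaluated in UTC.
CUTOFF_MS = int(datetime(2024, 7, 1, tzinfo=timezone.utc).timestamp() * 1000)


def _read_vec(buf, pos, len_bytes):
    """Read a TLS variable-length vector with a len_bytes length prefix."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated length prefix")
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(buf):
        raise ValueError("vector runs past end of buffer")
    return buf[pos:pos + n], pos + n


def unwrap_octet_string(ext_value):
    """Strip the DER OCTET STRING (tag 0x04) the X.509 extension wraps around the list.

    Heuristic: a bare TLS list starting with 0x04 as its length high byte would be
    mis-detected; a real implementation knows which encoding it was handed.
    """
    if not ext_value or ext_value[0] != 0x04:
        return ext_value
    first = ext_value[1]
    if first < 0x80:
        hdr, length = 2, first
    else:
        nbytes = first & 0x7F
        hdr = 2 + nbytes
        length = int.from_bytes(ext_value[2:hdr], "big")
    if hdr + length != len(ext_value):
        raise ValueError("OCTET STRING length does not match extension value")
    return ext_value[hdr:]


def parse_sct_list(ext_value):
    """Return [{version, log_id, timestamp_ms}, ...] for every v1 SCT in the list."""
    data = unwrap_octet_string(ext_value)
    outer, end = _read_vec(data, 0, 2)
    if end != len(data):
        raise ValueError("trailing bytes after SCT list")
    scts, pos = [], 0
    while pos < len(outer):
        sct, pos = _read_vec(outer, pos, 2)
        if len(sct) < 1 + 32 + 8 + 2:
            raise ValueError("SCT too short")
        version = sct[0]
        if version != 0:  # RFC 6962 defines only v1, encoded as 0
            raise ValueError(f"unsupported SCT version {version}")
        log_id = sct[1:33]
        (timestamp_ms,) = struct.unpack(">Q", sct[33:41])  # ms since Unix epoch
        _exts, p = _read_vec(sct, 41, 2)
        # digitally-signed: hash alg (1 byte), sig alg (1 byte), signature<0..2^16-1>
        if len(sct) < p + 4:
            raise ValueError("SCT missing signature block")
        _sig, p = _read_vec(sct, p + 2, 2)
        if p != len(sct):
            raise ValueError("trailing bytes inside SCT")
        scts.append({"version": version, "log_id": log_id, "timestamp_ms": timestamp_ms})
    return scts


def earliest_sct_ms(ext_value):
    """Earliest timestamp across all embedded SCTs, or None if there are none."""
    scts = parse_sct_list(ext_value)
    return min(s["timestamp_ms"] for s in scts) if scts else None


def keeps_default_trust(ext_value, cutoff_ms=CUTOFF_MS):
    """Earliest SCT on or before June 30, 2024 -> unaffected; later -> distrusted.

    Assumption (not from the announcement): no embedded SCTs means the check fails.
    """
    earliest = earliest_sct_ms(ext_value)
    return earliest is not None and earliest < cutoff_ms


# ---- constructed sample data: dummy log IDs, zero-filled ECDSA signatures ----
def build_sct(timestamp_ms, log_id_byte):
    body = bytes([0]) + bytes([log_id_byte]) * 32 + struct.pack(">Q", timestamp_ms)
    body += b"\x00\x00"                                           # no extensions
    body += bytes([4, 3]) + struct.pack(">H", 64) + b"\x00" * 64  # sha256, ecdsa, fake sig
    return struct.pack(">H", len(body)) + body


def der_octet_string(payload):
    n = len(payload)
    if n < 0x80:
        return bytes([0x04, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x04, 0x80 | len(lb)]) + lb + payload


def build_sct_list(*timestamps_ms, der_wrap=True):
    inner = b"".join(build_sct(ts, i + 1) for i, ts in enumerate(timestamps_ms))
    tls = struct.pack(">H", len(inner)) + inner
    return der_octet_string(tls) if der_wrap else tls


MAY_15_2024_MS = int(datetime(2024, 5, 15, tzinfo=timezone.utc).timestamp() * 1000)
AUG_01_2024_MS = int(datetime(2024, 8, 1, tzinfo=timezone.utc).timestamp() * 1000)
SAMPLE_PRE_CUTOFF = build_sct_list(MAY_15_2024_MS)
SAMPLE_POST_CUTOFF = build_sct_list(AUG_01_2024_MS)
SAMPLE_MIXED = build_sct_list(AUG_01_2024_MS, MAY_15_2024_MS)  # earliest governs
```

Because the earliest SCT governs, a certificate logged before the boundary stays unaffected even if it also carries SCTs issued afterwards, and a certificate first logged on July 1, 2024 UTC or later loses default trust regardless of its notBefore date. In Chrome this decision is made only for chains that actually terminate at GLOBALTRUST 2020; the parser above does not check that and does not verify the SCT signatures, both of which a browser must do before relying on the timestamps.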