Thomas, I'm going to put this back into your queue...

It may be unfortunate coincidence, but I'm concerned about the cluster (see list below) of recent issues having to do with SSL.com relationships with other CAs and resellers. Please do a very thorough review of all of your resellers, re-branded intermediate CAs, and cross-signing relationships with other CAs. And report back here with a public-facing summary of your findings and any resolutions.

1) Bug #1815355 - Asseco Data Systems cross-signed a non-EV SSL.com root, mistakenly making it EV-capable -- [lessons learned](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/r-BXhsxFKUc/m/1QCZypVEAwAJ)
2) Bug #1801345 - Breach of e-Tugra systems that were reselling certificates through a branded intermediate certificate operated by SSL.com.
3) [Discussion in MDSP](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/heXVr8o83Ys/m/4ud8GnssAQAJ) - SSL.com discovered that reseller QUANTUM CA LIMITED had dissolved on November 1, 2022, and not notified SSLcom.

I will wait for a report of your results before making a determination about this root inclusion request.
Bug 1799533 Comment 19 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Thomas, I'm going to put this back into your queue...

It may be unfortunate coincidence, but I'm concerned about the cluster (see list below) of recent issues having to do with SSL.com relationships with other CAs and resellers. Please do a very thorough review of all of SSL.com's resellers, re-branded intermediate CAs, and cross-signing relationships with other CAs. And report back here with a public-facing summary of your findings and any resolutions.

1) Bug #1815355 - Asseco Data Systems cross-signed a non-EV SSL.com root, mistakenly making it EV-capable -- [lessons learned](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/r-BXhsxFKUc/m/1QCZypVEAwAJ)
2) Bug #1801345 - Breach of e-Tugra systems that were reselling certificates through a branded intermediate certificate operated by SSL.com.
3) [Discussion in MDSP](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/heXVr8o83Ys/m/4ud8GnssAQAJ) - SSL.com discovered that reseller QUANTUM CA LIMITED had dissolved on November 1, 2022, and not notified SSLcom.

I will wait for a report of your results before making a determination about this root inclusion request.
Thomas, I'm going to put this back into your queue...

It may be unfortunate coincidence, but I'm concerned about the cluster (see list below) of recent issues having to do with SSL.com relationships with other CAs and resellers. Please do a very thorough review of all of SSL.com's resellers, re-branded intermediate CAs, and cross-signing relationships with other CAs. And report back here with a public-facing summary of your findings and any resolutions.

1) Bug #1815355 - Asseco Data Systems cross-signed a non-EV SSL.com root, mistakenly making it EV-capable -- [lessons learned](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/r-BXhsxFKUc/m/1QCZypVEAwAJ)
2) Bug #1801345 - Breach of e-Tugra systems that were reselling certificates through a branded intermediate certificate operated by SSL.com.
3) [Discussion in MDSP](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/heXVr8o83Ys/m/4ud8GnssAQAJ) - SSL.com discovered that reseller QUANTUM CA LIMITED had dissolved on November 1, 2022, and not notified SSL.com.

I will wait for a report of your results before making a determination about this root inclusion request.