[Servercert-wg] Suspension of TrustCor Systems

Aaron Gable aaron at letsencrypt.org
Sat Jun 29 05:08:41 UTC 2024


Per the Server Certificate Working Group Charter
<https://cabforum.org/working-groups/server/charter/>, Section 5(c),
membership of a Certificate Issuer is suspended if the issuer is no longer
trusted by any Certificate Consumer member of the group, or if 15 months
have elapsed since the end of its last audit period.

TrustCor was distrusted by Microsoft effective 2022-11-01
<https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/NxbhuW-4CgAJ>,
by Mozilla effective 2022-11-30
<https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ>,
and by Chrome effective 2023-03-07
<https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/PKpJf5W6AQAJ>.
I don't have in-depth knowledge of the trust store contents of this group's
seven other Certificate Consumer members (360, Apple, Brave, Cisco, Comodo,
Opera, and Qikfox), but I suspect that they either never trusted TrustCor's
roots or have subsequently followed suit.

Regardless of TrustCor's root program inclusion status, their last audit
report <https://trustcor.com/static/webtrust/TrustCor-CA-Report-2022.pdf>
disclosed
in CCADB covered a period ending 2022-11-15. (Also, their last disclosed
audit report URL now 404s.) Fifteen months from that date was 2024-02-15.

Thus, I believe TrustCor's membership in this Working Group (and perhaps in
the forum as a whole, depending on other WG membership criteria) should be
suspended.

Thank you,
Aaron
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240628/74ebe476/attachment.html>


More information about the Servercert-wg mailing list