March 2016 CA Communication

ACTION #4: In the process of implementing mozilla::pkix, a number of compatibility issues were encountered involving certificates that did not conform to the CA/Browser Forum's Baseline Requirements. To maintain interoperability, some workarounds were added to allow these malformed or improper certificates to validate successfully. However, to improve the state of the web PKI we plan to remove these workarounds, so certificates with these problems will not validate successfully. Please check your systems to see if you are issuing certificates with any of the problems listed below. Select all of the issues in the list below that exist in certificates that chain to your root certificates included in Mozilla's CA Certificate Program that are currently valid or being issued. Update your systems to stop such issuance by June 30, 2016. The Bug Numbers below refer to Bugzilla Bugs.

CA Owner / Response
(a) id-Netscape-stepUp in Extended Key Usage extension instead of id-kp-serverAuth. Workaround to be removed in Bug #982932.
(b) DER: default value of OPTIONAL BOOLEAN explicitly encoded. Workaround to be removed in Bug #989518.
(c) DER: pathLenConstraint included when cA:False. Workaround to be removed in Bug #985025.
(d) Subject CN name information (if present) does not have a corresponding iPAddress or dNSName entry in the subjectAltName extension. Workaround to be removed in Bug #1245280.
(e) Non-PrintableString/UTF8String in DNs. Workaround to be removed in Bug #1256071.
(f) nameConstraints/subjectAlternativeName encoding mismatches. Workaround to be removed in Bug #1256073.
(g) Empty SEQUENCE in OCSP responses. Workaround to be removed in Bug #997994.
(h) keyUsage lacking keyEncipherment for certs with RSA keys. Workaround to be removed in Bug #970760; telemetry to be added in Bug #1133562.
(i) None of the above
Grand Total (responses per item): (a) 1, (b) 3, (c) 0, (d) 8, (e) 6, (f) 0, (g) 1, (h) 1, (i) 45
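For a CA checking its own issuance pipeline against items (b), (c) and (e), the following added example (not code from Mozilla, from mozilla::pkix, or from any of the responding CAs) shows what those three DER-level problems look like in the raw extension and Name bytes and how to detect them without a full X.509 library. It carries its own minimal DER TLV parser; the BasicConstraints values and the Name at the bottom are constructed for the example, and the function names are the example's own. The item (e) check applies the item's wording literally (any string type other than PrintableString or UTF8String is reported), so a production linter would also exempt attributes whose ASN.1 type is not DirectoryString, such as emailAddress and domainComponent, which are IA5String.

```python
# Added example: detects three of the Action #4 encoding problems directly in
# raw DER bytes, with a small TLV parser of its own (no X.509 library needed).
# Sample values below are constructed for this example, not taken from any CA.

BOOLEAN, INTEGER, OID, UTF8_STRING = 0x01, 0x02, 0x06, 0x0C
PRINTABLE_STRING, TELETEX_STRING = 0x13, 0x14
SEQUENCE, SET = 0x30, 0x31


def read_tlv(data: bytes, pos: int):
    """Decode one DER TLV starting at `pos`; return (tag, value, next_pos).

    Handles single-byte tags and short/long definite lengths. Indefinite
    length (0x80) is BER, not DER, and is rejected.
    """
    tag = data[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not handled")
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated TLV")
    return tag, data[pos:end], end


def read_children(body: bytes):
    """Split the value of a constructed type into its (tag, value) children."""
    children, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        children.append((tag, value))
    return children


def check_basic_constraints(der: bytes):
    """Return the Action #4 labels that apply to a BasicConstraints extnValue.

    BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
                                    pathLenConstraint INTEGER OPTIONAL }
    (b): cA is FALSE but encoded anyway (DER forbids encoding DEFAULT values).
    (c): pathLenConstraint is present although cA is FALSE.
    """
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("BasicConstraints must be exactly one SEQUENCE")
    children = read_children(body)
    issues, is_ca, i = [], False, 0
    if i < len(children) and children[i][0] == BOOLEAN:
        value = children[i][1]
        if value == b"\x00":
            issues.append("b")          # explicit FALSE: default value encoded
        elif value == b"\xff":
            is_ca = True                # DER TRUE is exactly 0xFF
        else:
            raise ValueError("BOOLEAN content must be 0x00 or 0xFF in DER")
        i += 1
    if i < len(children) and children[i][0] == INTEGER:
        if not is_ca:
            issues.append("c")          # pathLenConstraint on a non-CA
        i += 1
    if i != len(children):
        raise ValueError("unexpected element in BasicConstraints")
    return issues


def check_dn_string_types(der_name: bytes):
    """Return (rdn_index, tag) for each DN attribute value whose string type is
    neither PrintableString nor UTF8String (item (e), applied as worded).
    """
    tag, body, end = read_tlv(der_name, 0)
    if tag != SEQUENCE or end != len(der_name):
        raise ValueError("Name must be exactly one SEQUENCE")
    findings = []
    for rdn_index, (set_tag, set_body) in enumerate(read_children(body)):
        if set_tag != SET:
            raise ValueError("each RDN must be a SET")
        for atv_tag, atv_body in read_children(set_body):
            (oid_tag, _oid), (value_tag, _value) = read_children(atv_body)
            if atv_tag != SEQUENCE or oid_tag != OID:
                raise ValueError("malformed AttributeTypeAndValue")
            if value_tag not in (PRINTABLE_STRING, UTF8_STRING):
                findings.append((rdn_index, value_tag))
    return findings


# Constructed BasicConstraints extnValues (hex), one per case:
BC_END_ENTITY_OK = bytes.fromhex("3000")             # cA absent (defaults FALSE)
BC_EXPLICIT_FALSE = bytes.fromhex("3003010100")      # (b) cA FALSE encoded
BC_PATHLEN_NO_CA = bytes.fromhex("3003020100")       # (c) pathLen 0, cA absent
BC_BOTH = bytes.fromhex("3006010100020100")          # (b) and (c) together
BC_CA_OK = bytes.fromhex("30060101ff020100")         # cA TRUE, pathLen 0: fine

# Constructed Name: C=US (PrintableString), then CN="example" as TeletexString.
DN_WITH_TELETEX = bytes.fromhex(
    "301f" "310b" "3009" "0603550406" "13025553"
    "3110" "300e" "0603550403" "14076578616d706c65"
)

if __name__ == "__main__":
    for label, sample in [("end-entity", BC_END_ENTITY_OK), ("explicit FALSE", BC_EXPLICIT_FALSE),
                          ("pathLen no cA", BC_PATHLEN_NO_CA), ("both", BC_BOTH), ("CA", BC_CA_OK)]:
        print(f"{label:15s} -> issues {check_basic_constraints(sample)}")
    print("DN findings (rdn index, tag):", check_dn_string_types(DN_WITH_TELETEX))
```

Running the block prints the issue labels for each constructed sample; in a real pipeline the two check functions would be fed the extnValue OCTET STRING contents of the basicConstraints extension and the DER-encoded subject Name of each certificate before it leaves the issuing system.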
AC Camerfirma, S.A. (e) We use PrintableString in DN, but BMPString is forced by the application when special characters are found. 200 certificates affected. We are still fixing the problem. We plan to have a solution in a couple of months and make a substitution plan.
Actalis
Amazon Trust Services
Asseco Data Systems S.A. (previously Unizeto Certum)
Atos (d) count: 1 certificate, created/valid from 12/21/2015 to 12/21/2016
Autoridad de Certificacion Firmaprofesional Although we had answered (c) and (d) in the 2015 Communication, a thorough study reveals that we have never been in the (c) situation; indeed, EJBCA does not allow the combination of ca:False and inclusion of pathLenConstraint. We have audited some certificates, old and new, and they do not include pathLenConstraint. The mistake is due to how the Microsoft certificate viewer interprets the absence of this field. On the other hand, there are 115 with the (d) issue that will be revoked by July 1st, 2016.
Buypass
Certicámara
Certinomis / Docapost
China Financial Certification Authority (CFCA)
China Internet Network Information Center (CNNIC) None
Chunghwa Telecom
ComSign
Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) All of our certificates containing non-PrintableString characters are issued with TeletexString. The last of them was issued by 30/9/2015. Therefore the last one will expire by 30/9/2019.
Cybertrust Japan / JCSI
D-TRUST
Deutscher Sparkassen Verlag GmbH (S-TRUST, DSV-Gruppe)
Dhimyotis / Certigna
DigiCert
Disig, a.s.
DocuSign (OpenTrust/Keynectis) As of 31st of March 2016, 10755 certificates are concerned by (e). Last issuance date will be 06/30/2016. Last expiration date will be 06/30/2019.
E-Tugra The following root will expire on 08/14/2016. After that date, it can be removed. Subject/Issuer: EBG Elektronik Sertifika Hizmet Sağlayıcısı Valid To: 08/14/2016 SHA1 Fingerprint: 8c 96 ba eb dd 2b 07 07 48 ee 30 32 66 a0 f3 98 6e 7c ae 58
EDICOM
Entrust For item (e), there are approximately 5000 certificates with this issue. As item (e) has not been corrected, the last issuance date could be as late as 30 June 2016 with a maximum expiry time of 30 September 2019. When item (e) is corrected, this information can be updated.
GlobalSign For (e), we do include character encodings other than PrintableString and UTF8 in DN fields. Specifically, we still allow TeletexString in the CN if the user asks for a CN encoded this way. We may also encode other DN fields with TeletexString. We posted a comment in Bugzilla asking for more info: https://bugzilla.mozilla.org/show_bug.cgi?id=1256071
GoDaddy There are 335,000 unexpired, unrevoked certificates with problem (b). The last of these expires on 5/9/2021; however, the last signed with SHA-2 expires 5/1/2019.
Government of France (ANSSI, DCSSI)
Government of Hong Kong (SAR), Hongkong Post, Certizen Will stop issuing SSL certificates without the DNSName entry in the subjectAltName extension on 1 Sep 2016.
Government of Japan, Ministry of Internal Affairs and Communications
Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV)
Government of Taiwan, Government Root Certification Authority (GRCA)
Government of The Netherlands, PKIoverheid (Logius) The use of the basic constraints extension in end entity certificates is allowed as an optional value in our system per RFC 5280 section 4.2.1.9. Several of our (externally operated) subCAs have included this value in their end entity certificates. We are currently investigating the number of certificates concerned. We are in the process of altering our CP with regard to this issue. Our new CP will be effective coming July.
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM)
HARICA
IdenTrust Services, LLC
Izenpe S.A.
Krajowa Izba Rozliczeniowa S.A. (KIR)
Microsec Ltd.
NetLock Ltd.
PROCERT
QuoVadis
RSA the Security Division of EMC
SECOM Trust Systems CO., LTD. (b) 49 certificates. Last date issued: September 24, 2014. (d) 86,575 certificates. Last date issued: December 21, 2015. Systems have been updated to prevent issuance of such certs.
SK ID Solutions AS
Sectigo (a) We've previously communicated (see Bug #982292, for example) that we have some existing intermediates with this issue. However, this seems unrelated to the workaround removal in Bug #982932, which is only for "new intermediates". (d) For IDNs, we put the U-label in the Subject CN and the A-label in the SAN dNSName. We believe that these are "corresponding", but we're aware that some folks disagree. However, this seems unrelated to the workaround removal in Bug #1245280.
SecureTrust
Start Commercial (StartCom) Ltd.
SwissSign AG
Swisscom (Switzerland) Ltd
Symantec
In Response to (d):
Root                                                          Number of certs   Last Date Issued   Last Date Expires
GeoTrust Global CA                                            323               3/24/2016          3/24/2017
VeriSign Class 3 Public Primary Certification Authority - G5  32                3/25/2015          4/3/2018
TC TrustCenter Universal CA I                                 6                 10/31/2013         10/31/2016
thawte Primary Root CA                                        43                6/12/2013          6/27/2017

In Response to (e):
Issuer Common Name                                            Count     MAX(valid start)   MAX(valid end)
GeoTrust EV SSL CA - G4                                       13337     31-Oct-15          31-Oct-17
GeoTrust Extended Validation SHA256 SSL CA                    1047      31-Mar-16          31-May-18
GeoTrust SHA256 SSL CA                                        1332      31-Mar-16          31-May-18
GeoTrust SSL CA - G3                                          10740     31-Mar-16          31-Oct-17
GeoTrust DV SSL CA - G3                                       145       31-Mar-16          31-Mar-19
GeoTrust DV SSL SHA256 CA                                     27        31-Mar-16          31-Mar-19
Symantec Class 3 DSA SSL CA                                   1         18-Mar-16          18-Mar-17
Symantec Class 3 ECC 256 bit EV CA - G2                       16        26-Oct-15          31-Aug-16
Symantec Class 3 ECC 256 bit Extended Validation CA           16        30-Jun-15          31-Aug-16
Symantec Class 3 ECC 256 bit SSL CA                           5         28-Jan-16          26-Jan-17
Symantec Class 3 ECC 256 bit SSL CA - G2                      3         29-Mar-16          28-May-17
Symantec Class 3 EV SSL CA - G3                               12397     31-Oct-15          31-Oct-17
Symantec Class 3 Extended Validation SHA256 SSL CA            387       31-Mar-16          31-Oct-16
Symantec Class 3 Secure Server CA - G4                        17058     31-Mar-16          31-Oct-17
Symantec Class 3 Secure Server SHA256 SSL CA                  651       31-Mar-16          31-May-18
thawte EV SSL CA - G3                                         5158      31-Oct-14          31-Oct-17
thawte Extended Validation SHA256 SSL CA                      502       31-Mar-16          31-May-18
thawte SHA256 SSL CA                                          1752      31-Mar-16          31-May-18
thawte SSL CA - G2                                            7375      31-Mar-16          31-May-19
thawte DV SSL CA - G2                                         12577     31-Mar-16          31-Oct-18
thawte DV SSL SHA256 CA                                       3536      31-Mar-16          31-May-19
T-Systems International GmbH (Deutsche Telekom) the problem [(g) Empty SEQUENCE in OCSP responses. Workaround to be removed in Bug #997994] will be fixed by June 02, 2016.
Taiwan-CA Inc. (TWCA)
Telia Company (formerly TeliaSonera) (d) We stopped this a few years ago. We need more time, up to 06/30/2016, to find the details.
Trend Micro
Trustis (h) KeyUsage will be added to all Certificates with effect from 05/30/2016.
TurkTrust
Visa
WISeKey After verification, we aren't aware of any such problems.
Web.com For IDNs we put the U-label in the Subject CN and the A-label in the SAN dNSName.
Wells Fargo Bank N.A.
WoSign CA Limited
certSIGN