November 2017 CA Communication

ACTION 1: Review version 2.5 of Mozilla's Root Store Policy. Changes that most likely require CA action:
  • Additional requirements were added for intermediate certificates that are used to sign certificates for S/MIME. In particular, such intermediate certificates must be name constrained in order to be considered technically-constrained and exempt from being audited and disclosed in the Common CA Database. By April 15, 2018, all intermediate certificates (that chain up to root certificates included in Mozilla's program) that are capable of issuing S/MIME certificates but are not name constrained must be either audited and disclosed in the Common CA Database, or be revoked. As of November 15, 2017, CAs must name-constrain all new intermediate certificates that are capable of issuing S/MIME certificates, or those intermediate certificates must be audited and disclosed in the Common CA Database. See Section 3.1.2 of Mozilla's Root Store Policy for details about required audits.
  • Clarified the information that must be provided in each audit statement , including the distinguished name and SHA-256 fingerprint for each root and intermediate certificate in scope of the audit.
  • Our policy on root certificates being transferred from one organization or location to another has been updated and included in the main policy. Trust is not transferable; Mozilla will not automatically trust the purchaser of a root certificate to the level it trusted the previous owner.
Changes that are clarification of previously expected practice or policy:
  • CAs are required to follow industry best practice for securing their networks, for example by conforming to the CA/Browser Forum’s Network Security Guidelines or a successor document.
  • CAs are required to use only those methods of domain ownership validation which are specifically documented in the CA/Browser Forum’s Baseline Requirements version 1.4.1.
  • Clarified that point-in-time audit statements do not replace the required period-of-time assessments. Mozilla continues to require full-surveillance period-of-time audits that must be conducted annually, and successive audit periods must be contiguous.
  • CAs are required to follow and be aware of discussions in the mozilla.dev.security.policy forum, where Mozilla's root program is coordinated, although they are not required to participate.
  • CAs are required at all times to operate in accordance with the applicable Certificate Policy (CP) and Certificate Practice Statement (CPS) documents, which must be reviewed and updated at least once every year.
Please confirm that you have reviewed version 2.5 of Mozilla's Root Store Policy, and that your CA's practices and CP/CPS documents are fully compliant with this version of Mozilla's Root Store Policy.
ACTION 1 COMMENTS Use this space to express concern or qualification about your CA's full compliance with version 2.5 of Mozilla's Root Store Policy.

CA Owner Response Response
AC Camerfirma, S.A. We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. Before February 1, 2018 we will publish a new version of our CPS fully compliant with version 2.5 of Mozilla's Root Store Policy
Actalis We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below.
Amazon Trust Services We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. We have made all necessary changes to our practices to be in compliance with version of Mozilla's Root Store Policy. We will have our documents updated by the end of Feb 2018.
Asseco Data Systems S.A. (previously Unizeto Certum) We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
Atos We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
Autoridad de Certificacion Firmaprofesional We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. Our target date is Jan/31/2018.
Buypass We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. The CP/CPS documents will be updated by March 1th 2018.
Certicámara We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. We will make all necessary changes to our practices to be in compliance with version of Mozilla's Root Store Policy 2.5. We will have our documents updated by the end of June 2018. We only want the Email trust bit enabled for our new root cert and it's hierachy, that were issued to use SHA256, so we review with Mozilla, that the BR Self-Assessment does not apply, the trust bits we are requesting is only Email (S/MIME).
Certinomis / Docapost We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible : End of January 2018.
China Financial Certification Authority (CFCA) We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
Chunghwa Telecom We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy. In past years, our audit statement included the distinguished name, serial number, issuer name, validity and SHA-1 fingerprint for each root and intermediate certificate that was in scope of the audit. Next year, our audit statement will include the distinguished name, serial number, Issuer Name, validity and SHA-256 fingerprint for each root and intermediate certificate that was in scope of the audit.
ComSign We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. Our target date is Feb/15/2018.
Cybertrust Japan / JCSI We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. Our publicly-available document relating to each audit contains SHA-1 fingerprint, but does not contain SHA256 fingerprint of our JCSI root. We will update the document by January 31, 2018.
D-TRUST We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. Our CA’s practices are fully compliant with the version 2.5 of Mozilla’s Root Store Policy. There is still room for improvement in our CP/CPS documents (e.g. Creative Commons license). We will upload a more recent version of CP/CPS in March 2018 at the latest.
Deutscher Sparkassen Verlag GmbH (S-TRUST, DSV-Gruppe) We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy. Most of version 2.5 of Mozilla's Root Store Policy does not apply anymore, since we do NOT issue new certificates (neither end-entity nor CA certificates). For all previously issued certificates we did and still do comply.
Dhimyotis / Certigna We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
DigiCert We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
Disig, a.s. We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
DocuSign (OpenTrust/Keynectis) We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
E-Tugra We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below.
EDICOM We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
Entrust We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. The Entrust and AffirmTrust CPS documents will be updated by 31 May 2018 to address the folloiwng Mozilla policy sections: 2.1 - update to reference Network Security Guidelines, multi-factor authentication and information reuse policy 2.2 - state specific domain validation procedures 3.2 - update auditor qualifications 5.1.1 - although Entrust/AffirmTrust do not issue SHA-1 certificates, update for clarity 5.2 - update to reference public key exponent requirements 5.3.2 - update to define disclosure of subordinate CAs using CCADB 6 - state frequency of the issuance of OCSP responses
Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy. Our current audit statementsprovided CN and SHA-1 fingerprints for the intermediate certificates. We will work with our auditor and provide distinguished names and SHA-256 fingerprints for the intermediate certificates within the audit scope in the next audit statements.
GlobalSign We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. Target date is January 31 2018
GoDaddy We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
Google Trust Services LLC (GTS) We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
Government of Hong Kong (SAR), Hongkong Post, Certizen We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. We are translating the S/Mime policies. Our deadline is February 28, 2018.
Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. Publicy-available documents will be updated in early February 2018
Government of Taiwan, Government Root Certification Authority (GRCA) We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy. In the audit statement of this year, we included SHA-1 fingerprint of each root and intermediate certificate that was in scope. Next year, our audit statement will include the distinguished name and SHA-256 fingerprint for each root and intermediate certificate that was in scope of the audit.
Government of The Netherlands, PKIoverheid (Logius) We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy. We use methods of domain ownership validation which are specifically documented in the CA/Browser Forum’s Baseline Requirements version 1.5.2 ( We updated our domain ownership validation methods according to Ballot 190 which has effective date on 19 October 2017.). Since we are a Government CA, our audit is conducted by Regulation Body of Government. They conform with the ETSI audit requirements. There is no gap between our subsequent audit reports.
HARICA We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
IdenTrust Services, LLC We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. Both IdenTrust TrustID and ACES SSL/TLS certificates are compliant with Mozilla’s Root Store Policy Ver 2.5 but the Policy documents are missing updates to reflect that fact. We expect to publish approved updated Policy documents for both programs no later than January 31, 2018
Internet Security Research Group (ISRG) We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
Izenpe S.A. We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
Krajowa Izba Rozliczeniowa S.A. (KIR) We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. The CP/CPS documents will be updated by March 1th 2018.
LuxTrust We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy. The current CP, CPS are fully compliant with Mozilla's Root Store Policy
Microsec Ltd. We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. Our present practice is fully compliant with the version 2.5 of Mozilla1s Root Store policy, but we need to have the exact reference to these sections in the Baseline Requirements in our CPS document. We validate the Domain Authorization on the following way: In each case we validate the Applicant (natural person) who is the domain owner himself or the authorized representative of the domain owner registered in the DNS record according to the BR ver 1.4.1 section 3.2.2.4.1 We confirm the Applicant's control over the requested FQDN by relying on a Domain Authorization Document according to the BR ver. 1.4.1 section 3.2.2.4.5 We are not using other types of validation methods. The next version of our public documents will contain the exact reference to these BR sections which will be issued by 2018-09-30.
NetLock Ltd. We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy. I requested our auditor company to review of the statement. The company will issue fixed statement. (Intermediate and Root Certificate and Crl urls were in the audit statement, instead not fingerprints.)
OISTE We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. We need to improve the CPS to reflect the requirements for name constraints on CAs issuing S/MIME (ETA January 2018). We'll ensure compliance with the program on the April 2018 deadline.
QuoVadis We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
SECOM Trust Systems CO., LTD. We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. Our current public audit statement provides the SHA-1 fingerprint(thumbprint) linked our repository site. We will make an arrangement with our auditor to provide the SHA256 fingerprint of each root and intermediate certificate within the audit scope in the next audit statements. The audit will be held in June.
SK ID Solutions AS We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
SSL.com We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
Sectigo We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
SecureTrust We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
SwissSign AG We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
Swisscom (Switzerland) Ltd We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. With this November communication Mozilla has extended the scope of the Root Store Policy to include also certificates that are able to issue email certificates. This extension is currently not yet reflected in all Swisscom CP/CPS. We are currently working to fulfil the new requirements for CAs issuring email certificates and target to have updated CP/CPS and required audits statements by Q1/2018. Swisscom plans to provide an audit statement for all not technically constaint according to chapter 5.3.2 of the Root Store Policy. All our current certificates have already been disclosed.
T-Systems International GmbH (Deutsche Telekom) We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. We will update the CP/CPS documents until 05/01/2018. We will disclose and audit the technically constrained Sub-CA certificates "Deutsche Telekom AG Issuing CA 01" SN = 0x22c58380932feee6 and "Deutsche Telekom AG Issuing CA 01" SN = 0xeedb860e523b2e43 until May 2018.
Taiwan-CA Inc. (TWCA) We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
Telia Company (formerly TeliaSonera) We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. Telia will resign by April 15, 2018 one sub-CA that currently is capable to sign certificates for S/MIME but isn't enrolling those. By removing S/MIME capability Telia can keep this sub-CA as non-disclosed sub-CA. It is used to create only Client auth Certificates for special purposes. Telia has added couple of other SMIME sub-CAs to CCADB which weren't previously there before this new requirement.
TrustCor Systems We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
Trustis We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy. We have reviewed version 2.5 of Mozilla's Root Store Policy and understand that it is currently applicable. Whilst currently compliant we will be making changes to the CP/CPS documents to reflect the change of ownership ownership of the the PKI by a new corporate entity.
TurkTrust We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
Visa We have reviewed version 2.5 of Mozilla's Root Store Policy, and the current version of our CP/CPS documents are fully compliant with this version of the policy.
Web.com We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. The CP/CPS documents will be updated by March 1, 2018. The SHA2 fingerprint will be included for each root and intermediate in the next audit statement.
certSIGN We have reviewed version 2.5 of Mozilla's Root Store Policy, and understand that it is currently applicable. We will make necessary changes to our CA's practices and CP/CPS documents as soon as possible. -- Indicate target dates below. We will make necessary changes to our CPS until 31 March 2018.