November 2017 CA Communication

ACTION 4: Work with your auditors to make sure you are getting full period-of-time audits (with no time gaps) and that your audit statements contain all of the required information. It is your responsibility, as the CA, to ensure that you have the appropriate audits performed and receive public-facing audit statements that meet Mozilla's requirements.

As stated in Mozilla’s April 2017 CA Communication and Mozilla’s Root Store Policy audit statements/letters must meet the following requirements or Mozilla will reject the audit statements. These requirements apply to ETSI and WebTrust audit statements. CAs without proper and current audit statements will be put on notice and potentially removed from Mozilla’s Root Store. Additionally, audit statements must be provided in English from now on.

As a reminder, here is what Mozilla’s Root Store Policy says:

“Full-surveillance period-of-time audits MUST be conducted and updated audit information provided no less frequently than annually. Successive audits MUST be contiguous (no gaps). .... The publicly-available documentation relating to each audit MUST contain at least the following clearly-labelled information:
- name of the company being audited;
- name and address of the organization performing the audit;
- Distinguished Name and SHA256 fingerprint of each root and intermediate certificate that was in scope;
- audit criteria (with version number) that were used to audit each of the certificates;
- a list of the CA policy documents (with version numbers) referenced during the audit;
- whether the audit is for a period of time or a point in time;
- the start date and end date of the period, for those that cover a period of time;
- the point-in-time date, for those that are for a point in time;
- the date the report was issued (which will necessarily be after the end date or point-in-time date); and
- For ETSI, a statement to indicate if the audit was a full audit, and which parts of the criteria were applied, e.g. DVCP, OVCP, NCP, NCP+, LCP, EVCP, EVCP+, QCP-w, Part1 (General Requirements), and/or Part 2 (Requirements for trust service providers).”

The above listed information MUST be provided by the auditor in each audit statement or its accompanying letter. If the information is provided in an accompanying letter, then the PDF file that is submitted to Mozilla must contain BOTH the audit statement and the letter.

Please indicate your CA’s understanding that each audit statement/letter provided to Mozilla must be in English and must meet the requirements of Mozilla’s Root Store Policy, specifically stating the information listed above. Otherwise Mozilla will reject the audit statement, and put the CA on notice for being out of compliance, which may result in the CA’s root certificate(s) being removed from our program.

ACTION 4 COMMENTS: Use this space to express concern or qualifications about your response regarding content that MUST be included in audit statements/letters.

CA Owner, Response (ACTION 4), Response (ACTION 4 COMMENTS)
AC Camerfirma, S.A. Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Actalis Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Amazon Trust Services Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Asseco Data Systems S.A. (previously Unizeto Certum) Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Atos Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Autoridad de Certificacion Firmaprofesional Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Buypass Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Certicámara Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program. We will require to our audit reviewer that the future audit statements will include the distinguished name, serial number, issuer name, validity and SHA-256 fingerprint for each root and intermediate certificate that was in scope of the audit, also to include literally the review of the applicable standards to our hierarchy, in the understanding that we only issue certificates with Email trust bit enabled - Email (S/MIME).
Certinomis / Docapost Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
China Financial Certification Authority (CFCA) Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Chunghwa Telecom Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program. In the audit statement of this year, we included distinguished name, serial number, Issuer Name and SHA-1 fingerprint of each root and intermediate certificate that was in scope. Next year, our audit statement will include the distinguished name, serial number, issuer name, validity and SHA-256 fingerprint for each root and intermediate certificate that was in scope of the audit.
ComSign Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Cybertrust Japan / JCSI Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program. Audit statement we provided last time contains no SHA256 fingerprint of our root. We will conduct next audit by March 31, 2018, and make the audit statements include the SHA256 fingerprint.
D-TRUST Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program. We recommend to use the new audit template from TUVIT as mandatory for ETSI based audits.
Deutscher Sparkassen Verlag GmbH (S-TRUST, DSV-Gruppe) Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Dhimyotis / Certigna Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
DigiCert Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program. Distinguished Names of CAs issued at the time of our last annual audit (period ending March 31, 2017) were listed in that audit. The SHA256 fingerprint of each root and intermediate certificates that were in scope of the audit were not listed in the audit attestation letter or the audit statement for such audit. It will be added in future WebTrust for CAs audit documentation (April 2018).
Disig, a.s. Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
DocuSign (OpenTrust/Keynectis) Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
E-Tugra Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
EDICOM Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Entrust Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program. No comments.
Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program. We will work with our auditor to make sure that our audit statements contain all of the above required information.
GlobalSign Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program. GlobalSign's current audit statement lists SHA-1 Thumbprint instead of SHA256 Thumbprint. We have SHA-256 Thumbprint ready to be submitted to External Auditors for period ending March 31 2018 and have communicated above requirements to external auditor. "Distinguished Name and SHA256 fingerprint of each root and intermediate certificate that was in scope;" SHA-1 Thumbprint only
GoDaddy Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Google Trust Services LLC (GTS) Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program. The audit statements of Google Trust Services comply with the above statement requirements with the exception of the SHA256 fingerprints. We will instruct our auditors to include them in all future reports they issue to us.
Government of Hong Kong (SAR), Hongkong Post, Certizen Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Government of Taiwan, Government Root Certification Authority (GRCA) Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program. Some CAs that did not issue SSL certificates only provide the audit statements in Chinese this year. Next year, we will provide all in English.
Government of The Netherlands, PKIoverheid (Logius) Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
HARICA Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
IdenTrust Services, LLC Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Internet Security Research Group (ISRG) Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Izenpe S.A. Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Krajowa Izba Rozliczeniowa S.A. (KIR) Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
LuxTrust Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program. Our audit attestation letter contains this information except SHA-2 fingerprint since last annual was performed before the current requirements. SHA-2 fingerprint will be included in the next attestation letter.
Microsec Ltd. Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program. Our new attestation letters fulfil the above requirements.
NetLock Ltd. Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program. I requested our auditor company to review the statement. The company will issue a fixed statement. (Intermediate and Root Certificate and CRL URLs were in the audit statement, instead of fingerprints.)
OISTE Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program. Current audit reports include only the SHA-1 Fingerprint, we'll ensure that the SHA-256 one is included in any future report, and we'll also update the CPS to reflect these details.
QuoVadis Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
SECOM Trust Systems CO., LTD. Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
SK ID Solutions AS Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
SSL.com Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Sectigo Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
SecureTrust Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
SwissSign AG Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Swisscom (Switzerland) Ltd Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program. Swisscom will provide audit confirmations with the required information. Please note that, as Swisscom discontinued the issuing of website certificates and now falls under the new policy requirements for e-mail issuing CAs (added just before November 2017 communication in Root Store Policy), the periodicity of the provided audit statements will change from August-August to (probably) November-November. The resulting gap is due to the change in policy, as for a time, there was no requirement to provide audit statements for CAs issuing e-mail certificates.
T-Systems International GmbH (Deutsche Telekom) Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Taiwan-CA Inc. (TWCA) Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Telia Company (formerly TeliaSonera) Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
TrustCor Systems Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Trustis Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
TurkTrust Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Visa Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.
Web.com Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program. In our 2017 audit period statement we included SHA-1 fingerprint but this year will include SHA-256 fingerprint for each root and intermediate in scope of the audit. We also understand the submission is required 90 days within the final audit period.
certSIGN Check here to confirm that your CA understands that audit statements that are not in English and do not contain all of the above listed information will be rejected by Mozilla, and may result in the CA’s root certificate(s) being removed from our program.