January 2018 CA Communication

ACTION 1: Disclose Use of Methods 3.2.2.4.9 or 3.2.2.4.10 for Domain Validation

On 9-January, the CA “Let’s Encrypt” disclosed a vulnerability in the ACME domain validation methods known as TLS-SNI-01 and TLS-SNI-02, which are implementations of the more general method described in Baseline Requirements 3.2.2.4.10. A subsequent vulnerability was disclosed on 11-January affecting the validation method described in BR 3.2.2.4.9. Mozilla expects all CAs to be monitoring discussion in the mozilla.dev.security.policy forum, and expects any CA that employs either of these methods to disclose that fact on the list. From now on, Mozilla expects that CAs will not use these methods unless they have implemented and disclosed a mitigation for the vulnerabilities that have been discovered. Please select the correct response for your CA:
CA Owner | Response | ACTION 1 Comments
AC Camerfirma, S.A. | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
Actalis | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
Amazon Trust Services | Other (please describe below) | We do not use these methods.
Asseco Data Systems S.A. (previously Unizeto Certum) | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
Atos | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
Autoridad de Certificacion Firmaprofesional | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
Buypass | We have disclosed our use of these methods of domain validation on the mozilla.dev.security.policy forum and have either stopped using them or implemented and disclosed a mitigation for the vulnerabilities that have been discovered. |
Certicámara | None of our root(s) are enabled for websites (SSL) in Mozilla products. |
Certinomis / Docapost | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
China Financial Certification Authority (CFCA) | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
Chunghwa Telecom | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. | We do not use these methods of domain validation that are not described in our CPS.
ComSign | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. | We didn’t issue any SSL certificate in the last few years; therefore we currently do not have any valid SSL certificate issued. We have updated our CPS and now those problematic methods are removed from our CPS.
Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
Cybertrust Japan / JCSI | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
D-TRUST | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
Dhimyotis / Certigna | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
DigiCert | Other (please describe below) | While we have used method 3.2.2.4.9 in selective cases for IP validation in the past, we are no longer using this method and plan to remove this capability from our user interface/systems. We also plan to remove both methods from our CP/CPS to align with these findings and decision.
Disig, a.s. | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
DocuSign (OpenTrust/Keynectis) | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
E-Tugra | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
EDICOM | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
Entrust | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. | No comments
Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) | Other (please describe below) | We have never used these methods, and as required by the Mozilla Root Store Policy 2.5, GDCA has specified in its CP/CPS the domain validation methods it currently employs, and 3.2.2.4.9 and 3.2.2.4.10 are not part of those methods.
GlobalSign | We have disclosed our use of these methods of domain validation on the mozilla.dev.security.policy forum and have either stopped using them or implemented and disclosed a mitigation for the vulnerabilities that have been discovered. |
GoDaddy | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. | We do not use 3.2.2.4.10.
Google Trust Services LLC (GTS) | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. | Google Trust Services has never used the Methods 3.2.2.4.9 or 3.2.2.4.10. For clarity purposes we are currently updating our CP/CPS to remove methods which are permissible under the Baseline Requirements but are not actually in use.
Government of Hong Kong (SAR), Hongkong Post, Certizen | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) | Other (please describe below) | We do not use these methods.
Government of Taiwan, Government Root Certification Authority (GRCA) | Other (please describe below) | We have never used these methods and our CP/CPS states what kind of methods we use.
Government of The Netherlands, PKIoverheid (Logius) | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
HARICA | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
IdenTrust Services, LLC | Other (please describe below) | IdenTrust does not use either of those two methods to confirm an applicant’s control over the FQDN.
Internet Security Research Group (ISRG) | We have disclosed our use of these methods of domain validation on the mozilla.dev.security.policy forum and have either stopped using them or implemented and disclosed a mitigation for the vulnerabilities that have been discovered. | As disclosed on m.d.s.p., we have disabled TLS-SNI by default for Let's Encrypt subscribers. We have whitelisted a small number of large subscribers for TLS-SNI; we believe these subscriber systems do not violate the assumptions behind TLS-SNI validation, and thus are not at risk. We will phase out our whitelist and discontinue all use of TLS-SNI as soon as reasonably possible. We are also allowing certificate renewals via TLS-SNI to allow client software and subscriber systems time to transition to another method.
Izenpe S.A. | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
Krajowa Izba Rozliczeniowa S.A. (KIR) | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
LuxTrust | We have disclosed our use of these methods of domain validation on the mozilla.dev.security.policy forum and have either stopped using them or implemented and disclosed a mitigation for the vulnerabilities that have been discovered. |
Microsec Ltd. | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
NetLock Ltd. | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
QuoVadis | Other (please describe below) | Our CPS does not allow 3.2.2.4.10. Our CPS currently allows 3.2.2.4.9, but we do not have currently valid certificates issued using this method, and will disallow use of the method pending mitigation for the discovered vulnerabilities.
SECOM Trust Systems CO., LTD. | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
SK ID Solutions AS | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
SSL.com | Other (please describe below) | Our CP/CPS (version 1.3) allows for use of these methods. However, we have never employed either method as part of certificate issuance, and shall only employ these methods with appropriate mitigation for the known vulnerabilities of each method.
Sectigo | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
SecureTrust | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
SwissSign AG | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
Swisscom (Switzerland) Ltd | None of our root(s) are enabled for websites (SSL) in Mozilla products. |
T-Systems International GmbH (Deutsche Telekom) | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
Taiwan-CA Inc. (TWCA) | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
Telia Company (formerly TeliaSonera) | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. | NA
TrustCor Systems | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
Trustis | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
Visa | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
WISeKey | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
Web.com | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |
certSIGN | We have never used these methods and our CP/CPS states that we do not use these methods of domain validation. |