September 2018 CA Communication

ACTION 2: Update CP/CPS Ensure that your CP/CPS complies with the following requirements that were added to version 2.6.1 of Mozilla’s Root Store Policy: * Section 2.2 “Validation Practices” now requires CAs with the Mozilla email trust bit to clearly disclose their email address validation methods in their CP/CPS. * Methods used for IP Address validation must now be clearly specified in your CP/CPS. * The use of BR validation method 3.2.2.5(4), the “any other method” for IP addresses, has been banned for validating a domain name under 3.2.2.4(8). If your CP/CPS specifies the use of IP address validation method 3.2.2.5(4) “any other method”, please make it clear that it will not be used in conjunction with domain validation method 3.2.2.4(8) “IP Address”.
ACTION 2 COMMENTS

CA Owner Response Response
AC Camerfirma, S.A. Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy AC Camerfirma's CPSs complies with the requirements but we will disclose new versions clarifying these points (before 2018-10-31)
Actalis Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
Amazon Trust Services Our CP/CPS will be updated to comply with version 2.6.1 of Mozilla’s Root Store Policy in the near future (enter date below) We will update our CP/CPS to reflect this by Dec 31, 2018
Asseco Data Systems S.A. (previously Unizeto Certum) Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
Atos Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
Autoridad de Certificacion Firmaprofesional Our CP/CPS will be updated to comply with version 2.6.1 of Mozilla’s Root Store Policy in the near future (enter date below) We plan to update our CP/CPS to comply the email address validation requirements during Q1 2019. Regarding the IP address validations, we don't use them by now.
Buypass Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
Certinomis / Docapost Our CP/CPS will be updated to comply with version 2.6.1 of Mozilla’s Root Store Policy in the near future (enter date below) A new certificate policy will be published after the next eIDAS audit (planned in december 2018) so by the beginning of 2019.
China Financial Certification Authority (CFCA) Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
Chunghwa Telecom Our CP/CPS will be updated to comply with version 2.6.1 of Mozilla’s Root Store Policy in the near future (enter date below) Our CPS has already described our email validation methods in section 3.2.5 since 2015. We don't use IP address validation method 3.2.2.5(4) and 3.2.2.4(8) “IP Address”in BR, so we don't state these methods in our CPS. We consider to update our CPS to clarify that we do not issue SSL certificates containing IP address in SANs.If we do so, the target date will be before November 30, 2018.
ComSign Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) Our CP/CPS will be updated to comply with version 2.6.1 of Mozilla’s Root Store Policy in the near future (enter date below) A new certificate policy will be published after the next internal review period, so the new CP/CPS will be released by the beginning of 2019. We do not issue certificates which contain IP addresses as validation information, therefore there are no validation methods which are relevant to this.
Cybertrust Japan / JCSI Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
D-TRUST Our CP/CPS will be updated to comply with version 2.6.1 of Mozilla’s Root Store Policy in the near future (enter date below) We will have the CP/CPS updated by 2018/12/01.
Dhimyotis / Certigna Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
DigiCert Our CP/CPS will be updated to comply with version 2.6.1 of Mozilla’s Root Store Policy in the near future (enter date below) Our CP/CPS will be updated and published prior to October 31, 2018, to reflect the new changes.
Disig, a.s. Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy Email address validation methods is described in the chapter 4.2.1
DocuSign (OpenTrust/Keynectis) Our CP/CPS will be updated to comply with version 2.6.1 of Mozilla’s Root Store Policy in the near future (enter date below) We plan to update the CP/CPS by 12/31/18.
E-Tugra Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
EDICOM Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
Entrust Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
GlobalSign Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
GoDaddy Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
Google Trust Services LLC (GTS) Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
Government of Hong Kong (SAR), Hongkong Post, Certizen Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy Note that Hongkong Post CA has not enabled the Mozilla's email trust bit.
Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
Government of Taiwan, Government Root Certification Authority (GRCA) Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
Government of The Netherlands, PKIoverheid (Logius) Our CP/CPS will be updated to comply with version 2.6.1 of Mozilla’s Root Store Policy in the near future (enter date below) Will be implemented in the next version of our CP and CPS (publication date due February 1, 2019).
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
HARICA Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
IdenTrust Services, LLC Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
Internet Security Research Group (ISRG) Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
Izenpe S.A. Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
Krajowa Izba Rozliczeniowa S.A. (KIR) Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
LuxTrust Our CP/CPS will be updated to comply with version 2.6.1 of Mozilla’s Root Store Policy in the near future (enter date below) 31-10-2018 Currently we do not issue any SSL/EV SSL certificate and we are not planning to issue such certificates in the near future since we are not recognized yet by Apple.
Microsec Ltd. Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
NetLock Ltd. Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
OISTE Our CP/CPS will be updated to comply with version 2.6.1 of Mozilla’s Root Store Policy in the near future (enter date below) We could need to do minor changes related to IP address validation. Target date for CPS review: Mid October 2018
QuoVadis Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
SECOM Trust Systems CO., LTD. Our CP/CPS will be updated to comply with version 2.6.1 of Mozilla’s Root Store Policy in the near future (enter date below) We will update our CP/CPS before 12/31/2018.
SK ID Solutions AS Other (please describe below) This is not applicable as SK no longer issues TLS Server Certificates.
SSL.com Our CP/CPS will be updated to comply with version 2.6.1 of Mozilla’s Root Store Policy in the near future (enter date below) Our current CP/CPS is version 1.4. We intend to approve and publish version 1.5, incorporating the above changes, no later than November 15 2018. Our current CP/CPS does describe email address validation methods (3.2.2.9) but we will take this opportunity to further detail this process in the upcoming version. Our current CP/CPS currently allows 3.2.2.5 (4). However, we do not employ (or intend to employ) this method and shall remove it in the upcoming version.
Sectigo Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
SecureTrust Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy Our CPS already describes our email validation methods in section 3.2.3.4. We intend to update our CPS on October 1, 2018 to clarify that we do not issue certificates containing IP address SANs.
SwissSign AG Our CP/CPS will be updated to comply with version 2.6.1 of Mozilla’s Root Store Policy in the near future (enter date below) The CP/CPS will reflect version 2.6.1 end of October 2018, with the exception of subscriber key generation. Latest End of December 2018, we have ensured that in all cases (TLS Server Certificates), also in the RA delegation cases, the subject key generation is done by the client (subscriber).
Swisscom (Switzerland) Ltd Our CP/CPS will be updated to comply with version 2.6.1 of Mozilla’s Root Store Policy in the near future (enter date below) 10.12.2018
T-Systems International GmbH (Deutsche Telekom) Our CP/CPS will be updated to comply with version 2.6.1 of Mozilla’s Root Store Policy in the near future (enter date below) The CP/CPS with the relevant contents will be published by mid December 2018.
Taiwan-CA Inc. (TWCA) Our CP/CPS will be updated to comply with version 2.6.1 of Mozilla’s Root Store Policy in the near future (enter date below) We will update our CP/CPS before 2018/12/31.
Telia Company (formerly TeliaSonera) Our CP/CPS will be updated to comply with version 2.6.1 of Mozilla’s Root Store Policy in the near future (enter date below) CPS and Telia process will be updated in Oct 2018. All existing 10 certificates using 3.2.2.4(8)+3.2.2.5(4) were already revalidated at 2018-09-19 using 3.2.2.4(8)+3.2.2.5(2). If any new validation is done before Telia process change those will be also revalidated. Currently Telia has used method 3.2.2.5(4) in conjunction with Telia controlled VPN Gateway devices. We think that Mozilla shouldn't create more incompatibilities with BR like this third issue now does. Better way would be to try to get the same change to BR text. This new Mozilla BR incompatibility should be added to Mozilla policy chapter 2.3. It is hard for CA when more and more validation methods are removed and nothing is added! We think that method 3.2.2.5(4) is and was safe when CA fully controls the devices and their IP addresses. Almost complete removal of the method will trigger again more hard tasks for CA. You can ask if it is really safer to use 3.2.2.5(2) instead of 3.2.2.5(4) applied as IP configuration evidence to demonstrate Telia control of the IP. 3.2.2.5(4) applied as IP configuration evidence would be better for us.
TrustCor Systems Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy We do not issue certificates which contain IP addresses as validation information, therefore there are no validation methods which are relevant to this.
Trustis Our CP/CPS will be updated to comply with version 2.6.1 of Mozilla’s Root Store Policy in the near future (enter date below) Our CP/CPS will be updated to comply with version 2.6.1 of Mozilla’s Root Store Policy in the near future (01-30-2019) Comment: Certificate issuance has been discontinued and the service only provides revocation information for certificates that have not yet expired.
TurkTrust Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
Web.com Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy
certSIGN Our CP/CPS currently complies with version 2.6.1 of Mozilla’s Root Store Policy