September 2018 CA Communication

ACTION 3: Transition to Separate Intermediate Certificates for SSL and S/MIME

Section 5.3 of version 2.6.1 of Mozilla’s Root Store Policy requires intermediate certificates issued after 1-January 2019 to be constrained by EKU to prevent use of the same intermediate certificate to issue both SSL (serverAuth) and S/MIME (emailProtection) certificates.
ACTION 3 COMMENTS

| CA Owner | Response | Comments |
| --- | --- | --- |
| AC Camerfirma, S.A. | We understand and intend to comply with this new policy by 1-January 2019 | |
| Actalis | We understand and intend to comply with this new policy by 1-January 2019 | |
| Amazon Trust Services | We understand and intend to comply with this new policy by 1-January 2019 | |
| Asseco Data Systems S.A. (previously Unizeto Certum) | We understand and intend to comply with this new policy by 1-January 2019 | |
| Atos | We understand and intend to comply with this new policy by 1-January 2019 | |
| Autoridad de Certificacion Firmaprofesional | We understand and intend to comply with this new policy by 1-January 2019 | |
| Buypass | We understand and intend to comply with this new policy by 1-January 2019 | |
| Certinomis / Docapost | We understand and intend to comply with this new policy by 1-January 2019 | |
| China Financial Certification Authority (CFCA) | We understand and intend to comply with this new policy by 1-January 2019 | CFCA does not issue S/MIME Certificates using the Root that is included in the Mozilla root program. |
| Chunghwa Telecom | We understand and intend to comply with this new policy by 1-January 2019 | |
| ComSign | We understand and intend to comply with this new policy by 1-January 2019 | |
| Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) | We understand and intend to comply with this new policy by 1-January 2019 | |
| Cybertrust Japan / JCSI | We understand and intend to comply with this new policy by 1-January 2019 | |
| D-TRUST | We understand and intend to comply with this new policy by 1-January 2019 | |
| Dhimyotis / Certigna | We understand and intend to comply with this new policy by 1-January 2019 | |
| DigiCert | We understand and intend to comply with this new policy by 1-January 2019 | |
| Disig, a.s. | We understand and intend to comply with this new policy by 1-January 2019 | |
| DocuSign (OpenTrust/Keynectis) | We understand and intend to comply with this new policy by 1-January 2019 | |
| E-Tugra | We understand and intend to comply with this new policy by 1-January 2019 | |
| EDICOM | We understand and intend to comply with this new policy by 1-January 2019 | |
| Entrust | We understand and intend to comply with this new policy by 1-January 2019 | |
| Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) | We understand and intend to comply with this new policy by 1-January 2019 | |
| GlobalSign | We understand and intend to comply with this new policy by 1-January 2019 | We understand and will comply. We're including EKUs in most CAs today and will include EKUs in all CAs by the end of 2018. |
| GoDaddy | We understand and intend to comply with this new policy by 1-January 2019 | |
| Google Trust Services LLC (GTS) | We understand and intend to comply with this new policy by 1-January 2019 | |
| Government of Hong Kong (SAR), Hongkong Post, Certizen | We understand and intend to comply with this new policy by 1-January 2019 | |
| Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) | We understand and intend to comply with this new policy by 1-January 2019 | |
| Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) | We understand and intend to comply with this new policy by 1-January 2019 | |
| Government of Taiwan, Government Root Certification Authority (GRCA) | We understand and intend to comply with this new policy by 1-January 2019 | |
| Government of The Netherlands, PKIoverheid (Logius) | We understand and intend to comply with this new policy by 1-January 2019 | |
| Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) | We understand and intend to comply with this new policy by 1-January 2019 | |
| HARICA | We understand and intend to comply with this new policy by 1-January 2019 | |
| IdenTrust Services, LLC | We understand and intend to comply with this new policy by 1-January 2019 | |
| Internet Security Research Group (ISRG) | We understand and intend to comply with this new policy by 1-January 2019 | |
| Izenpe S.A. | We understand and intend to comply with this new policy by 1-January 2019 | |
| Krajowa Izba Rozliczeniowa S.A. (KIR) | We understand and intend to comply with this new policy by 1-January 2019 | |
| LuxTrust | We understand and intend to comply with this new policy by 1-January 2019 | |
| Microsec Ltd. | We understand and intend to comply with this new policy by 1-January 2019 | |
| NetLock Ltd. | We understand and intend to comply with this new policy by 1-January 2019 | |
| OISTE | We understand and intend to comply with this new policy by 1-January 2019 | |
| QuoVadis | We understand and intend to comply with this new policy by 1-January 2019 | |
| SECOM Trust Systems CO., LTD. | We understand and intend to comply with this new policy by 1-January 2019 | |
| SK ID Solutions AS | Other (please describe below) | This is not applicable as SK does not intend to issue a new intermediate CA Certificate that would enable issuance of TLS Server Certificates. |
| SSL.com | We understand and intend to comply with this new policy by 1-January 2019 | |
| Sectigo | We understand and intend to comply with this new policy by 1-January 2019 | |
| SecureTrust | We understand and intend to comply with this new policy by 1-January 2019 | |
| SwissSign AG | We understand and intend to comply with this new policy by 1-January 2019 | |
| Swisscom (Switzerland) Ltd | We understand and intend to comply with this new policy by 1-January 2019 | |
| T-Systems International GmbH (Deutsche Telekom) | We understand and intend to comply with this new policy by 1-January 2019 | |
| Taiwan-CA Inc. (TWCA) | We understand and intend to comply with this new policy by 1-January 2019 | We are prepared to issue a new intermediate CA certificate and will include the EKU extension in the certificate. The new intermediate CA certificate will be added to CCADB for reference. |
| Telia Company (formerly TeliaSonera) | We understand and intend to comply with this new policy by 1-January 2019 | |
| TrustCor Systems | We understand and intend to comply with this new policy by 1-January 2019 | Our current subordinate certificates do not contain EKUs to segregate intended use of end-entity certificates, but all future ones will contain such EKUs. |
| Trustis | We understand and intend to comply with this new policy by 1-January 2019 | We understand and intend to comply with this new policy by 1-January 2019. If the service was continuing we would ensure compliance with this requirement. Comment: Certificate issuance has been discontinued and the service only provides revocation information for certificates that have not yet expired. |
| TurkTrust | We understand and intend to comply with this new policy by 1-January 2019 | |
| Web.com | Other (please describe below) | Web.com - Network Solutions LLC have no changes to make, because we do not offer S/MIME certs and never have since inception. |
| certSIGN | We understand and intend to comply with this new policy by 1-January 2019 | |