September 2018 CA Communication

ACTION 4: Ensure Audit Reports comply with Mozilla’s Root Store Policy

Version 2.5 of Mozilla’s Root Store Policy added detailed requirements for audit reports to section 3.1.4. Mozilla is now rejecting audit reports that do not comply with these requirements. Note that version 2.6.1 of the policy added the following clarification to section 5.3.2 for newly-issued intermediates that are not technically constrained: “If the CA has a currently valid audit report at the time of creation of the certificate, then the new certificate MUST appear on the CA's next periodic audit reports.”
ACTION 4 COMMENTS

CA Owner Response Response
AC Camerfirma, S.A. We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Actalis We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Amazon Trust Services We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Asseco Data Systems S.A. (previously Unizeto Certum) We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Atos We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Autoridad de Certificacion Firmaprofesional We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Buypass We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Certinomis / Docapost We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
China Financial Certification Authority (CFCA) We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected Section 5.3.2 of Mozilla’s Root Store Policy was recently updated. The 2.6.1 version: “All certificates that are capable of being used to issue new certificates, that are not technically constrained, and that directly or transitively chain to a certificate included in Mozilla’s root program:” How do we define “All certificates that are capable of being used to issue new certificates”? To be specific: CFCA EV ROOT has 4 Intermediate Certificates. Two active Intermediate Certificates that can issue certificates: CFCA EV OCA [Type: Intermediate Certificate], CFCA OV OCA [Type: Intermediate Certificate]. Two inactive Intermediate Certificates that can’t issue certificates: CFCA EV CodeSign OCA [Type: Intermediate Certificate], CFCA OV CodeSign OCA [Type: Intermediate Certificate]. However, the “inactive” we define is: 1. shut down the internal access to these 2 Intermediate Certificates; 2. announcement to stop issuing Code Signing Certificates; 3. add this announcement to our latest CPS. Will these 3 actions define these 2 Intermediate Certificates as not “capable of being used to issue new certificates”? Or is revocation the only way to ensure the Intermediate Certificates are not “capable of being used to issue new certificates”? Since we have not issued Code Signing Certificates since Jan. 1, 2017, we stopped auditing these 2 Intermediate Certificates; this year’s audit report will not include these 2 certificates. Will this be a problem and trigger “any audit report submitted to Mozilla that does not comply with these requirements will be rejected”?
Chunghwa Telecom We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
ComSign We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Cybertrust Japan / JCSI We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
D-TRUST We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Dhimyotis / Certigna We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
DigiCert We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Disig, a.s. We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
DocuSign (OpenTrust/Keynectis) Other (please describe below) We are currently in discussions with the auditors to get the report containing all requested info. Reports we already provided were containing almost all information except two.
E-Tugra We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
EDICOM We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Entrust We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
GlobalSign We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected GlobalSign's latest audit report meets section 3.1.4 of Mozilla's Root Store Policy. We also acknowledge requirements added in section 5.3.2.
GoDaddy We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Google Trust Services LLC (GTS) We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Government of Hong Kong (SAR), Hongkong Post, Certizen We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Government of Taiwan, Government Root Certification Authority (GRCA) We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Government of The Netherlands, PKIoverheid (Logius) We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
HARICA We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
IdenTrust Services, LLC We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Internet Security Research Group (ISRG) We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Izenpe S.A. We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Krajowa Izba Rozliczeniowa S.A. (KIR) We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
LuxTrust We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Microsec Ltd. We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
NetLock Ltd. We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
OISTE We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
QuoVadis We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
SECOM Trust Systems CO., LTD. We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
SK ID Solutions AS We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
SSL.com We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Sectigo We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
SecureTrust We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
SwissSign AG We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Swisscom (Switzerland) Ltd We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
T-Systems International GmbH (Deutsche Telekom) We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Taiwan-CA Inc. (TWCA) We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Telia Company (formerly TeliaSonera) We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
TrustCor Systems We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Trustis We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
TurkTrust We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
Web.com We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected
certSIGN We understand that any audit report submitted to Mozilla that does not comply with these requirements will be rejected