September 2018 CA Communication

ACTION 7: Submit TLS Certificates to CT Logs for Mozilla's CRLite

Later this year, Mozilla is planning to begin testing a new certificate validation mechanism called CRLite. Revocation checking for both leaf and intermediate certificates will be performed via CRLite, but it does not replace OneCRL. When Firefox users load a website supported by CRLite, the browser will not need to fetch OCSP status, which should reduce bandwidth requirements for participating CAs as well as increase performance of the website. In order for CRLite to function properly, Mozilla must know about every TLS certificate that will utilize CRLite for revocation checking. Mozilla might only enable CRLite for CAs that log all TLS certificates issued under their included roots. While Mozilla does not currently have a policy requiring Certificate Transparency (CT) logging, we would like to know if it is reasonable to expect that all newly issued TLS certificates from all CA certificates in the Mozilla program are being logged.

ACTION 7 COMMENTS

| CA Owner | Response | Comments |
| --- | --- | --- |
| AC Camerfirma, S.A. | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Actalis | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Amazon Trust Services | We sometimes redact names in the certificates we log, and/or we allow Subscribers to exclude specific certificates from logging (provide details below, including the number of unlogged/redacted certificates issued since July 1, 2018) | Public documentation that warns users of the impact of not allowing their certificate to be CT logged is provided as well as a mechanism for them to opt out via the certificate management service: https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-transparency. We will provide the specifics of how many certs this is by 10/31/2018. |
| Asseco Data Systems S.A. (previously Unizeto Certum) | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Atos | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Autoridad de Certificacion Firmaprofesional | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Buypass | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Certinomis / Docapost | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| China Financial Certification Authority (CFCA) | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Chunghwa Telecom | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| ComSign | We will begin logging every TLS pre-certificate and/or certificate issued after some future date (specify date below) to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Cybertrust Japan / JCSI | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| D-TRUST | We sometimes redact names in the certificates we log, and/or we allow Subscribers to exclude specific certificates from logging (provide details below, including the number of unlogged/redacted certificates issued since July 1, 2018) | We have not issued a certificate without CT logging so far. But we definitely support the CRLite concept. The question is if we would issue a non CT logged certificate in the future, how can we add them to CRLite? |
| Dhimyotis / Certigna | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| DigiCert | We sometimes redact names in the certificates we log, and/or we allow Subscribers to exclude specific certificates from logging (provide details below, including the number of unlogged/redacted certificates issued since July 1, 2018) | We allow Subscribers to exclude specific certificates from logging. Since July 1, 2018, that number includes 447 certificates from the DigiCert systems and 28,765 certificates from the Symantec systems. |
| Disig, a.s. | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| DocuSign (OpenTrust/Keynectis) | Other (please describe below) | We don't issue TLS server certs anymore. |
| E-Tugra | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| EDICOM | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Entrust | We sometimes redact names in the certificates we log, and/or we allow Subscribers to exclude specific certificates from logging (provide details below, including the number of unlogged/redacted certificates issued since July 1, 2018) | AffirmTrust and Entrust CAs do not redact names in certificates that are CT logged. AffirmTrust SSL CAs CT log all certificates. Entrust SSL CAs CT log all EV SSL certificates and all SSL certificates sold in a retail buying mode. Entrust CAs allow enterprise SSL customers to choose whether to CT log their OV SSL certificates. To date, there have been 3127 OV SSL certificates, which have not been CT logged. |
| Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| GlobalSign | We sometimes redact names in the certificates we log, and/or we allow Subscribers to exclude specific certificates from logging (provide details below, including the number of unlogged/redacted certificates issued since July 1, 2018) | We have a very small number of customers that do not want some of their certificates logged, so not every SSL certificate we issue is posted to CT logs. |
| GoDaddy | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Google Trust Services LLC (GTS) | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Government of Hong Kong (SAR), Hongkong Post, Certizen | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Government of Taiwan, Government Root Certification Authority (GRCA) | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Government of The Netherlands, PKIoverheid (Logius) | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| HARICA | Other (please describe below) | We currently log every newly issued TLS pre-certificate to at least one publicly-accessible and Qualified (per Google's CT Policy) CT log but we reserve the right not to log TLS pre-certificates and/or certificates at our sole discretion based on Subscriber's requests. |
| IdenTrust Services, LLC | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Internet Security Research Group (ISRG) | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Izenpe S.A. | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Krajowa Izba Rozliczeniowa S.A. (KIR) | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| LuxTrust | Other (please describe below) | Chrome recognition process is under ongoing review. |
| Microsec Ltd. | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| NetLock Ltd. | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| QuoVadis | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| SECOM Trust Systems CO., LTD. | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| SK ID Solutions AS | Other (please describe below) | This is not applicable as SK no longer issues TLS Server Certificates. |
| SSL.com | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Sectigo | Other (please describe below) | We currently log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log, we do not redact names, and we do not allow Subscribers to opt-out when logging [pre-]certificates. However, we have not ruled out offering an opt-out mechanism in the future. |
| SecureTrust | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| SwissSign AG | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Swisscom (Switzerland) Ltd | Other (please describe below) | n/a: Swisscom does not issue TLS certificates and our root certificates are not enabled with the Websites trust bit. |
| T-Systems International GmbH (Deutsche Telekom) | We sometimes redact names in the certificates we log, and/or we allow Subscribers to exclude specific certificates from logging (provide details below, including the number of unlogged/redacted certificates issued since July 1, 2018) | Based on Data protection regulations, we allow subscribers to choose if they want to exclude specific certificates from logging. Forty-five (45) unlogged certificates have been issued since July 1, 2018. |
| Taiwan-CA Inc. (TWCA) | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Telia Company (formerly TeliaSonera) | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| TrustCor Systems | We have logged every TLS pre-certificate and/or certificate issued after April 30, 2018 to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| Trustis | Other (please describe below) | Certificate issuance has been discontinued and the service only provides revocation information for certificates that have not yet expired. |
| TurkTrust | Other (please describe below) | TURKTRUST continues its work on Certificate Transparency (CT) logging but it has not been completed yet. |
| WISeKey | We will begin logging every TLS pre-certificate and/or certificate issued after some future date (specify date below) to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | We temporarily stopped the issuance of new TLS certificates and derived this practice to QuoVadis (member of the WISeKey Holding) as our infrastructure was not ready for CT. We are planning to reinforce our capabilities for CT logging and resume TLS issuance before end of 2018. |
| Web.com | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |
| certSIGN | We log every newly issued TLS pre-certificate and/or certificate to at least one publicly-accessible CT log. We do not redact names or allow Subscribers to opt-out when logging [pre-]certificates | |