January 2020 CA Communication

ACTION 1: Review Mozilla Root Store Policy Read version 2.7 of Mozilla’s Root Store Policy. CAs are expected to comply without exception with Version 2.7 of Mozilla's Root Store Policy. CAs MUST review this policy and ensure compliance, and CAs SHOULD carefully review the differences from previous versions of Mozilla's policy. These changes have been discussed on the mozilla.dev.security.policy mailing list. CAs that did not participate in these discussions or that have not yet reviewed these conversations should also read the discussions regarding these changes, to reduce the chance of confusion or misinterpretation.
ACTION 1 COMMENTS

CA Owner Response Response
AC Camerfirma, S.A. We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Actalis We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Amazon Trust Services We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Asseco Data Systems S.A. (previously Unizeto Certum) We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Atos We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Autoridad de Certificacion Firmaprofesional We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Buypass We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Certisign Certificadora Digital We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
China Financial Certification Authority (CFCA) We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Chunghwa Telecom We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
ComSign We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Cybertrust Japan / JCSI We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
D-TRUST We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
DarkMatter LLC We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Deutsche Telekom Security GmbH We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Dhimyotis / Certigna We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
DigiCert We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Disig, a.s. We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
E-Tugra We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Entrust We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
GlobalSign nv-sa We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
GoDaddy We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Google Trust Services LLC We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Government of Hong Kong (SAR), Hongkong Post, Certizen We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Government of Taiwan, Government Root Certification Authority (GRCA) We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Government of The Netherlands, PKIoverheid (Logius) We have read, understand, and intend to comply with version 2.7 of Mozilla’s Root Store Policy except as described below Several changes in our CP because of Mozilla Root Store Policy 2.7 have been filed for review by our Change Programme Board, but haven't been effected yet. Planned effective date of those changes (which can be found shortly on https://www.logius.nl/english/pkioverheid/current_changes) is mid-February. Furthermore, the audits conducted by BSI on our issuing CAs (Trust Service Providers) can't (for the moment) comply with the requirements in the Mozilla Root Store Policy 2.7, specifically the minimum required versions of ETSI EN 319 411-1/411-2. We've asked BSI for a clarification, their statement is included below: BSI is currently migrating its accreditation from a UK-based accreditation to accreditation based in the Netherlands. Upon completion, ALL existing, valid BSI ETSI-conformity certificates will be migrated from the 2016-versions of the ETSI-standards to the 2018-versions of the ETSI-standards. The ETSI-certificate scope page, including audit period and expiration date will remain the same. BSI audit reports (ETSI-conformity certificates) will then comply with Mozilla Root Store Policy, version 2.7. BSI aims to have this completed for all ETSI-conformity certificates by 1 August 2020. Further details: - In performing the conformity assessment against the ETSI EN 319411-1 and ETSI EN 319411-2 standards, BSI is currently using its accreditation under the UK accreditation scheme (UKAS). This accreditation explicitly specifies the 2016-versions of the ETSI standards: ETSI EN 319 411-1 v1.1.1 (2016-02) and ETSI EN 319 411-2 v2.1.1 (2016-02) - BSI is currently completing the activity to bring the accreditation for the ETSI-standards to the Dutch Accreditation Council (RvA). The United Kingdom leaving the European Union (“Brexit”) is the primary reason to bring our accreditation to The Netherlands. - The process to complete the accreditation under the Dutch Accreditation Council is taking more time than expected, as limited resources were available at the Dutch Accreditation Council to perform the ETSI-accreditation. - In performing its conformity assessments, BSI has already anticipated on the migration of its new accreditation by explicitly including the 2018-versions of the ETSI-standards in its conformity assessments. Reports include evidences and conclusions to both versions. Unfortunately, the current UKAS-accreditation does not allow BSI to mention the latest versions on the ETSI-conformity certificates. -The new accreditation at the Dutch Accreditation Council will not mention a specific ETSI-version. Accreditation will be version-independent and this will allow BSI to always use the latest versions of the ETSI-standards as a basis for our assessments and audit reports (ETSI-conformity certificates). - BSI expects the accreditation by the Dutch Accreditation Council to be completed by 1 July 2020. - As soon as accreditation has been completed, BSI will provide all its clients that have valid ETSI-conformity certificates with new ETSI-conformity certificates against the 2018-versions of the ETSI-standards. - These new certificates will replace the conformity certificates against the 2016-versions. The new certificates will have the same certificate scope page, including audit period and expiration date, as the certificates they are replacing. - Details of updating customer certificates from the UKAS accreditation to the Dutch Accreditation Council accreditation have already been discussed with the Dutch Accreditation Council. -BSI aims to have this completed for all ETSI-conformity certificates by 1 August 2020.
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
HARICA We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
IdenTrust Services, LLC We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy The IdenTrust TrustID policy documents have been updated to comply with Mozilla’s ver 2.7 policy. These policy updates were approved by the IdenTrust PMA on Jan-31-2020 and will be published in our policy repositories no later than Feb-15-2020.
Internet Security Research Group We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Izenpe S.A. We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Krajowa Izba Rozliczeniowa S.A. (KIR) We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
LuxTrust We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Microsec Ltd. We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Microsoft Corporation We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
NETLOCK Kft. We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
OISTE We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
QuoVadis We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
SECOM Trust Systems CO., LTD. We have read, understand, and intend to comply with version 2.7 of Mozilla’s Root Store Policy except as described below Please refer to the below comments on Action 4, 5, and we will need some time to deal with the Failed ALV Results. Eventually, we will comply with Mozilla's Root Store Policy 2.7.
SK ID Solutions AS We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
SSL.com We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Sectigo We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
SecureTrust We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Shanghai Electronic Certification Authority Co., Ltd. We have read, understand, and intend to comply with version 2.7 of Mozilla’s Root Store Policy except as described below
SwissSign AG We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Swisscom (Switzerland) Ltd We have questions or concerns with version 2.7 of Mozilla’s Root Store Policy as described below Swisscom Certificates are not in the root store any more. Nevertheless we received the "Mozilla CA Communication: Action requested by January 31, 2020" mail from Wayne. Was this an error or is there something additional Swisscom needs to do in order not to receive the root store communications?
Taiwan-CA Inc. (TWCA) We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Telia Company We have read, understand, and intend to comply with version 2.7 of Mozilla’s Root Store Policy except as described below Check the exceptions on the other actions.
TrustCor Systems We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Trustis We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
Web.com We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
certSIGN We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy
eMudhra Technologies Limited We have read, understand, and intend to fully comply with version 2.7 of Mozilla’s Root Store Policy