January 2020 CA Communication

ACTION 5: Resolve Audit Issues with Intermediate Certificates

CAs have a new task list item on their CCADB home page called “Intermediate Certs with Failed ALV Results”. If you have any items listed here, follow the published instructions to resolve them.
ACTION 5 COMMENTS
ACTION 5 DATE

Columns: CA Owner, Response (ACTION 5), Response (ACTION 5 COMMENTS), Response (ACTION 5 DATE)
AC Camerfirma, S.A. We are in the process of resolving these issues (please describe below) The annual eIDAS audit that covers root & Camerfirma's intermediate certificates is scheduled between 2020-02-25 and 2020-03-04 and the new report must solve the ALV's issues detected in previous ones. New non-Camerfirma CA intermediate certificates reports will be adapted to ALV requirements before 2020-06-01. 2020 Jun 1
Actalis We have no audit issues with our intermediate certificates identified by CCADB
Amazon Trust Services We are in the process of resolving these issues (please describe below) We have multiple certificates for our CAs. Our previous audit reports include a representative certificate for each CA. Our future reports will include all the certificates for each CA. 2020 Apr 15
Asseco Data Systems S.A. (previously Unizeto Certum) Other (please describe below) We described the situation about Intermediate Certs with Failed ALV Results in this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1598277.
Atos We have no audit issues with our intermediate certificates identified by CCADB
Autoridad de Certificacion Firmaprofesional We are in the process of resolving these issues (please describe below) We had two “Intermediate Certs with Failed ALV Results” (the same CA, SHA1 and SHA2 versions) and we have already made an explanation on it in CCADB, following the given instructions. 2020 Jan 13
Buypass We are in the process of resolving these issues (please describe below) There are still two intermediate certificates affected which have not been revoked. Based on analyzing OCSP requests, we observe that they are still extensively used. We want to ensure that customers still using these have replaced them before revoking.
Certisign Certificadora Digital We have not yet begun to resolve these issues, but commit to doing so by (provide date below) 2020 Feb 14
China Financial Certification Authority (CFCA) Other (please describe below) I reviewed the new task list item "Intermediate Certs with Failed FLV Results", found two issues (AllThumbprintsListed=Fail), the explain is "FAIL means that this certificate's SHA-256 thumbprint was NOT found in the audit statement", but the audit statement include certificate's SHA-256 thumbprint, on the end of the report. In our audit report, the thumbprint not a "click link", it is "thumbprint code".
Chunghwa Telecom We have no audit issues with our intermediate certificates identified by CCADB
ComSign We have no audit issues with our intermediate certificates identified by CCADB
Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) We have no audit issues with our intermediate certificates identified by CCADB
Cybertrust Japan / JCSI We are in the process of resolving these issues (please describe below) We are aware that we have a task list below:
> Intermediate Certs with no audit information provided: 1
> Intermediate Certs with no CP/CPS information provided: 1
To resolve these issues, we wrote "case 00000545" as follows and also at "Description Information" of "SecureSign Public CA11".
> We Cybertrust Japan found on this CAA DB home page that the update of Audit Information and CP/CPS information
> for an intermediate CA "SecureSign Public CA11" are required,
> but as we added at "Description" field of the intermediate CA "SecureSign Public CA11",
> Cybertrust Japan is not the owner of this Intermediate CA "SecureSign Public CA11".
> Please look through the Description.
>
> Please also note that we are now conducting WebTrust audit for the Root CA "SecureSign RootCA11" (not intermediate CA).
> We will update the audit information after we receive it.
D-TRUST We have no audit issues with our intermediate certificates identified by CCADB
DarkMatter LLC We have no audit issues with our intermediate certificates identified by CCADB 3 entries updated today 2020 Jan 30
Deutsche Telekom Security GmbH We have no audit issues with our intermediate certificates identified by CCADB
Dhimyotis / Certigna We are in the process of resolving these issues (please describe below) We are waiting for the last version of audit report from our assessment body (this week normally) and we will initiate verification after we receive it. 2020 Feb 14
DigiCert We have no audit issues with our intermediate certificates identified by CCADB
Disig, a.s. We are in the process of resolving these issues (please describe below) The audit report on our website was changed to the one with the correct formatting of SHA256 hash (no hash colons) for CA Disig Root R2, CA Disig R2I2, and CA Disig R2I3. 2020 Jan 26
E-Tugra We have not yet begun to resolve these issues, but commit to doing so by (provide date below) 2020 Feb 29
Entrust We are in the process of resolving these issues (please describe below) The Intermediate CAs are not in use. We plan to revoke all certificates.
Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) We have no audit issues with our intermediate certificates identified by CCADB
GlobalSign nv-sa We are in the process of resolving these issues (please describe below) Please refer to https://bugzilla.mozilla.org/show_bug.cgi?id=1591005 for the ongoing incident related to unconstrained CAs that were not included in the scope of our past BR audits.
GoDaddy We have no audit issues with our intermediate certificates identified by CCADB
Google Trust Services LLC We have no audit issues with our intermediate certificates identified by CCADB
Government of Hong Kong (SAR), Hongkong Post, Certizen We have no audit issues with our intermediate certificates identified by CCADB
Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) We have no audit issues with our intermediate certificates identified by CCADB
Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) We are in the process of resolving these issues (please describe below) Failed Audit Letter Validation (ALV) results:
- "FNMT-RCM - SHA512" - B82210CDE9DDEA0E14BE29AF647E4B32F96ED2A9EF1AA5BAA9CC64B38B6C01CA - It's a Root certificate
- "AC Administración Pública" - 18A43C51D08174C3A6D85F1C1318BD2909753E75D91CF6599F73347B00702890 - sha1WithRSAEncryption intermediate certificate - SKI: 14:11:E2:B5:2B:B9:8C:98:AD:68:D3:31:54:40:E4:58:5F:03:1B:7D. The audit report only included the sha256WithRSAEncryption intermediate certificate which is the one in use.
- "AC Componentes Informáticos" - DB0DA16032F1643A2496FDE742E2BBE81DACA58CD7612061420E154CE1BCE2BD - sha1WithRSAEncryption intermediate certificate - SKI: 19:F8:58:2F:14:D6:A6:CC:9B:04:98:08:0D:4C:D7:AB:00:A7:83:65. The audit report only included the sha256WithRSAEncryption intermediate certificate which is the one in use.
The annual audit is scheduled for week 5 (27/01/2020-31/01/2020)
New audit reports resolving this issue will be provided before 12/04/2020
Government of Taiwan, Government Root Certification Authority (GRCA) We have no audit issues with our intermediate certificates identified by CCADB
Government of The Netherlands, PKIoverheid (Logius) We are in the process of resolving these issues (please describe below) Currently, both Webtrust audit statements for our Domain CAs have been flagged (see bug 1605126) and for one (1) intermediate CA of CIBG (bug 1607906). For remediation, see the bugs listed.
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) We have no audit issues with our intermediate certificates identified by CCADB
HARICA We have no audit issues with our intermediate certificates identified by CCADB
IdenTrust Services, LLC We have no audit issues with our intermediate certificates identified by CCADB We currently have no audit issues with our intermediate certificates identified by CCADB. We are in the process of resolving an issue with Undisclosed/Unrevoked ICA’s: https://bugzilla.mozilla.org/show_bug.cgi?id=1598807
Internet Security Research Group We have no audit issues with our intermediate certificates identified by CCADB
Izenpe S.A. We have no audit issues with our intermediate certificates identified by CCADB
Krajowa Izba Rozliczeniowa S.A. (KIR) We are in the process of resolving these issues (please describe below) The new annual audit reports resolving this issue will be provided before 03/18/2020. 2020 Mar 18
LuxTrust We have no audit issues with our intermediate certificates identified by CCADB
Microsec Ltd. We are in the process of resolving these issues (please describe below) We have a doppelganger root certificate which is not listed in the present audit report. We have already contacted our auditor to add this missing certificate to the audit report. We are waiting for their proposal. We do not have the answer yet so we don't know the deadline.
Microsoft Corporation We have no audit issues with our intermediate certificates identified by CCADB
NETLOCK Kft. We have not yet begun to resolve these issues, but commit to doing so by (provide date below) 2020 Feb 29
OISTE We are in the process of resolving these issues (please describe below) We found some issues after the transfer of the Roots from WISEKEY to OISTE in the CCADB. The audit information of the intermediates has not been updated properly and is set as "Same as parent", but actually WISeKey publishes now separate audit reports for the intermediates, while OISTE only publishes audit reports for the Roots. To be clear, the audit reports covering the intermediates were communicated to the CCADB before the transfer of the Roots, and they were appearing properly at the time, but the information wasn't updated after the root transfer. The audit reports covering the intermediates are still valid and are available from the WISeKey website: Webtrust for CA: https://www.cpacanada.ca/webtrustseal?sealid=10246 Webtrust for BR: https://www.cpacanada.ca/webtrustseal?sealid=10247 Webtrust for EV: https://www.cpacanada.ca/webtrustseal?sealid=10248 We have updated the CCADB, linking properly the subordinates with the audit reports issued specifically for WISeKey. 2020 Jan 10
QuoVadis We are in the process of resolving these issues (please describe below) QuoVadis had 25 ICAs tagged for ALV issues: Seven Siemens CAs were tagged as they included the ":" symbol in the hashes, and 18 QuoVadis CAs (including those branded as VR Ident and HydrantID) as they included line breaks in the hashes. These formatting issues will be corrected in the next WebTrust reports.
SECOM Trust Systems CO., LTD. We are in the process of resolving these issues (please describe below) We are working on the resolution for these issues. As described in Action 4, we plan to resolve this by around September 2020, when the next audit report will be provided.
SK ID Solutions AS We have no audit issues with our intermediate certificates identified by CCADB
SSL.com We are in the process of resolving these issues (please describe below) We are addressing an ALV issue and, after discussion with MRSP representatives, have filed the following bug to document resolution: https://bugzilla.mozilla.org/show_bug.cgi?id=1610000
Sectigo We are in the process of resolving these issues (please describe below) https://bugzilla.mozilla.org/show_bug.cgi?id=1597947 https://bugzilla.mozilla.org/show_bug.cgi?id=1597948 https://bugzilla.mozilla.org/show_bug.cgi?id=1597950
SecureTrust We have no audit issues with our intermediate certificates identified by CCADB
Shanghai Electronic Certification Authority Co., Ltd. We have no audit issues with our intermediate certificates identified by CCADB
SwissSign AG We are in the process of resolving these issues (please describe below) We are waiting for feedback from Microsoft on our request to remove the code signing EKU from the respective root.
Swisscom (Switzerland) Ltd Other (please describe below) Swisscom Certificates are not in the root store any more. Nevertheless we received the "Mozilla CA Communication: Action requested by January 31, 2020" mail from Wayne. Was this an error or is there something additional Swisscom needs to do in order not to receive the root store communications?
Taiwan-CA Inc. (TWCA) We have no audit issues with our intermediate certificates identified by CCADB
Telia Company We are in the process of resolving these issues (please describe below) What is the right way to solve these ALV failures, revocation? These CA certificates are not capable of issuing certificates because they don’t exist on our online CA systems. However, we could probably revoke them.

Details of case TeliaSonera Gateway CA v1, issued 2010-03-04, SHA2-fingerprint: B01A8DC9426D48767157FFCB46BEFA193175BBC981B57D47BC6C7FF71B94A35C
This was replaced 2013-05-13 by a new certificate using same Subject and same key. Later in 2014 usage of both were discontinued because both were using SHA1. The replacement certificate has been on audit reports. There haven’t been any valid certificates under neither for years and that fact can be seen from audit reports. Its key's usage is technically prevented by us (keys disabled). It is not on audit report probably because at the time in 2013 our CA software (RSA Certificate Manager) removed older certificate when new one was resigned to use the same key and subject. This now exists only on CCADB and in our archive files. We changed CA software in 2017 and this old abolished CA wasn’t migrated to offline nor online system. Thus it wasn’t visible to auditors when they collected CA certificate listings from CA system. We closed our audit contract with the auditor who audited this last year and we hesitate to require anything anymore from them. New auditor agreement is to be signed soon. It may be possible to migrate this CA now to current offline Root CA system to do revocation if that is the suggested solution. Should we revoke this now? CA revocation is our own recommendation. Date is based on assumption that revocation is the solution.

Details of Case Telia Domain Validation SSL CA v1, issued 2017-11-16, SHA2-fingerprint: 5F20CD1B0F7A827DD61B29F390970AAD96F0428219DE9B504A170B56AB68CF8D
This certificate was replaced 2018-02-19 by a new certificate using the same key. The replacement certificate has been on audit reports.
The first one was never used because our DV type was still in development. Then before starting DV we noticed that CA’s Subject value wasn’t optimal (it used our brand name instead of company name). Thus we resigned CA certificate. Only the newer one was installed to online system. We are not sure why the older one wasn’t included in audit report listing by our auditor. Probably they took listing from online system capable of creating new certificates. We closed our audit contract with the auditor who audited this last year and we hesitate to require anything anymore from them. New auditor agreement is to be signed soon. This certificate ever existed only on our offline Root CA system. Should we revoke this now? CA revocation is our own recommendation. 2020 Feb 28
TrustCor Systems We are in the process of resolving these issues (please describe below) ALV indicated, incorrectly, that the SHA256 fingerprint was missing for one certificate because it has line breaks; those breaks will be removed in our next set of annual audit reports, due in November 2020. 2020 Nov 30
Trustis We have no audit issues with our intermediate certificates identified by CCADB
Web.com We are in the process of resolving these issues (please describe below) https://bugzilla.mozilla.org/show_bug.cgi?id=1597947
certSIGN We are in the process of resolving these issues (please describe below) We have contacted our auditors and we are in the process of resolving the ALV issues for intermediate certificate CERTSIGN FOR BANKING QUALIFIED DS PRODUCTION CA V3 and certSIGN Qualified CA. 2020 May 1
eMudhra Technologies Limited We have no audit issues with our intermediate certificates identified by CCADB