May 2020 CA Communication

ITEM 2: Mozilla Root Store Policy version 2.7 Requirements and Deadlines Version 2.7 of Mozilla’s Root Store Policy was published in December, and a January 2020 CA Communication and survey was sent. We would like to remind you about the following 4 items. 1) Beginning on 1-July, 2020, end-entity certificates MUST include an Extended Key Usage (EKU) extension containing KeyPurposeId(s) describing the intended usage(s) of the certificate, and the EKU extension MUST NOT contain the KeyPurposeId anyExtendedKeyUsage. (last paragraph in Section 5.2) 2) Certificate Policy and Certificate Practice Statement (CP/CPS) versions dated after March 2020 cannot contain blank sections and must – in accordance with RFC 3647 – only use “No Stipulation” to mean that no requirements are imposed. (item 5 in Section 3.3) 3) Ensure that all new audit reports are properly formatted and contain the required information, especially in regards to the SHA-256 Fingerprint of each audited root and intermediate certificate that was in scope of the audit being listed with no colons, no spaces, and no linefeeds. 4) Resolve entries in the “Intermediate Certs with Failed ALV Results” task list item on your CCADB home page, by following the published instructions.
ITEM 2 COMMENTS

CA Owner Response Response
AC Camerfirma, S.A. Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Actalis Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Amazon Trust Services Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Asseco Data Systems S.A. (previously Unizeto Certum) Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Atos Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Autoridad de Certificacion Firmaprofesional Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Buypass Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
China Financial Certification Authority (CFCA) Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Chunghwa Telecom Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified. We hope to confirm that the effective time for (1) end-entity certificates MUST include an Extended Key Usage (EKU) extension containing KeyPurposeId(s) describing the intended usage(s) of the certificate, and the EKU extension MUST NOT contain the KeyPurposeId anyExtendedKeyUsage. (last paragraph in Section 5.2) is 1-July, 2020 00:00:00 UTC. Due to COVID-19, the government postponed the online tax filing deadline from May 30 to June 30. So there are some certificates for tax filling and securities orders will add EKU on July 1 0:00 local time. Local time is UTC +8. So we have some buffer time. Thanks.
Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Cybertrust Japan / JCSI Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
D-TRUST Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Deutsche Telekom Security GmbH Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Dhimyotis / Certigna Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
DigiCert Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Disig, a.s. Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
E-Tugra Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified. E-Tugra fulfills the requirements 1, 2 and 3. For requirement 4 still has an open ALV issue. A new Attestation Letter is requested and will be posted to CCADB.
Entrust Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
GlobalSign nv-sa Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified. Regarding 4): we have a few intermediate certificates that Failed ALV validation, please refer to Bugzilla ticket 1591005. They have already been added to OneCRL and we are in the process of revoking them or destroying the private keys, as detailed in the Bugzilla ticket.
GoDaddy Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Google Trust Services LLC Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Government of Hong Kong (SAR), Hongkong Post, Certizen Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) Other (please describe below) We are working with our auditors to resolve fingerprint issues in one of our last audit reports (March 2020). Both reports have been generated in the same way, both are PDF text searchable and includes all related fingerprints, but one of them is still failing.
Government of Taiwan, Government Root Certification Authority (GRCA) Our ability to fulfill the commitments that we made in response to the January 2020 CA Communication has been impeded as described below. GRCA and its sub CAs do not issue any TLS certificates since 18-Seepteember 2019, and we will revoke all TLS certificates on 7/19/2020. Our root cert will be removed from Mozilla's root store after 7/19/2020 Please see: https://bugzilla.mozilla.org/show_bug.cgi?id=1463975
Government of The Netherlands, PKIoverheid (Logius) Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
HARICA Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
IdenTrust Services, LLC Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Internet Security Research Group Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Izenpe S.A. Other (please describe below) One of our current end-entity certificate profile doesn't have any EKU extension. It's a natural person certificate, and it must also meet the requirements defined by our National regulation. We've asked to the Ministry, because in that profile they don't include any EKU. We'll decide what to do depending on their answer. We agree to all the rest of items.
Krajowa Izba Rozliczeniowa S.A. (KIR) Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Microsec Ltd. Other (please describe below) Microsec fulfills the requirements 1, 2 and 3. Microsec still has an open ALV issue regarding a doppelganger certificate issued for "Microsec e-Szigno Root CA 2009". The new Attestation Letter containing this doppelganger root certificate version has already been issued and an Audit Case has been opened in CCADB.
NETLOCK Kft. Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
OISTE Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
QuoVadis Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
SECOM Trust Systems CO., LTD. Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
SK ID Solutions AS Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
SSL.com Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Sectigo Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified. (D-TRUST) https://bugzilla.mozilla.org/show_bug.cgi?id=1597948 was resolved a few months ago, thanks to D-TRUST obtaining an updated audit report. (Ensured) The ALV failure in https://bugzilla.mozilla.org/show_bug.cgi?id=1597950 was resolved 6 months ago when we revoked the affected certificate. (Web.com) The ALV failures in https://bugzilla.mozilla.org/show_bug.cgi?id=1597947 will be addressed by the next audit reports.
SecureTrust Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Shanghai Electronic Certification Authority Co., Ltd. Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
SwissSign AG Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Taiwan-CA Inc. (TWCA) Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Telia Company Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified. We've done the required changes and improvements. Audit format messages are forwarded to our auditors. Our two ALV issues were fixed.
TrustCor Systems Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Trustis Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
Web.com Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.
certSIGN Our ability to fulfill the commitments that we made in response to the January 2020 CA Communication has been impeded as described below. On point 4, Resolve entries in the “Intermediate Certs with Failed ALV Results” – these had been fixed through our current finalized audits, already closed by LSTI & E&Y.
eMudhra Technologies Limited Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified.