May 2020 CA Communication

SUB ITEM 3.1: Limit TLS Certificates to 398-day validity Last year there was a CA/Browser Forum ballot to set a 398-day maximum validity for TLS certificates. Mozilla voted in favor, but the ballot failed due to a lack of support from CAs. Since then, Apple announced they plan to require that TLS certificates issued on or after September 1, 2020 must not have a validity period greater than 398 days, treating certificates longer than that as a Root Policy violation as well as technically enforcing that they are not accepted. We would like to take your CA’s current situation into account regarding the earliest date when your CA will be able to implement changes to limit new TLS certificates to a maximum 398-day validity period.
SUB ITEM 3.1 DATE
SUB ITEM 3.1 COMMENTS

CA Owner Response Response Response
AC Camerfirma, S.A. Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31
Actalis Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Jul 31 All CAs that are trusted in iOS/macOS are forced to comply with this Apple requirement, like it or not, as Apple declared that not complying will be regarded as a policy violation (although to date Apple's Root Certificate Program makes no mention of certificate lifetimes). As our root is trusted in iOS/macOS, we too are forced to comply.
Amazon Trust Services Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31
Asseco Data Systems S.A. (previously Unizeto Certum) Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Sep 1
Atos Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31
Autoridad de Certificacion Firmaprofesional Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Jul 31 The unilateral decision of Apple, against the results of the ballot, makes the CA/B Forum a little bit useless, from our point of view.
Buypass Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31
China Financial Certification Authority (CFCA) Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31
Chunghwa Telecom Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Sep 1
Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) Other (please describe below) Although our CA still has the website bit enabled, we do not issue TLS Certificates since 1st-January-2020.The last one was issued in 27th-December-2019. Related bugs/information: https://bugzilla.mozilla.org/show_bug.cgi?id=1496616#c22 https://bugzilla.mozilla.org/show_bug.cgi?id=1621159
Cybertrust Japan / JCSI Our CA already limits TLS certificate validity period to 398 days or less.
D-TRUST Other (please describe below) We were forced to take this step because Apple announced a shortening of the certificate lifetime. As we want to offer our customers certificates that are of the greatest benefit to them we will implement the change until 31.08.2020. However, we do not see any security gain or other benefits by shortening the certificate lifetime.
Deutsche Telekom Security GmbH Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31
Dhimyotis / Certigna Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31
DigiCert Other (please describe below) DigiCert: Our CA is able to implement change to 398 days or less validity by the date Mozilla specifies in their policy. Apple SubCA: Apple TLS Certificates currently have a maximum validity period of 825 days. After August 31, 2020, the maximum validity period will be 395 days.
Disig, a.s. Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 28
E-Tugra Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31
Entrust Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31 Our CA will comply with this Apple Root Program requirement because Apple has indicated our roots will be distrusted in Safari if we don’t comply. However, we do not support this policy change. The Forum has voted on this potential change two times, most recently in Ballot SC22, and both ballots failed. This means that limiting certificate validity to 398 days does not represent industry-consensus best practices. We have been hearing from website owners about this Apple root program change, including major enterprise website owners, and they are upset and want to know the reasons supporting this change. Some are concerned about the significant additional costs (doubling) to their budgets, and some also fear potential system instability from this change.
Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Sep 1
GlobalSign Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Sep 1 GlobalSign is very concerned about the way Apple has announced their desired change. Root programs should not place binding requirements on CAs via email messages without corresponding root policy updates, or at a minimum, a blog or announcement that can be referenced as a an authoritative trusted source. It is not clear if that Apple new requirement is an official Apple root program policy, since neither the announcement of this change nor the Apple root policy has been updated to reflect this. GlobalSign plans to comply with the Apple root program.
GoDaddy Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31
Google Trust Services LLC (GTS) Our CA already limits TLS certificate validity period to 398 days or less.
Government of Hong Kong (SAR), Hongkong Post, Certizen Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Sep 1
Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31
Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31
Government of Taiwan, Government Root Certification Authority (GRCA) Other (please describe below) GRCA and its sub CAs do not issue any TLS certificates since 18-Seepteember 2019, and we will revoke all TLS certificates on 7/19/2020.
Government of The Netherlands, PKIoverheid (Logius) Our CA already limits TLS certificate validity period to 398 days or less. 2019 Nov 1
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 1
HARICA Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below.
IdenTrust Services, LLC Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31
Internet Security Research Group (ISRG) Our CA already limits TLS certificate validity period to 398 days or less.
Izenpe S.A. Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Sep 1
Krajowa Izba Rozliczeniowa S.A. (KIR) Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Sep 1
Microsec Ltd. Other (please describe below) Microsec is already prepared for the change, it can be done within a very short period of time (up to a few days) after the decision is made. Microsec has not yet decided on a date from which the validity period of the issued TLS certificates will not exceed 398 days. The reason is, that the significant reduction in the validity period will result more frequent certificate issuance, this way more frequent data validation need. This will lead to a significant increase in the annual fee for certificates due to higher annual average labour cost (especially for OV and EV certificates). If Microsec introduced this change earlier than other CAs, its price would be less competitive. Microsec has decided to await the reaction of other CAs on this issue, as well as the decision of other root stores and software vendors. The change is expected to be done in the last days before the specified Apple deadline.
NetLock Ltd. Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31
OISTE Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31
QuoVadis Other (please describe below) QuoVadis is able to implement a change to 398-day maximum validity for TLS certificates by the date Mozilla specifies in its policy.
SECOM Trust Systems CO., LTD. Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Sep 1
SK ID Solutions AS Other (please describe below) Please note that SK has terminated issuance of TLS Server Certificates as of September 1st 2017 and therefore we are unable to meet this requirement. The last TLS certificate will expire in September 2020.
SSL.com Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31
Sectigo Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31 August 31st is the latest date by which we will implement this limit. We reserve the right to implement it sooner.
SecureTrust Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 30
Shanghai Electronic Certification Authority Co., Ltd. (SHECA) Our CA already limits TLS certificate validity period to 398 days or less.
SwissSign AG Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31
Taiwan-CA Inc. (TWCA) Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31
Telia Company (formerly TeliaSonera) Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31 We can manage with the changes but we think that it is an unnecessary burden to our community and we should give more time to them to build their SSL automation, perhaps two more years. We are not aware of problems related to original domain ownership was lost so we can't see the benefits of this.
TrustCor Systems Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31
Trustis Other (please describe below) End-entity certificate issuance under the current service has been discontinued.
Web.com Our CA already limits TLS certificate validity period to 398 days or less. August 31st is the latest date by which we will implement this limit.
certSIGN Our CA plans to limit TLS certificate validity period to 398 days or less for certificates issued after the date specified below. 2020 Aug 31
eMudhra Technologies Limited Our CA already limits TLS certificate validity period to 398 days or less.