May 2020 CA Communication

SUB ITEM 4.4 OCSP Requirements The proposal is to add the following text to section 4.9.10 of the BRs: “The validity interval of an OCSP response is the difference in time between the thisUpdate and nextUpdate field, inclusive. For purposes of computing differences, a difference of 3,600 seconds shall be equal to one hour, and a difference of 86,400 seconds shall be equal to one day, ignoring leap-seconds. For the status of Subscriber Certificates: 1. OCSP responses MUST have a validity interval greater than or equal to eight hours; 2. OCSP responses MUST have a validity interval less than or equal to ten days; 3. For OCSP responses with validity intervals less than sixteen hours, then the CA SHALL update the information provided via an Online Certificate Status Protocol prior to one-half of the validity period before the nextUpdate. 4. For OCSP responses with validity intervals greater than or equal to sixteen hours, then the CA SHALL update the information provided via an Online Certificate Status Protocol at least eight hours prior to the nextUpdate, and no later than four days after the thisUpdate." And add the following text to section 7.1.2.3(c, authorityInformationAccess) of the BRs: “This extension MUST be present. It MUST NOT be marked critical, and it MUST contain the HTTP URL of the Issuing CA's OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CA's certificate (accessMethod = 1.3.6.1.5.5.7.48.2).” Note: This item is also being tracked in regards to directly updating Mozilla's Root Store Policy via https://github.com/mozilla/pkipolicy/issues/211.
SUB ITEM 4.4 DATE
SUB ITEM 4.4 COMMENTS

CA Owner Response Response Response
AC Camerfirma, S.A. Our CA already does this.
Actalis Our CA already does this.
Amazon Trust Services Our CA already does this.
Asseco Data Systems S.A. (previously Unizeto Certum) Our CA already does this.
Atos Our CA already does this.
Autoridad de Certificacion Firmaprofesional Our CA should be able to implement this by the date specified below. 2020 Jul 31 Currently, our nextUpdate value is 300 seconds (5 minutes). As we see it, making it bigger, to hours, even days does not seem at all an improvement neither from a technical security standpoint nor from a legal trust point of view, just on the contrary.
Buypass Our CA already does this.
China Financial Certification Authority (CFCA) Our CA already does this.
Chunghwa Telecom Our CA should be able to implement this by the date specified below. 2020 Jun 30
Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) Our CA should be able to implement this by the date specified below. 2020 Jul 29
Cybertrust Japan / JCSI Our CA already does this.
D-TRUST Our CA already does this.
Deutsche Telekom Security GmbH Our CA already does this.
Dhimyotis / Certigna Our CA already does this.
DigiCert Other (please describe below) DigiCert & Apple SubCA: If this change becomes effective, Apple and DigiCert will update our procedures to prior to the effective date.
Disig, a.s. Our CA already does this.
E-Tugra Our CA should be able to implement this by the date specified below. 2020 Jul 30
Entrust Other (please describe below) Our CA should be able to implement within 2 weeks from when the requirement changes. This requirement should be addressed with the CA/Browser Forum and if approved added to the BRs.
Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) Our CA already does this.
GlobalSign nv-sa Our CA should be able to implement this by the date specified below. 2020 Jul 1
GoDaddy Our CA should be able to implement this by the date specified below. 2020 Jul 1
Google Trust Services LLC Our CA already does this.
Government of Hong Kong (SAR), Hongkong Post, Certizen Our CA already does this.
Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) Our CA should be able to implement this by the date specified below. 2020 Jul 15
Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) Our CA already does this.
Government of Taiwan, Government Root Certification Authority (GRCA) Other (please describe below) GRCA and its sub CAs do not issue any TLS certificates since 18-Seepteember 2019, and we will revoke all TLS certificates on 7/19/2020. Our root cert will be removed from Mozilla's root store after 7/19/2020 Please see: https://bugzilla.mozilla.org/show_bug.cgi?id=1463975
Government of The Netherlands, PKIoverheid (Logius) Our CA already does this.
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) Our CA already does this.
HARICA Our CA already does this.
IdenTrust Services, LLC Our CA should be able to implement this by the date specified below. 2020 Oct 14
Internet Security Research Group Our CA already does this.
Izenpe S.A. Our CA already does this.
Krajowa Izba Rozliczeniowa S.A. (KIR) Our CA should be able to implement this by the date specified below. 2020 Sep 1
Microsec Ltd. Our CA already does this.
NETLOCK Kft. Our CA already does this.
OISTE Our CA already does this.
QuoVadis Our CA already does this.
SECOM Trust Systems CO., LTD. Our CA already does this.
SK ID Solutions AS Our CA already does this.
SSL.com Our CA already does this.
Sectigo Our CA already does this.
SecureTrust Our CA already does this.
Shanghai Electronic Certification Authority Co., Ltd. Our CA already does this.
SwissSign AG Our CA already does this.
Taiwan-CA Inc. (TWCA) Our CA already does this.
Telia Company Our CA already does this. 2020 Jun 1 Our OCSP responses are in the limits.
TrustCor Systems Our CA already does this.
Trustis Other (please describe below) Our CA should be able to implement within 2 weeks from when the requirement changes.
Web.com Our CA already does this.
certSIGN Our CA already does this.
eMudhra Technologies Limited Our CA already does this.