April 2017 CA Communication

ACTION 1: DOMAIN VALIDATION

Update your CA's CP, CPS, and process documentation as necessary to clearly indicate the methods of domain validation that may be used. Currently, the only permitted methods of domain validation are those documented in section 3.2.2.4 of version 1.4.1 (and not any other version) of the CA/Browser Forum's Baseline Requirements (BRs). Section 3.2.2.4 of version 1.4.1 of the BRs provides 10 different ways in which the CA may confirm that the certificate subscriber owns/controls the domain name to be included in the certificate, and your CP/CPS must clearly specify the procedures that the CA employs. Each documented procedure should state which subsection of 3.2.2.4 it is complying with.

Note that version 1.4.2 of the BRs does not contain all 10 of these methods, but it does contain section 3.2.2.4.11, "Other Methods", so the methods that were removed in version 1.4.2 of the BRs are still BR-compliant under that version. By Mozilla policy, CAs are not permitted to rely on the "Other Methods" section to use methods of domain validation that are not among the 10 listed in section 3.2.2.4 of version 1.4.1 of the BRs. The IPR issues relating to the missing methods have been resolved, so Mozilla expects that they will soon be restored. When they are, Mozilla's policy will once again be that we accept all of the methods of domain validation explicitly listed in the latest version of the BRs.

Please enter the date by which your CP/CPS will be updated to meet the above requirements (use format MM/DD/YYYY). Date must be before July 21, 2017. If your CA's included root certificates do not have the Websites trust bit enabled, then use the date 01/01/2015.

ACTION 1 COMMENTS

| CA Owner | Response (date) | Response (comments) |
|---|---|---|
| AC Camerfirma, S.A. | 2017 Jul 20 | AC Camerfirma is adapting its CPS and CP to eIDAS regulation, including the management of qualified certificate for website authentication. We are at the moment in the conformity assessment process. |
| Actalis | 2017 Jun 30 | None |
| Amazon Trust Services | 2017 Jul 20 | |
| Asseco Data Systems S.A. (previously Unizeto Certum) | 2017 Apr 21 | |
| Atos | 2017 Jun 30 | |
| Autoridad de Certificacion Firmaprofesional | 2017 Jun 30 | Currently Firmaprofesional is adapting its CPS and CP to eIDAS regulation, including the management of qualified certificate for website authentication. |
| Buypass | 2017 Jul 20 | |
| Certicámara | 2017 Jul 7 | |
| Certinomis / Docapost | 2017 Jun 30 | |
| China Financial Certification Authority (CFCA) | 2017 Jul 20 | |
| Chunghwa Telecom | 2017 Jul 20 | Last year, we had updated the domain validation method in accordance with the CABF Ballot 169 that we may use in our new CPS and our Policy Management Authority (PMA) had approved the new CPS. The new CPS was supposed to be further submitted to the competent authority (Ministry of Economic Affairs) in Taiwan for final approval. However, there were IPR issues for CABF ballot 169, so we suspended submitting of the updated versions of CPS to the competent authority. We hope CA/Browser Forum ballot 190 can be passed so that the methods of domain validation that may be used will soon be restored. If CABF passes ballot 190 in May 2016, we will submit our new CPS to the competent authority again, and it is anticipated that the new CPS can become effective before 08/31/2017. |
| ComSign | 2015 Jan 1 | |
| Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) | 2017 Jul 13 | Currently Consorci AOC is adapting its CPS and CP to eIDAS regulation, including the management of qualified certificate for website authentication. |
| Cybertrust Japan / JCSI | 2017 Jul 20 | To meet the above requirement, we, Cybertrust Japan (CTJ), will update our CPS for JCSI-root, but please note that CTJ currently doesn't issue any SSL/TLS certificates under JCSI-root. In our CPS for the JCSI-root, CTJ wrote the same thing such as JCSI-root has no Subordinate CA and therefore CTJ will not issue/revoke subscriber certificates under Sub-CA under the current CPS. So, we'll update the CPS to indicate the methods of domain validation that may be used when CTJ starts issuing SSL/TLS certs. |
| D-TRUST | 2017 Jul 14 | |
| Deutscher Sparkassen Verlag GmbH (S-TRUST, DSV-Gruppe) | 2017 Jun 7 | We do not issue SSL/TLS certificates. Therefore there is no Domain Validation and no corresponding description in the CP/CPS. |
| Dhimyotis / Certigna | 2017 Apr 18 | Certigna’s RA is using the 3.2.2.4.5 method of domain validation. That's described at section 3.2.3 of Certification policies and more explicitly at section 4.2.1. |
| DigiCert | 2017 Jul 20 | |
| Disig, a.s. | 2017 May 31 | |
| DocuSign (OpenTrust/Keynectis) | 2017 Jul 21 | |
| E-Tugra | 2017 Jun 30 | Current Domain Name verification methods are explained in current CPS. It will be revised with new BR items. |
| EDICOM | 2017 May 8 | ACEDICOM has always been using method: 3.2.2.4.2 Email, Fax, SMS, or Postal Mail to Domain Contact |
| Entrust | 2017 Jul 14 | |
| Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) | 2017 Apr 20 | |
| GlobalSign | 2017 Jun 30 | |
| GoDaddy | 2017 Jun 1 | Our CPS dated 1-Mar, 2017 currently describes each method we use in clear BR language, but without explicit mapping to the section numbers. That mapping will be added in our next update. |
| Google Trust Services LLC (GTS) | 2017 Jul 14 | |
| Government of Hong Kong (SAR), Hongkong Post, Certizen | 2017 Jul 21 | Nil |
| Government of Japan, Ministry of Internal Affairs and Communications | 2017 May 31 | If needed, use this space to provide further explanation about the date by which your CP/CPS will be updated to meet Mozilla's requirements about domain validation. There are no changes for domain verification at this time. |
| Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) | 2017 Jul 20 | |
| Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) | 2017 Jul 20 | |
| Government of Taiwan, Government Root Certification Authority (GRCA) | 2017 Jul 20 | We may use one or more of methods in 3.2.2.4.3, 3.2.2.4.6 and 3.2.2.4.8 in SSL BR V1.4.1. |
| Government of The Netherlands, PKIoverheid (Logius) | 2017 Jul 20 | |
| Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) | 2017 Jun 20 | |
| HARICA | 2017 Jul 21 | |
| IdenTrust Services, LLC | 2017 Jul 21 | |
| Internet Security Research Group (ISRG) | 2017 Jun 30 | |
| Izenpe S.A. | 2017 Jun 15 | |
| Krajowa Izba Rozliczeniowa S.A. (KIR) | 2017 Jun 30 | |
| LuxTrust | 2017 Jul 17 | |
| Microsec Ltd. | 2017 Jul 21 | Our CPS already fulfils the requirement, the only thing which is missing is the exact statement for the subsection of 3.2.2.4 it is complying with. |
| NetLock Ltd. | 2017 Jul 20 | |
| OISTE | 2016 May 19 | The used methods are already in compliance with the requirement, as specified in section 14.2.2 of the CPS |
| PROCERT | 2017 Jan 6 | |
| QuoVadis | 2017 Jun 30 | Confirmed |
| SECOM Trust Systems CO., LTD. | 2017 Jul 21 | |
| SK ID Solutions AS | 2016 Jul 1 | |
| Sectigo | 2017 Jul 20 | |
| SecureTrust | 2016 Jun 22 | Beginning with version 4.5 of our CPS, effective on the above date, we broke out section 3.2.2.4 in sub-items matching the BR sections that we use, both numerically and with section headings that match the corresponding sections in the BRs. |
| Start Commercial (StartCom) Ltd. | 2017 Apr 10 | |
| SwissSign AG | 2017 Jun 30 | |
| Swisscom (Switzerland) Ltd | 2015 Jan 1 | Swisscom stops issuing SSL certificates. The websites trust bit will be removed - see https://bugzilla.mozilla.org/show_bug.cgi?id=1359515 |
| Symantec | 2017 Jul 20 | We will update our current CABF BR domain validation method references to list the 10 specific methods by July 20, 2017. We may elect to use any of the permitted methods at any time. Our use, implementation, and interpretation of the methods are subject to change over time. |
| T-Systems International GmbH (Deutsche Telekom) | 2017 Jul 20 | |
| Taiwan-CA Inc. (TWCA) | 2017 Jun 30 | TWCA will update the domain validation method in CPS to comply with BR 1.4.1. |
| Telia Company (formerly TeliaSonera) | 2017 Jun 30 | |
| Trustis | 2017 Jun 30 | |
| TurkTrust | 2017 Jul 20 | Currently the domain validation methods applied are documented in the relevant TURKTRUST internal procedures. These will also be included in the CP and CPS by the date indicated above. |
| Visa | 2017 Mar 31 | The Domain validation methods are listed under 3.2.2 of our current CP/CPS. |
| Web.com | 2017 Jul 20 | |
| WoSign CA Limited | 2017 Jul 21 | |
| certSIGN | 2017 Jul 20 | |