April 2017 CA Communication

ACTION 11: CERTIFICATION AUTHORITY AUTHORIZATION (CAA) The CA/Browser Forum recently passed ballot 187, which updated the Baseline Requirements to make DNS Certification Authority Authorization (CAA) checking per RFC 6844 mandatory at time of certificate issuance in almost all circumstances. Please provide a list of the domain names which your CA plans to recognize in a CAA record's issue and issuewild property tags as permitting it to issue. Mozilla plans to make a central list of identifiers, so please explain if certain identifiers are only permitted under certain circumstances.

CA Owner Response
AC Camerfirma, S.A. camerfirma.com
Actalis actalis.it
Amazon amazon.com amazontrust.com awstrust.com amazonaws.com We also may accept FQDNs which are subordinate to these names (for example aws.amazon.com)
Asseco Data Systems S.A. (previously Unizeto Certum) At least certum.pl, certum.eu.
Autoridad de Certificacion Firmaprofesional example.com. CAA 0 issue "firmaprofesional.com"
Buypass buypass.com, buypass.no
Certicámara Not applicable
Certinomis / Docapost www.certinomis.com www.certinomis.fr
China Financial Certification Authority (CFCA) cfca.com.cn
Chunghwa Telecom cht.com.tw、echt.com.tw、chtr.org.tw、hinet.net、xuite.net、emome.net、goodscome.com、ienet.net.tw、twgate.net、ucampro.com、0800080412.com.tw are owned by our company. We hope SSL certificates of above domain Names are issued by our CA.
ComSign Not Applicable
Comodo CA We recognize the following domain names in issue and issuewild property tags as permitting us to issue: comodo.com comodoca.com usertrust.com trust-provider.com
Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) aoc.cat
Cybertrust Japan / JCSI As mentioned above, CTJ currently does't issue any SSL/TLS certificates under JCSI-root currently. CTJ will provide a list of domain names in the case we start issuing SSL/TLS certificates under JCSI-root.
D-TRUST d-trust.net ; d-trust.de ; d-trust.com ; bdr.de
Deutscher Sparkassen Verlag GmbH (S-TRUST, DSV-Gruppe) Not Applicable
Dhimyotis / Certigna No domain names to recognize.
DigiCert digicert.com, although I may add misspellings of "Digicert" shortly. It happens a lot.
Disig, a.s. disig.sk
DocuSign (OpenTrust/Keynectis) If the Websites trust bit is not set for your root certificates, write "Not Applicable". docusign.fr
E-Tugra e-tugra.com, e-tugra.com.tr
EDICOM edicomgroup.com acedicom.edicomgroup.com
Entrust For the Entrust brand, we will use entrust.net For the AffirmTrust brand, we will use affirmtrust.com
Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) gdca.com.cn
GlobalSign GlobalSign plans to use globalsign.com as the value we will recognize in CAA records.
Go Daddy godaddy.com starfieldtech.com
Google Trust Services (GTS) symantec.com (currently in use for our enterprise intermediate, but will be going away as we shift to our root material) pki.goog google.com
Government of Hong Kong (SAR), Hongkong Post, Certizen Domain owners can use "hongkongpost.gov.hk" in their CAA record, which if present we plan to check for it in our certificate issuance process. If the domain's CAA record is not present, we shall treat it as permission to issue.
Government of Japan, Ministry of Internal Affairs and Communications If the Websites trust bit is not set for your root certificates, write "Not Applicable". There is no list right now. We will introduce it in the future.
Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) accv.es
Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) fnmt.es
Government of Taiwan, Government Root Certification Authority (GRCA) gca.nat.gov.tw -->Government Certification Authority
Government of The Netherlands, PKIoverheid (Logius) www.pkioverheid.nl
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) kamusm.gov.tr
HARICA harica.gr
IdenTrust identrust.com www.identrust.com
Internet Security Research Group (ISRG) letsencrypt.org
Izenpe S.A. We plan to define "izenpe.com" and "izenpe.eus" as identifiers
Krajowa Izba Rozliczeniowa S.A. (KIR) We are planning to issue SSL/TLS certificates to all domains which we are able to identify and which weren't restricted for us by domain owner.
LuxTrust This requirement is under analysis.
Microsec Ltd. "e-szigno.hu"
NetLock Ltd. netlock.hu netlock.net netlock.eu
QuoVadis quovadisglobal.com
SECOM Trust Systems CO., LTD. We are now still planning and decide it before the time required to conform.
SK ID Solutions AS sk.ee
Start Commercial (StartCom) Ltd. startcomca.com, startssl.com
SwissSign AG We have defined the string "swisssign.com" as an identifier, which must be set to allow us to issue certificates for the corresponding domain.
Swisscom (Switzerland) Ltd "Not Applicable"
Symantec Symantec’s list of domain names to be used in CAA records is: symantec.com, thawte.com, geotrust.com, rapidssl.com, volusion.digitalcertvalidation.com, stratossl.digitalcertvalidation.com, intermediatecertificate.digitalcertvalidation.com, and 1and1.digitalcertvalidation.com If we see any of these values in a CAA record, we interpret that as permission to issue a certificate from any of our CAs.
T-Systems International GmbH (Deutsche Telekom) T-Systems: - telesec.de DFN: - pki.dfn.de - dfn.de
Telia Company (formerly TeliaSonera) telia.com, telia.fi, telia.se
Trustis The only domains the healthcare CA issues to is *.nhs.uk. We therefore need to engage fully with NHS as they control the DNS entries and arrangements by which such are controlled. In addition to the constraints for Mozilla, CABF etc. we are also subjected to NHS compliance requirements. It will take a little while to bring our dialogue with the NHS to conclusion. Once we know what the NHS plans are will be able to provide the information requested .
Trustwave Trustwave.com
TurkTrust Not implemented yet.
Visa Not Applicable
WISeKey wisekey.com, hightrusted.com, certifyid.com, oiste.org
Web.com We plan to recognize the following domain names in issue and issuewild property tags as permitting us to issue: web.com networksolutions.com
WoSign CA Limited wosign.com
certSIGN certsign.ro