| ACTION 11: CERTIFICATION AUTHORITY AUTHORIZATION (CAA) The CA/Browser Forum recently passed ballot 187, which updated the Baseline Requirements to make DNS Certification Authority Authorization (CAA) checking per RFC 6844 mandatory at time of certificate issuance in almost all circumstances. Please provide a list of the domain names which your CA plans to recognize in a CAA record's issue and issuewild property tags as permitting it to issue. Mozilla plans to make a central list of identifiers, so please explain if certain identifiers are only permitted under certain circumstances. |
|---|
| CA Owner | Response |
|---|---|
| AC Camerfirma, S.A. | camerfirma.com |
| Actalis | actalis.it |
| Amazon Trust Services | amazon.com amazontrust.com awstrust.com amazonaws.com We also may accept FQDNs which are subordinate to these names (for example aws.amazon.com) |
| Asseco Data Systems S.A. (previously Unizeto Certum) | At least certum.pl, certum.eu. |
| Autoridad de Certificacion Firmaprofesional | example.com. CAA 0 issue "firmaprofesional.com" |
| Buypass | buypass.com, buypass.no |
| Certicámara | Not applicable |
| Certinomis / Docapost | www.certinomis.com www.certinomis.fr |
| China Financial Certification Authority (CFCA) | cfca.com.cn |
| Chunghwa Telecom | cht.com.tw、echt.com.tw、chtr.org.tw、hinet.net、xuite.net、emome.net、goodscome.com、ienet.net.tw、twgate.net、ucampro.com、0800080412.com.tw are owned by our company. We hope SSL certificates of above domain Names are issued by our CA. |
| ComSign | Not Applicable |
| Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) | aoc.cat |
| Cybertrust Japan / JCSI | As mentioned above, CTJ currently does't issue any SSL/TLS certificates under JCSI-root currently. CTJ will provide a list of domain names in the case we start issuing SSL/TLS certificates under JCSI-root. |
| D-TRUST | d-trust.net ; d-trust.de ; d-trust.com ; bdr.de |
| Deutscher Sparkassen Verlag GmbH (S-TRUST, DSV-Gruppe) | Not Applicable |
| Dhimyotis / Certigna | No domain names to recognize. |
| DigiCert | digicert.com, although I may add misspellings of "Digicert" shortly. It happens a lot. |
| Disig, a.s. | disig.sk |
| DocuSign (OpenTrust/Keynectis) | If the Websites trust bit is not set for your root certificates, write "Not Applicable". docusign.fr |
| E-Tugra | e-tugra.com, e-tugra.com.tr |
| EDICOM | edicomgroup.com acedicom.edicomgroup.com |
| Entrust | For the Entrust brand, we will use entrust.net For the AffirmTrust brand, we will use affirmtrust.com |
| Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) | gdca.com.cn |
| GlobalSign | GlobalSign plans to use globalsign.com as the value we will recognize in CAA records. |
| GoDaddy | godaddy.com starfieldtech.com |
| Google Trust Services LLC (GTS) | symantec.com (currently in use for our enterprise intermediate, but will be going away as we shift to our root material) pki.goog google.com |
| Government of Hong Kong (SAR), Hongkong Post, Certizen | Domain owners can use "hongkongpost.gov.hk" in their CAA record, which if present we plan to check for it in our certificate issuance process. If the domain's CAA record is not present, we shall treat it as permission to issue. |
| Government of Japan, Ministry of Internal Affairs and Communications | If the Websites trust bit is not set for your root certificates, write "Not Applicable". There is no list right now. We will introduce it in the future. |
| Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) | accv.es |
| Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) | fnmt.es |
| Government of Taiwan, Government Root Certification Authority (GRCA) | gca.nat.gov.tw -->Government Certification Authority |
| Government of The Netherlands, PKIoverheid (Logius) | www.pkioverheid.nl |
| Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) | kamusm.gov.tr |
| HARICA | harica.gr |
| IdenTrust Services, LLC | identrust.com www.identrust.com |
| Internet Security Research Group (ISRG) | letsencrypt.org |
| Izenpe S.A. | We plan to define "izenpe.com" and "izenpe.eus" as identifiers |
| Krajowa Izba Rozliczeniowa S.A. (KIR) | We are planning to issue SSL/TLS certificates to all domains which we are able to identify and which weren't restricted for us by domain owner. |
| LuxTrust | This requirement is under analysis. |
| Microsec Ltd. | "e-szigno.hu" |
| NetLock Ltd. | netlock.hu netlock.net netlock.eu |
| PROCERT | PROCERT.NET.VE |
| QuoVadis | quovadisglobal.com |
| SECOM Trust Systems CO., LTD. | We are now still planning and decide it before the time required to conform. |
| SK ID Solutions AS | sk.ee |
| Sectigo | We recognize the following domain names in issue and issuewild property tags as permitting us to issue: comodo.com comodoca.com usertrust.com trust-provider.com |
| SecureTrust | Trustwave.com |
| Start Commercial (StartCom) Ltd. | startcomca.com, startssl.com |
| SwissSign AG | We have defined the string "swisssign.com" as an identifier, which must be set to allow us to issue certificates for the corresponding domain. |
| Swisscom (Switzerland) Ltd | "Not Applicable" |
| Symantec | Symantec’s list of domain names to be used in CAA records is: symantec.com, thawte.com, geotrust.com, rapidssl.com, volusion.digitalcertvalidation.com, stratossl.digitalcertvalidation.com, intermediatecertificate.digitalcertvalidation.com, and 1and1.digitalcertvalidation.com If we see any of these values in a CAA record, we interpret that as permission to issue a certificate from any of our CAs. |
| T-Systems International GmbH (Deutsche Telekom) | T-Systems: - telesec.de DFN: - pki.dfn.de - dfn.de |
| Telia Company (formerly TeliaSonera) | telia.com, telia.fi, telia.se |
| Trustis | The only domains the healthcare CA issues to is *.nhs.uk. We therefore need to engage fully with NHS as they control the DNS entries and arrangements by which such are controlled. In addition to the constraints for Mozilla, CABF etc. we are also subjected to NHS compliance requirements. It will take a little while to bring our dialogue with the NHS to conclusion. Once we know what the NHS plans are will be able to provide the information requested . |
| TurkTrust | Not implemented yet. |
| Visa | Not Applicable |
| WISeKey | wisekey.com, hightrusted.com, certifyid.com, oiste.org |
| Web.com | We plan to recognize the following domain names in issue and issuewild property tags as permitting us to issue: web.com networksolutions.com |
| WoSign CA Limited | wosign.com |
| certSIGN | certsign.ro |