April 2017 CA Communication

ACTION 13: SHA-1 and S/MIME Does your CA issue SHA-1 S/MIME certificates? If so, please explain your plans for ceasing to do so, and any self-imposed or external deadlines you are planning to meet. Mozilla plans to make policy in this area in the future, so please explain any facts or constraints which you think might be relevant to our considerations.

CA Owner Response
AC Camerfirma, S.A. Ac Camerfirma still issue smime sha1 certificates only for a few customers that wasn't able to change their systems to sha256. AC Camerfirma is working with these costumers to change before July
Actalis Our S/MIME certificates are signed with SHA-256.
Amazon Trust Services We do not issue SHA-1 S/MIME certificates.
Asseco Data Systems S.A. (previously Unizeto Certum) SHA-1 S/MIME certificates will be issued until the end of 2017. However, CERTUM provides S/MIME SHA-2 as well.
Atos We do not issue SHA-1 S/MIME certificates in this Root CA Environment
Autoridad de Certificacion Firmaprofesional Not Applicable
Buypass Not Applicable.
Certicámara It does not issues anything SHA-1 anymore.
Certinomis / Docapost Not Applicable
China Financial Certification Authority (CFCA) Not Applicable
Chunghwa Telecom We plans to cease to issue SHA-1 S/MIME certificates by September 1, 2017. But we need to communicate with those stakeholders. Their certificate validatiy period is one year.These S/MIME certificates are using for reciving encrypted Stock statement or Stock trading.
ComSign Our CA does not issue SHA-1 S/MIME certificates
Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) Not Applicable
Cybertrust Japan / JCSI No. CTJ issues no SHA-1 S/MIME certificate under JCSI-root.
D-TRUST Not Applicable
Deutscher Sparkassen Verlag GmbH (S-TRUST, DSV-Gruppe) Not Applicable
Dhimyotis / Certigna Our CA does not issue SHA-1 S/MIME certificates.
DigiCert We do. We plan to deprecate on Dec 31, 2017, but aren't opposed to a policy that accelerates this.
Disig, a.s. We don't issue SHA-1 S/MIME certificates.
DocuSign (OpenTrust/Keynectis) If none of your roots have the Email trust bit set, write "Not Applicable". We have not issued such certificates since April 2016.
E-Tugra E-Tugra does not issue Sha1 S/Mime Certificates
EDICOM "Not Applicable".
Entrust No, Entrust and AffirmTrust do not issue SHA-1 S/MIME certificates.
Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) Not Applicable.
GlobalSign GlobaSign has SHA-1 S/MIME service today. We are encouraging our customers to migrate to SHA-2 S/MIME. However some legacy Email systems cannot handle SHA-2. Because Email system is fundamental core system and company-wide infrastructure, it takes long time to replace/upgrade for our customers. We need to continue to provide SHA-1 certificate for such customers. It is difficult to say a clear due date, but we campaign for this, and we expect to remove SHA-1 S/MIME service within one year or such time frame.
GoDaddy Not Applicable
Google Trust Services LLC (GTS) We do not currently issue S/MIME, but plan to do so in the future. We will not be issuing SHA-1 S/MIME certificates.
Government of Hong Kong (SAR), Hongkong Post, Certizen Not Applicable as our root does not have the Email trust bit set.
Government of Japan, Ministry of Internal Affairs and Communications If none of your roots have the Email trust bit set, write "Not Applicable". Not Applicable
Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) We don’t issue SHA-1 certificates of any kind.
Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) Not Applicable
Government of Taiwan, Government Root Certification Authority (GRCA) Not any more since 2013
Government of The Netherlands, PKIoverheid (Logius) Under our current G2, G3 and EV Root CAs we only issue SHA-256 certificates.
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) Our CA does not issue SHA-1 S/MIME certificates
HARICA HARICA issues S/MIME Certificates but does not use the SHA-1 hashing algorithm.
IdenTrust Services, LLC Yes. IdenTrust issues SHA-1 S/MIME certificate from its DST Root CA X3. IdenTrust does not issue SHA-1 S/MIME from its Commercial CA 1 nor Public CA 1 roots. An ongoing migration plan is in place to get all our S/MIME customer to the SHA-256 technology. The salient dates/milestones are: * Start SHA-256 OCSP responses/CRLs: by July 1, 2017. * Stop issuance of all SHA-1 SMIME certificates: No later than September 16, 2017. * Renewal/expiration/revocation of all outstanding SHA-1 SMIME: September 16, 2018.
Internet Security Research Group (ISRG) Not Applicable
Izenpe S.A. We don’t issue SHA-1 S/MIME certificates
Krajowa Izba Rozliczeniowa S.A. (KIR) No.
LuxTrust "Not Applicable".
Microsec Ltd. Microsec CAs do not issue any SHA-1 certificates.
NetLock Ltd. Not Applicable
PROCERT PROCERT DON'T ISSUE CERTIFICATE UNDER SHA1 SINCE 2010.
QuoVadis QuoVadis has a limited number of customers who still issue SHA-1 personal certificates that could be used for S/MIME due to limitations on their side which are being addressed. Steps are underway to transition these customers to SHA-256 CAs during the summer 2017.
SECOM Trust Systems CO., LTD. We do not have plans for ceasing SHA-1 S/MIME certificates due to the environment of our customers right now. More careful consideration is needed for shift to SHA-2. On the other hand, all of our SHA-1 TLS/SSL certs were expired or revoked.
SK ID Solutions AS Not Applicable
Sectigo Yes, we still issue SHA-1 S/MIME certificates. We don't yet have a firm date by which we intend to cease doing so.
SecureTrust We do not issue SHA-1 S/MIME certificates.
Start Commercial (StartCom) Ltd. No
SwissSign AG Not Applicable
Swisscom (Switzerland) Ltd "Not Applicable"
Symantec We currently offer SHA-1 S/MIME certificates that chain to roots in Mozilla’s root store. We plan to phase out this offering by CY-Q3-2017.
T-Systems International GmbH (Deutsche Telekom) We did not issue any SHA-1 certificates after Q1/2016. Issued SHA-1 certificates (unrevoked) are valid until the end of the validity period.
Taiwan-CA Inc. (TWCA) TWCA do not have plan to sun setting the SHA-1 S/MIME certificate because some applications of our customer do not support SHA-1 hash algorithm. If the Root CA policy has clear SHA-1 deprecated date, that we could use this excuse to convince our customer to upgrade their application to support SHA-2 algorithm and let us remove any SHA-1 support from our CA system.
Telia Company (formerly TeliaSonera) No publicly trusted SHA-1 SMIME certificates since 11/2014.
Trustis Not applicable
TurkTrust TURKTRUST does not issue SHA-1 S/MIME certificates.
Visa Yes, by our Visa Information Delivery CA. Visa issues S/MIME certificates to employees who have requirements to sign and encrypt confidential emails. We will monitor and follow any future industry standard and requirements for this type of certificate.
WISeKey WISeKey's certificates are recognized by the Peruvian government, and it's only in mid-2017 that the new intermediate certificates issuing SHA-256 certificates will be included in the TSL. This forces us to still issue SHA-1 personal certificates which are enabled for S/MIME. We expect to remove this dependency in 2017 and only issue SHA-256 S/MIME certificates at some point during 2017.
Web.com Not Applicable
WoSign CA Limited We have decided to completely stop issuing SHA-1 S/MIME certificates on July 1st, 2017.
certSIGN No, we issue SHA-256 S/MIME certificates.