April 2017 CA Communication

ACTION 12: PROBLEM REPORTING MECHANISM Please explain how your CA meets the following requirement from section 4.9.3 of the CA/Browser Forum's Baseline Requirements. "The CA SHALL provide Subscribers, Relying Parties, Application Software Suppliers, and other third parties with clear instructions for reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, inappropriate conduct, or any other matter related to Certificates. The CA SHALL publicly disclose the instructions through a readily accessible online means." Mozilla plans to make a central list of these mechanisms. Please detail both the mechanism and the location(s) where you publicly disclose this information. You are encouraged to make an email address at least one of your provided options.

CA Owner Response
AC Camerfirma, S.A. AC Camerirma offer a email address to provide this information. operaciones@camerfirma.com; gestion_soporte@camerfirma.com
Actalis Our problem reporting procedure is documented on out web site at the following address (see section "Problem reporting"): https://www.actalis.it/products/ssl-certificate.aspx The same procedure is also described in our CPS.
Amazon Trust Services We publish this information at https://www.amazontrust.com/repository/ "Reports of problems with certificates issued by Amazon may be submitted by emailing ats-tsp-requests[at]amazon.com."
Asseco Data Systems S.A. (previously Unizeto Certum) CPS section 4.9.3 (https://www.certum.eu/certum/179898.xml). Standardized contact form - https://www.certum.eu/certum/cert,contact_contact.xml.
Autoridad de Certificacion Firmaprofesional It is stated in the CPS and CP: an email address; info@firmaprofesional.com
Buypass We provide an online web service ('SSL Problem Reporting') where actors can report problems related to Certificates issued by Buypass. See https://www.buypass.com/ssl/support/ssl-problem-reporting.
Certicámara For our end users (not TLS) Certicamara offers a service called SSPS where they can administer all requirements for their certificates.
Certinomis / Docapost PDS are published : https://www.certinomis.fr/publi/cgu/CGU_SERV_v2.2.EN.pdf and also part of the application form. Section 1 gives infomation contact + email + postal adress + phone number + web form
China Financial Certification Authority (CFCA) We use 2 stage PROBLEM REPORTING MECHANISM 1, Service Hotline +86 400-880-9888 2,If file/evidence needed send mail to rc@cfca.com.cn Note that our Service Hotline serve Chinese - speaking Customer only, Non- Chinese speaking Customer should use the second method. (This method will be included in the next version of CPS) disclose location: our website www.cfca.com.cn
Chunghwa Telecom Our contact information is as follows: Domestic Toll-free phone: 0800080365 Address: ePKI Root Certification Authority, Public Certification Authority, ePKI EV SSL Certification Authrotiy of Chunghwa Telecom, Data Communication Building, No. 21, Hsin-Yi Road, Sec.1, Taipei City 10048, Taiwan, R.O.C. E-mail: caservice@cht.com.tw http://eca.hinet.net, http://publicCA.hinet.net or http://ev.hinet.net
ComSign Not Applicable
Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) As it is stated in the CPS and CP: via web by opening a support tiquet on "http://suport.aoc.cat" or via phone calling "902901080" or "932722501"
Cybertrust Japan / JCSI CTJ is providing an e-mail address "jcsi-r@cybertrust.ne.jp" which is described in the repository page for JCSI-root: https://www.cybertrust.ne.jp/jcsi/repository.html (Please see the bottom of this page.) Sorry in Japanese, but it says the mail address is for reporting suspected Private Key Compromise, Certificate misuse, or any other matter related to Certificates. It also says 24 x 365 reception.
D-TRUST We provide services for Problem Reporting by eMail and phone with based on a ticket system , please see> https://www.bundesdruckerei.de/en/Contact
Deutscher Sparkassen Verlag GmbH (S-TRUST, DSV-Gruppe) Problem reporting is outlined in "https://www.s-trust.de/ablage_download_dokumente/ablage_pdf/agb_zertifizierungsdienstleistungen.pdf". Chapter 6, particularly 6.3, 6.4, 6.5 and chapter 8.
Dhimyotis / Certigna Terms and conditions describe this process at section 21. http://cgu.certigna.fr/en/CGU_CERTIGNA_SERVICES_CA.pdf http://cgu.certigna.fr/en/CGU_CERTIGNA_WILD_CA.pdf The report can be done through our website contact form at https://www.certigna.fr/contact.xhtml which proposes the following subject: “Certificate considered malicious or dangerous”.
DigiCert Instructions are at https://www.digicert.com/certificate-revocation.htm. Requests can be made through revoke@digicert.com..
Disig, a.s. Via e-mail to the e-mail address tspnotify@disig.sk Slovak version: http://eidas.disig.sk/sk/documents/ English version: http://eidas.disig.sk/en/documents/
DocuSign (OpenTrust/Keynectis) If the Websites trust bit is not set for your root certificates, write "Not Applicable". To be completed later when we have all the appropriate information.
E-Tugra A dedicated web page exists our helpdesk website (https://helpdesk.e-tugra.com.tr/index.php?type=submit_ticket) Our email address, and phone numbers exist on our websites for problem reporting.
EDICOM Certificate Practices Statement can be found at: https://acedicom.edicomgroup.com/en/archivos/politicas_caedicom/1_0/CAEDICOM01%20-%20CertificationPractices.pdf 4.9.3 REVOCATION REQUEST PROCEDURE The revocation request procedure of each type of certificate will be defined in the corresponding Certification Policy. In general terms, and notwithstanding that defined in the Certification Policies: • Remote requests for revocation will be accepted if they are digitally signed with a certificate from CAEDICOM or any other recognised Certification Service Provider theta issues Qualified Certificates. applications in person will be accepted if the user identification requirements set out for initial registration are fulfilled . • After revocation of the certificate, the certificate subscriber must destroy the private key corresponding to the same and not make use of the revoked certificate. There is a certificate revocation application form available on the ACEDICOM website: http://acedicom.edicomgroup.com A revocation request, whether submitted on paper or electronically, must contain the information described in the revocation request form included in each of the Certification Policies. Nevertheless, CAEDICOM is committed to immediately publish the new status of the certificate by means of CSP as soon as the reasons for the revocation requested are stated. Likewise, the certificate will be included in CRL lists published by CAEDICOM in the next CRL renewal cycle, with 24 hour regularity. Subscribers will be notified of the changes of status in their certificates by e-mail.
Entrust AffirmTrust has a link at https://www.affirmtrust.com/ssl/ to prompt an email to abuse@affirmtrust.com. This link is also provided in the CPS. Entrust has a webpage https://www.entrust.net/ev/misuse.cfm to support misuse. This link is also provided in the CPS.
Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) GDCA maintains a 24x7 certificate problems reporting and processing mechanism. The relying parties, judicial institutions, application software providers, anti-virus organizations and other third parties may contact GDCA timely through the following ways in case they found any suspicious problems in relation to the certificates, such as private key disclosure or suspicious disclosure, certificates abuse, the use of certificates to sign suspicious codes etc. Call: 95105813 E-mail to: webtrustreport@gdca.com.cn
GlobalSign We offer up several submission channels for the requirements listed in section 4.9.3, all are open to use by subscribers, relying parties, application software suppliers and any other third parties. The submissions channels are as follows: Abuse/misuse web form: https://www.globalsign.com/en/report-abuse/ Revocation request form: https://www.globalsign.com/en/repository/revoke.pdf Other web form https://support.globalsign.com/customer/portal/emails/new Abuse/misuse email: report-abuse@globalsign.com Other email: support@globalsign.com Livechat is offered throughout the commercial website as a valid reporting vector Regional phone numbers: https://www.globalsign.com/en/company/contact/ Regional postal address: https://www.globalsign.com/en/company/contact/
GoDaddy We accept problem reports via phone (+1.480.505.8852) and email (practices@starfieldtech.com). This information is published at the top of our repository – https://certs.godaddy.com/repository or https://certs.starfieldtech.com/repository
Google Trust Services LLC (GTS) In Section 4.9.3 of our CPS we provide the email address contact@pki.goog as means for contacting us and we inform about the factors that we consider when deciding whether to revoke a certificate or not. Further instructions are given in Subsections 4(b)-(c) of our Subscriber Agreement.
Government of Hong Kong (SAR), Hongkong Post, Certizen Subscribers may contact us and submit a certificate revocation request of their e-Cert to Hongkong Post by fax to +852 2775 9130, lettermail, email to enquiry@hongkongpost.gov.hk or in-person to report the case and revoke the certificate at any time for any reason. The information is publicly disclosed at the following location: http://www.hongkongpost.gov.hk/product/ecert/revocation/index.html
Government of Japan, Ministry of Internal Affairs and Communications If the Websites trust bit is not set for your root certificates, write "Not Applicable". We provide an e-mail address that we can contact to our homepae against unauthorized use of certifiates and other injustices etc.
Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) Subscriber must sign and accept the certification contract, which includes the certificate police reference and the organization web, where we disclose our information and support contact. This is the way that our subscribers and other parties may notice us any incident or problem (revocation, key compromise, wrong data errors, etc..). That information appears in CPS too. The main email address is accv@accv.es, and the main telephone number is +34902482481.
Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) An email address: ceres@fnmt.es It is stated both in CPS and PDS documents. Information is publicly disclosed at www.cert.fnmt.es
Government of Taiwan, Government Root Certification Authority (GRCA) Please see our CA's web site repository or GCA CPS section 1.4.2 . Our contact information is as follows: Domestic phone: 02-2192-7111 (Tawian) Address: No. 21, Hsin-Yi Road, Sec.1, Taipei City 10048, Taiwan, R.O.C. E-mail: egov@service.gov.tw http://grca.nat.gov.tw/GRCAeng/index.html https://gca.nat.gov.tw/web2/index.html
Government of The Netherlands, PKIoverheid (Logius) Since the question mentions the BR which only applies to TLS certificates we’ve excluded two Trusted Service Providers (TSPs, issuing CAs) below (specifically, The Ministry of Defence and The Ministry of Infrastructure and the Environment who don’t issue TLS certificates within the Staat der Nederlanden Root CA aka PKIoverheid hierarchy) Parties who want to report a problem related to certificates have to contact the individual issuing CA's. Procedures how to contact them (in general, by email or phone) are described in the CPS document of each Trusted Service Provider (CA) operating within the PKIoverheid system. In short: KPN B.V: https://certificaat.kpn.com/downloads/, KPN PKIoverheid Certification Practice Statement, section 4.9.3. email: pkivalidation@kpn.com QuoVadis Trustlink B.V.: https://www.quovadisglobal.nl/Repository.aspx, QuoVadis CPS for Netherlands PKIoverheid - Services/Server v1.5, , section 4.5.2.2. Phone +31(0)302324320 during office hours, or +16512293456 for emergencies outside office hours. Also possible via email: support@quovadisglobal.com Digidentity B.V: https://www.digidentity.eu/nl/home/#requirements, CPS Digidentity PKIoverheid v1.9, sections 3.4, 4.9.2 and 4.9.3. During office hours: via email: info@digidentity.eu, or call +31(0)887 78 78 78 . Outside of office hours, call +31 (0)887 78 78 00 (only for subscribers). ESG de Electronische Signatuur B.V: https://www.de-electronische-signatuur.nl/nl/repository, Certification Practice Statement 7.3, section 4.9.3, call +31(0)495-566355 (only for subscribers) or contact via e-mail: info@de-electronische-signatuur.nl. CIBG: https://www.zorgcsp.nl/certification-practice-statement-cps, section 4.10.3 (for UZI-register) and 4.9.3 (for Zovar). Contact via E-mail: info@uzi-register.nl and info@zovar.nl In case of issues with certificates provided by multiple TSP's, or with the (issuing) intermediate CA certificates please email servicecentrum@logius.nl (see PKIoverheid CPS, https://cps.pkioverheid.nl, CPS PA PKIoverheid Reguliere Root v4.0, page 2).
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) SSL certificate revocation application shall be made by the organization representative with an approved official letter. In case of an urgent revocation, the organization representative may send the scanned approved official letter to Kamu SM from his corporate e-mail address and call Kamu SM for revocation. In this case, after the required authentication procedures, Kamu SM shall revoke the certificate. Kamu SM notifies the agency about revocation of its certificate via e-mail and the revocation is reflected to CRL and OCSP as described in Section 4.9.5. In case of revocation of root or sub CA certificates of Kamu SM, revocation status shall be announced to relevant parties as soon as possible. All certificates bearing signature of root or sub CA shall be revoked and their owners shall be duly notified via e-mail or SMS.
HARICA From Section 4.9.3.2 of HARICA's CP/CPS: "Any other entity can submit a revocation request via e-mail to ca@harica.gr with proof that: a) the private key of the certificate has been exposed, or b) the use of the certificate does not conform to the Certification Policy or c) the certificate owner’s relationship with the corresponding organization is terminated. All third-party revocation requests are investigated by HARICA before a revocation action is taken. After revocation, the Subscriber of the certificate will be informed of the change of status and the certificate shall not be reinstated".
IdenTrust Services, LLC For Subscriber, Relying Parties and other parties; IdenTrust provides a HTTP public page with information that includes: Phone number, our help desk email and chat. These mechanisms can be reached at: https://identrustssl.com/support.html For Application Software Providers, a problem reporting alias email is provided privately.
Internet Security Research Group (ISRG) Information is provided on these pages: https://letsencrypt.org/contact/ https://letsencrypt.org/repository/ The following email addresses are provided: security@letsencrypt.org cert-prob-reports@letsencrypt.org
Izenpe S.A. Every suscriber must accept the "Terms and Conditions" before we accept a certificate request, and within chapter 1 of this document all contact information is provided. Information is publicly disclosed in www.izenpe.eus.
Krajowa Izba Rozliczeniowa S.A. (KIR) This information is disclosed on our website: http://www.elektronicznypodpis.pl/en/information/how-to-suspend-or-revoke-the-certificate/ There is information and link to our contact form: If you have any information that might indicate: a compromise/ discredit of private key associated with the certificate issued by the KIR, misuse a certificate issued by KIR or usage a certificate by a non-entity, irregularities in the process of issuance of the certificate by KIR use of certificates for criminal please report us immediately via the contact form. http://www.elektronicznypodpis.pl/en/contact-us/contact-form/
LuxTrust If the These information are displayed on our website under the contact link : LuxTrust S.A. IVY Building 13-15 Parc d’Activités L-8308 Capellen Phone: +352 26 68 15 – 1 Fax: +352 26 68 15 – 789 Email: info@luxtrust.lu Support & Helpdesk Phone: + 352 24 550 550 E-mail: helpdesk@luxtrust.lu MO-FR from 08.00 to 18.00 The phone number + 352 24 550 550 is reachable 24*7.
Microsec Ltd. It is written in our CPS document in section 4.9.3. The CPS is available on our web page on the following link: https://e-szigno.hu/en/pki-services/certificate-policies-general-terms-and-conditions/ 4.9.3 Procedure for Revocation Request The Trust Service Provider ensures the following possibilities to submit a revocation request: • on paper signed manually at the customer service of the Trust Service Provider during office hours in person; • in an electronic form with an electronic signature based on a non-pseudonymous Certificate with a security classification not lower than the Certificate to be revoked (see section 1.2.3.); • signed manually, sent by post to the customer service. • Through the website of the Trust Service Provider 24 hours a day. The IT system of the Trust Service Provider shall process immediately the applications submitted through its website, the site shall inform the application submitter about the results of the evaluation. • Through a telephone hotline of the Trust Service Provider 24 hours a day. The administrator of the Trust Service Provider shall review the applications received on the Trust Service Provider hotline telephone within the duration of the call, and he shall notify the applicant about his decision. The Trust Service Provider verifies the authenticity of the request, and the submitter’s eligibility during the evaluation of the request. In case of submitting a personal request, the identification of the requester takes place according to section 3.2.3. In case of Certificate application signed with a valid electronic signature, there is no need for further verification of the identity of the applicant and the authenticity of the application. In case of submitting revocation application on paper, via mail the Trust Service Provider verifies the manual signature on the application. The reason for revocation shall be stated. If the revocation was requested by the Client, and it does not state the reason for revocation, then the Trust Service Provider considers that the reason for revocation is that the Subject does not want to use the Certificate anymore. If the Client asks for revocation due to key compromise, the Trust Service Provider ensures a possibility during the revocation process, to request a new Certificate in the framework of Re-key to replace the Certificate to be revoked. The rules for Re-key are in section 4.7. In case of a successful revocation the Trust Service Provider notifies the Subject and the Subscriber about the fact by e-mail.
NetLock Ltd. Information details in the PDS: http://www.netlock.hu/docs/dokumentumok/PDS.pdf 1. by phone, 0-24, trough the number +36 1 437 6655 (its 0-24 however the other CallCenter options than revocation (3) are accessible only in business time 2. by email, in business time: visszavonas@netlock.hu 3. personaly, in business time
PROCERT FINAL USER GENERATED THE KEYS, ALSO THE PROCERT CERTIFICATE PRACTISE STATEMENT , INCUDE INFORMATION ABOUT THIS PARTICULAR POINT (30.1.2.) WWW.PROCERT.NET.VE/DPC-PC
QuoVadis Instructions are at https://www.quovadisglobal.bm/DigitalCertificates/Revocation/. Additionally, requests can be made through complaince@quovadisglobal.com.
SECOM Trust Systems CO., LTD. It is stated in the CP and CPS. ra-support@secom.co.jp ca-support@ml.secom-sts.co.jp
SK ID Solutions AS We have published 24/7 contact information for all parties to inform us of any suspicions and revocations. Use cases for all parties to inform us are described in our terms and conditions published on our website.
Sectigo Mechanism: send email to sslabuse@comodo.com Location: section 4.9.2 of our CPS.
SecureTrust Certificate problem reports should be sent via email to sslsupport@trustwave.com. This email address is monitored regularly. Relying parties are directed to this contact method via the FAQ on our website (https://ssl.trustwave.com/support/support-faq.php). This address is also provided in our CPS, which is available at https://ssl.trustwave.com/CA. This URL is included in the Certificate Policies extension of all Trustwave TLS/SSL end entity certificates.
Start Commercial (StartCom) Ltd. web publication
SwissSign AG Every customer will accept the Terms an conditions when applying for a certificate. Within Chapter 8 of this document all circumdances and Actions to do by the customer are provided. Beginning with Juliy 2017 this will also be part of the PDS Document.
Swisscom (Switzerland) Ltd Certificate revocation is described in chapter 4.9 of our CPS: Revocation through the registration authority: - The certificate holder or the person, who represents the certificate holder, contacts the registration authority - The registration authority verifies the identity of the applicant, the application and the reasons for revocation. - After a successful check, the appropriate certificate is revoked by the registration authority - Swisscom publishes the updated CRL with the revoked certificates. Revocation can also be initiated through a Swisscom application: - https://www.swissdigicert.ch/sdcs/portal/page?node=cert_revoq
Symantec In addition to links placed throughout our web content linking to our problem reporting forms, we can provide these direct links: Symantec https://www.symantec.com/contact/authentication/ssl-certificate-complaint.jsp Thawte https://www.thawte.com/about/contact/ssl-certificate-complaint.html GeoTrust https://www.geotrust.com/about/contact/ssl-certificate-complaint.html RapidSSL https://www.rapidssl.com/contact/ssl-certificate-complaint.html We also corrected a statement in the GeoTrust CPS limiting who can report a certificate problem to subscribers. In response to a post at Mozilla.dev.security.policy stating confusion about how to report a problem at the GeoTrust site, we increased visibility of our problem reporting links across all four sites.
T-Systems International GmbH (Deutsche Telekom) Website: Hotline (phone, mail), Online form CP/CPS: Hotline (phone, mail)
Taiwan-CA Inc. (TWCA) TWCA disclose the incident report contact information in the section 1.5.2 of CPS, which can be download from: https://www.twca.com.tw/picture/file/01301630-TWCA-GLOBAL-CPS-EN.pdf
Telia Company (formerly TeliaSonera) Telia's problem contact instructions are here: https://support.partnergate.sonera.com/palvelinvarmenneturvallisuus_en.html. Main contact methods are: email to cainfo@telia.fi or phone call to +358 800 156667
Trustis Trustis Certificate Revocation Guide http://www.trustis.com/pki/healthcare/Trustis-FPS-Healthcare-Revocation-Guide-v1.0.pdf provides clear details around problem reporting. This provides for email notification backed up by telephone contact if required. A mechanism is in place to provide 24/7 acceptance and response to revocation requests.
TurkTrust A specific web form is published on both the Turkish and English websites of TURKTRUST with the common link given below: https://onlineislemler.turktrust.com.tr/sertifikaGuvenlikSorunuBildirimFormu.xhtml Additionally, bilgi@turktrust.com.tr e-mail address is specified again on Turkish and English SSL web pages of TURKTRUST for problem reporting and any other SSL related inquiries.
Visa In our CPS section 4.9.3 we provide instructions and the contact information. It is available 24x7, and it is managed via Internal ticketing system as an Incident. Address: M2-10A, P.O. Box 8999, San Francisco, CA 94128 PKIPolicy@visa.com www.visa.com/pki
WISeKey Communications with the CA are stipulated in the CPS. In particular, WISeKey encourages the use of the mail addresses support@wisekey.com for end-customer support and cps@wisekey.com for problems related to the trust model
Web.com We have https://abuse.web.com/ for reporting abuse. Customers also can email sslsupport@networksolutions.com or call 1-877-228-1023 for any issue with their certs.
WoSign CA Limited We disclose the instructions for reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, inappropriate conduct, or any other matter related to Certificatesour on our Website, in which we specify our email addresses, phone numbers and livechat. For English, the link is https://www.wosign.com/english/contact.htm For Chinese, the links is, http://www.wosign.com/contact/index.htm Email: abuse@wosign.com
certSIGN Instructions are provided in the CPS. Contact email address for reporting any matters regarding certificates is office@certsign.ro.