CA Responses to May 2015 CA Communication

A-Trust

| Action | Response |
| --- | --- |
| ACTION #1: Confirm Primary Point of Contact (POC) | A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me. |
| ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement | B) Here is the most recent Baseline Requirements audit statement for our certificates that are included in Mozilla’s CA program: [provide link below]. |
| ACTION #2: ~ Text Input ~ | https://cert.webtrust.org/ViewSeal?id=1803 https://cert.webtrust.org/SealFile?seal=1803&file=pdf |
| ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs | D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below]. |
| ACTION #3: ~ Text Input ~ | We will stop issuing SHA-1 SSL certificates once the new root certificate (that is needed for SHA-2) is included in Firefox. We will update all our clients certificates to SHA-2 and will revoke all SHA-1 certificates at the end of the year. |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 12. None of the above. |
| ACTION #4: ~ Text Input ~ Data about each item selected above | |
| ACTION #5: Support for IPv6 | D) We partly support IPv6. [provide details below] |
| ACTION #5: ~ Text Input ~ | final tests in progress |

AC Camerfirma, S.A.

| Action | Response |
| --- | --- |
| ACTION #1: Confirm Primary Point of Contact (POC) | A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me. |
| ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement | A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement. |
| ACTION #2: ~ Text Input ~ | |
| ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs | D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below]. |
| ACTION #3: ~ Text Input ~ | We plan to stop issuing SHA1 SSL in December 2015. We have issued about 200 certificates beyond 2017. We plan to revoke all SSL SHA1 certificates by December 2016. |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 5. OCSP responses for subscriber certificates have an expiration time greater than ten days. |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 9. dNSName/iPAddress is only in the subject CN, and not in the subjectAltName. |
| ACTION #4: ~ Text Input ~ Data about each item selected above | 5.- We did not use nextupdate because we get certificate revocation information from a database. Nevertheless we will change this parameter. 9.- At the moment we do not issue certificates with this problem, but we have issued 748 certificates with no SAN information. The last certificate issued expires on 4th/May/2018. |
| ACTION #5: Support for IPv6 | F) We do not support IPv6, and have no plans to do so. |
| ACTION #5: ~ Text Input ~ | |

Actalis

| Action | Response |
| --- | --- |
| ACTION #1: Confirm Primary Point of Contact (POC) | A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me. |
| ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement | A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement. |
| ACTION #2: ~ Text Input ~ | |
| ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs | B) We are no longer issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program. In the past, we did issue SHA-1 SSL certificates that were valid beyond January 1, 2017, but they have all now been revoked. |
| ACTION #3: ~ Text Input ~ | We are no longer issuing SHA-1 SSL certificates with a notAfter date beyond January 1, 2017. In the past, we did issue some SHA-1 SSL certificates that were valid beyond January 1, 2017, but they have all now been revoked. |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 12. None of the above. |
| ACTION #4: ~ Text Input ~ Data about each item selected above | None, as far as we know. |
| ACTION #5: Support for IPv6 | F) We do not support IPv6, and have no plans to do so. |
| ACTION #5: ~ Text Input ~ | |

Amazon Trust Services

| Action | Response |
| --- | --- |
| ACTION #1: Confirm Primary Point of Contact (POC) | A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me. |
| ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement | A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement. |
| ACTION #2: ~ Text Input ~ | |
| ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs | D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below]. |
| ACTION #3: ~ Text Input ~ | Amazon has never issued SHA-1 SSL certificates. We do not currently have plans to do so, but may do so up until December 31, 2015. We are aware of the Mozilla changes, including the "Untrusted Connection" message. |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 12. None of the above. |
| ACTION #4: ~ Text Input ~ Data about each item selected above | We may issue certificates with RSA subject public keys without keyEncipherment in cases where the server is required to use Diffie-Hellman key exchange. |
| ACTION #5: Support for IPv6 | B) We support IPv6 for all OCSP servers but not CRL servers. |
| ACTION #5: ~ Text Input ~ | We will be adding IPv6 support for CRL servers in 2016. |

Asseco Data Systems S.A. (previously Unizeto Certum)

| Action | Response |
| --- | --- |
| ACTION #1: Confirm Primary Point of Contact (POC) | A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me. |
| ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement | A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement. |
| ACTION #2: ~ Text Input ~ | Audit 2015 will be completed by the end of June. |
| ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs | D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below]. |
| ACTION #3: ~ Text Input ~ | Plan to stop issuing SHA-1 SSL certificates by December 31, 2015. Have issued 1116 SHA-1 SSL certificates that are valid beyond January 1, 2017. Plan to revoke them by December 31, 2016. |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 12. None of the above. |
| ACTION #4: ~ Text Input ~ Data about each item selected above | |
| ACTION #5: Support for IPv6 | F) We do not support IPv6, and have no plans to do so. |
| ACTION #5: ~ Text Input ~ | The work to support IPv6 is not currently scheduled, but the intention is to add this support in the near future. |

Atos

| Action | Response |
| --- | --- |
| ACTION #1: Confirm Primary Point of Contact (POC) | A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me. |
| ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement | A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement. |
| ACTION #2: ~ Text Input ~ | |
| ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs | A) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017. |
| ACTION #3: ~ Text Input ~ | |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 12. None of the above. |
| ACTION #4: ~ Text Input ~ Data about each item selected above | |
| ACTION #5: Support for IPv6 | D) We partly support IPv6. [provide details below] |
| ACTION #5: ~ Text Input ~ | All of our infrastructure and components/product supports IPv6, but we have no productive use cases and practical experience. |

Autoridad de Certificacion Firmaprofesional

| Action | Response |
| --- | --- |
| ACTION #1: Confirm Primary Point of Contact (POC) | A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me. |
| ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement | C) We plan to send Mozilla our current public-facing Baseline Requirements audit statement by [provide date below and explain reason for delay]. |
| ACTION #2: ~ Text Input ~ | It has been long discussed the need to have an audit statement of the BR when there are already available one of the WT4CA and other of the WTEV, and as soon as it has been clarified its need we have budgeted it, so the approved budget for actions to be taken during 2015 (approved in late 2014) includes ISO9K and 27K (to be done in September 2015), WT4CA, WTBR and WTEV (to be done in December 2015) so we plan to have an audit statement at the end of the present year. |
| ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs | C) We are no longer issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below]. |
| ACTION #3: ~ Text Input ~ | We have issued 27 SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by December 2015. |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 3. The pathLenConstraint field is included when the cA boolean is false. |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 9. dNSName/iPAddress is only in the subject CN, and not in the subjectAltName. |
| ACTION #4: ~ Text Input ~ Data about each item selected above | 3. The pathLenConstraint field is included when the cA boolean is false: 186 certs. 9. dNSName/iPAddress is only in the subject CN, and not in the subjectAltName: 156 certs. |
| ACTION #5: Support for IPv6 | A) We support IPv6 for all our CRL and OCSP servers. |
| ACTION #5: ~ Text Input ~ | Theoretically, since all network hardware is ready. However, we have not yet tested them. |

Buypass

| Action | Response |
| --- | --- |
| ACTION #1: Confirm Primary Point of Contact (POC) | A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me. |
| ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement | A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement. |
| ACTION #2: ~ Text Input ~ | |
| ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs | D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below]. |
| ACTION #3: ~ Text Input ~ | We issue SHA256 SSL certificates as default, but are able to issue SHA-1 SSL certificates for customers on demand. Such SSL certificates shall not be valid beyond January 1, 2017. We plan to stop issuance of SHA-1 SSL certificates by January 1, 2016. We have issued 4 SSL certificates with validity beyond January 1, 2017 and these will be revoked by January 1, 2016. |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 12. None of the above. |
| ACTION #4: ~ Text Input ~ Data about each item selected above | |
| ACTION #5: Support for IPv6 | E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below] |
| ACTION #5: ~ Text Input ~ | We plan to support IPv6 for both our CRL and OCSP servers by Q1 2016. |

Certicámara

| Action | Response |
| --- | --- |
| ACTION #1: Confirm Primary Point of Contact (POC) | B) The Primary POC for our CA has changed. |
| ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement | A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement. |
| ACTION #2: ~ Text Input ~ | Our root certificate for Websites trust bit was turned off in Firefox 32, because we are issuing the SSL/TLS certificate with Symantec platform as an authorized partner. Our root continues in the listed CAs because we continue issuing certificates for individuals with digital signature attributes, that can be used to sign mail messages. |
| ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs | A) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017. |
| ACTION #3: ~ Text Input ~ | There is no action required, because we don't issue SSL/TLS certificates that chain up to our root certificates in Mozilla's program. |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 12. None of the above. |
| ACTION #4: ~ Text Input ~ Data about each item selected above | There is no action required, because we don't issue SSL/TLS certificates that chain up to our root certificates in Mozilla's program. Also the certificates issued for digital signature do not have any of the mentioned workarounds because they do not need it. |
| ACTION #5: Support for IPv6 | E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below] |
| ACTION #5: ~ Text Input ~ | We do not yet support IPv6, but have a plan to do so before January 1, 2017 |

Certinomis / Docapost

| Action | Response |
| --- | --- |
| ACTION #1: Confirm Primary Point of Contact (POC) | A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me. |
| ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement | C) We plan to send Mozilla our current public-facing Baseline Requirements audit statement by [provide date below and explain reason for delay]. |
| ACTION #2: ~ Text Input ~ | We plan to send Mozilla our current public-facing Baseline Requirements audit statement by end of June. Our audit renewal is finished but it takes some delay to obtain the audit letter in English signed by LSTI. I'll provide the copy of the letter as soon as available. |
| ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs | C) We are no longer issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below]. |
| ACTION #3: ~ Text Input ~ | We are no longer issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program. We have issued a small number of SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by January 1, 2017. |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 12. None of the above. |
| ACTION #4: ~ Text Input ~ Data about each item selected above | none |
| ACTION #5: Support for IPv6 | E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below] |
| ACTION #5: ~ Text Input ~ | We do not yet support IPv6, but have a plan to do so next year (2016). |

China Financial Certification Authority (CFCA)

| Action | Response |
| --- | --- |
| ACTION #1: Confirm Primary Point of Contact (POC) | A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me. |
| ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement | A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement. |
| ACTION #2: ~ Text Input ~ | |
| ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs | A) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017. |
| ACTION #3: ~ Text Input ~ | |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 12. None of the above. |
| ACTION #4: ~ Text Input ~ Data about each item selected above | |
| ACTION #5: Support for IPv6 | F) We do not support IPv6, and have no plans to do so. |
| ACTION #5: ~ Text Input ~ | |

China Internet Network Information Center (CNNIC)

| Action | Response |
| --- | --- |
| ACTION #1: Confirm Primary Point of Contact (POC) | A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me. |
| ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement | B) Here is the most recent Baseline Requirements audit statement for our certificates that are included in Mozilla’s CA program: [provide link below]. |
| ACTION #2: ~ Text Input ~ | http://cnnic.cn/jczyfw/fwqzs/fwqzsrzjzz/ |
| ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs | D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below]. |
| ACTION #3: ~ Text Input ~ | We have 2 Root which in Mozilla program, CNNIC ROOT and CNNIC EV ROOT. 3 intermediate cert chain to CNNIC ROOT, CNNIC SSL, CNNIC DQ SSL and CNNIC SHA256 SSL. CNNIC SSL stopped issuing cert as the CNNIC SHA256 SSL issue SHA256 cert from Jan 28, 2015. 1 intermediate cert (CNNIC EV SSL) chain to CNNIC EV ROOT is still issuing SHA1 cert. We plan to upgrade EV SSL and DQ SSL to issue SHA256 cert this year. |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 12. None of the above. |
| ACTION #4: ~ Text Input ~ Data about each item selected above | We never issued cert in 1,8,9,10,11. Regarding 2 and 3, the cert CNNIC issued for End-entity, we have basicConstraints with Subject Type=End Entity Path Length Constraint=None. Regarding 4,5,6,7, we need confirm from our RD team and update to you later. |
| ACTION #5: Support for IPv6 | F) We do not support IPv6, and have no plans to do so. |
| ACTION #5: ~ Text Input ~ | |

Chunghwa Telecom

| Action | Response |
| --- | --- |
| ACTION #1: Confirm Primary Point of Contact (POC) | B) The Primary POC for our CA has changed. |
| ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement | A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement. |
| ACTION #2: ~ Text Input ~ | |
| ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs | D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below]. |
| ACTION #3: ~ Text Input ~ | We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by December 31, 2015. We have issued 311 SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by December 31, 2015. |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 12. None of the above. |
| ACTION #4: ~ Text Input ~ Data about each item selected above | |
| ACTION #5: Support for IPv6 | E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below] |
| ACTION #5: ~ Text Input ~ | We do not yet support IPv6, but have a plan to do so by March 31, 2016. |

ComSign

| Action | Response |
| --- | --- |
| ACTION #1: Confirm Primary Point of Contact (POC) | A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me. |
| ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement | B) Here is the most recent Baseline Requirements audit statement for our certificates that are included in Mozilla’s CA program: [provide link below]. |
| ACTION #2: ~ Text Input ~ | https://bugzilla.mozilla.org/attachment.cgi?id=8598250 |
| ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs | C) We are no longer issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below]. |
| ACTION #3: ~ Text Input ~ | 1 certificate. Will be revoked by Dec 2016. |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 2. Default values in a SEQUENCE explicitly encoded; e.g. end-entity certificates with basicConstraints extension explicitly encoded to the default value cA:false. |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 3. The pathLenConstraint field is included when the cA boolean is false. |
| ACTION #4: ~ Text Input ~ Data about each item selected above | - We issued 30 certificates with those two problems. - The last issuance date was November 3rd, 2014. - The last certificate to expire will be on November 3rd, 2017. |
| ACTION #5: Support for IPv6 | F) We do not support IPv6, and have no plans to do so. |
| ACTION #5: ~ Text Input ~ | |

Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert)

| Action | Response |
| --- | --- |
| ACTION #1: Confirm Primary Point of Contact (POC) | A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me. |
| ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement | C) We plan to send Mozilla our current public-facing Baseline Requirements audit statement by [provide date below and explain reason for delay]. |
| ACTION #2: ~ Text Input ~ | It has been long discussed the need to have an audit statement of the BR when there are already available one of the WT4CA and other of the WTEV, and as soon as it has been clarified its need we have budgeted it, so the approved budget for actions to be taken during 2015 (approved in late 2014) includes ISO9K and 27K (to be done in September 2015), WT4CA, WTBR and WTEV (to be done in December 2015) so we plan to have an audit statement at the end of the present year. |
| ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs | D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below]. |
| ACTION #3: ~ Text Input ~ | D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by 31/12/2015. We have issued 825 SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by 31/12/2017. |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 10. String types other than PrintableString and UTF8String in DirectoryString components of names. |
| ACTION #4: ~ Text Input ~ Data about each item selected above | All of our certificates containing non printablestring characters is issued with teletextstring. The last one of them will be issued by 31/12/2015 due to technology change. The last one will expire by 31/12/2019. |
| ACTION #5: Support for IPv6 | C) We support IPv6 for all CRL servers but not OCSP servers. |
| ACTION #5: ~ Text Input ~ | Theoretically, since all network hardware is ready. However, we have not yet tested them. |

Cybertrust Japan / JCSI

| Action | Response |
| --- | --- |
| ACTION #1: Confirm Primary Point of Contact (POC) | A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me. |
| ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement | E) We do not have a current public-facing Baseline Requirements audit statement for this root certificate, because [explain reason below -- If phasing out use of the root then indicate date when the certs expire or when the root may be removed]. |
| ACTION #2: ~ Text Input ~ | CTJ has not yet issued a SSL/TLS certificate under our JCSI root as written in our CPS below: > Under this JCSI Root CA Certification Practice Statement (this "CPS") > Version 1.0, the Certification Authority shall not issue/revoke > certificates based on applications of the Subordinate CA. Thus, the > Certification Authority shall issue/revoke certificates upon amending > this CPS. CTJ are still planning to amend our CPS at next phase in order to issue a SSL/TLS certificate, but the date has not been fixed yet. So, as we did last year, we will conduct the WebTrust for CA audit in Jun this year, but still not for BR. |
| ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs | A) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017. |
| ACTION #3: ~ Text Input ~ | |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 12. None of the above. |
| ACTION #4: ~ Text Input ~ Data about each item selected above | nothing |
| ACTION #5: Support for IPv6 | E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below] |
| ACTION #5: ~ Text Input ~ | When we amend our CPS and issue a SSL/TLS certificate at our next phase, we'll support IPv6 for all our CRL and OCSP servers. |

D-TRUST

| Action | Response |
| --- | --- |
| ACTION #1: Confirm Primary Point of Contact (POC) | A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me. |
| ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement | A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement. |
| ACTION #2: ~ Text Input ~ | The BR+ETSI TS 102 042 audit statement is up to date. We additionally requested a third Root for inclusion, used for secure eMail, please see Bug 11 66 723 |
| ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs | A) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017. |
| ACTION #3: ~ Text Input ~ | |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 12. None of the above. |
| ACTION #4: ~ Text Input ~ Data about each item selected above | |
| ACTION #5: Support for IPv6 | E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below] |
| ACTION #5: ~ Text Input ~ | We have to update our Intrusion Detection System, this update will be part of the Audit scope and will need some time. |

Deutscher Sparkassen Verlag GmbH (S-TRUST, DSV-Gruppe)

| Action | Response |
| --- | --- |
| ACTION #1: Confirm Primary Point of Contact (POC) | A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me. |
| ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement | D) The websites (SSL/TLS) trust bit is not enabled for our certificates that are included in Mozilla's CA program. |
| ACTION #2: ~ Text Input ~ | |
| ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs | A) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017. |
| ACTION #3: ~ Text Input ~ | We do not issue any SSL-certificates. |
| ACTION #4: Certificates with problems identified when we moved to mozilla::pkix | 12. None of the above. |
| ACTION #4: ~ Text Input ~ Data about each item selected above | We do not issue any SSL-certificates. |
| ACTION #5: Support for IPv6 | F) We do not support IPv6, and have no plans to do so. |
| ACTION #5: ~ Text Input ~ | |

Dhimyotis / Certigna

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statementA) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certsA) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017.
Action
Response
ACTION #3: ~ Text Input ~
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 12. None of the above.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
Action
Response
ACTION #5: Support for IPv6F) We do not support IPv6, and have no plans to do so.
Action
Response
ACTION #5: ~ Text Input ~

DigiCert

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statementA) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certsD) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~January 1, 2017; 565; January 1, 2017
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 12. None of the above.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
Action
Response
ACTION #5: Support for IPv6E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]
Action
Response
ACTION #5: ~ Text Input ~January 1, 2016 for CRL and OCSP servers

Disig, a.s.

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statementA) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certsA) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017.
Action
Response
ACTION #3: ~ Text Input ~
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 12. None of the above.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
Action
Response
ACTION #5: Support for IPv6E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]
Action
Response
ACTION #5: ~ Text Input ~We plan to support IPv6 after broader implementation of this protocol from the ISP in our region.

DocuSign (OpenTrust/Keynectis)

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statementA) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certsD) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~We plan to stop issuing SHA-1 SSL certificates by end of December 2015. We do not yet have a planned date to revoke them. On the 11th of May, we have issued 506 SHA-1 SSL certificates still valid after the 1st of January 2017.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 7. Delegated OCSP response signing certificate expires before the OCSP response expires.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 8. RSA SSL/TLS end-entity certificates that have a KeyUsage extension does not include keyEncipherment in the KeyUsage extension.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above: For #8, this was associated to national requirements: 11 valid certificates are concerned. This topic should terminate by May 2016 with the expiration of the last certificate with this behavior.
Action
Response
ACTION #5: Support for IPv6F) We do not support IPv6, and have no plans to do so.
Action
Response
ACTION #5: ~ Text Input ~We would like to support IPv6 but the front infrastructure we rely on for CRL and OCSP does not yet support IPv6. We will be able to support IPv6 when this infrastructure allows us to do so.

E-Tugra

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statementA) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certsA) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017.
Action
Response
ACTION #3: ~ Text Input ~
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 2. Default values in a SEQUENCE explicitly encoded; e.g. end-entity certificates with basicConstraints extension explicitly encoded to the default value cA:false.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
Action
Response
ACTION #5: Support for IPv6E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]
Action
Response
ACTION #5: ~ Text Input ~01.01.2017

EDICOM

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statementA) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certsA) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017.
Action
Response
ACTION #3: ~ Text Input ~
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 12. None of the above.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
Action
Response
ACTION #5: Support for IPv6E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]
Action
Response
ACTION #5: ~ Text Input ~

Entrust

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statementA) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certsD) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~Will stop issuing SHA-1 certificates before 1 January 2016. We currently have 17196 SHA-1 certificates expiring after 2016. We do not plan to revoke any SHA-1 certificates.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 12. None of the above.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
Action
Response
ACTION #5: Support for IPv6D) We partly support IPv6. [provide details below]
Action
Response
ACTION #5: ~ Text Input ~We support IPv6 for all of our CRL and OCSP servers; however, we do not support IPv6 for our DNS.

GlobalSign

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statementA) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certsD) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~(It is actually none of the above but the survey will not save unless one of the choices is made - i.e. We do not yet plan on the revocation step so choice (D) is the closest) We have 36,335 SHA1 certificates that expire after Jan 1 2017 but as revocation is not mandatory and one customer has 25% of the volume of those certificates for use in a non browser environment for client/server communication. Please note that these totals do not include certificates issued by customers in the Trusted Root Program through Name Constrained CA's which have been signed by GlobalSign. This will take longer to gather however we estimate numbers to be much smaller as the majority of customers have been transitioned to SHA256 chains and end entity certificates.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 10. String types other than PrintableString and UTF8String in DirectoryString components of names.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above: 10. This questionnaire does not specifically refer to SSL/TLS, so we are going to have to say yes, as IA5String is used in all cases where E=email within the DirectoryString. This does not happen for SSL/TLS certificates. See page 24 of RFC5280 that allows this. So if the intention is to focus on SSL then indeed we don't use IA5 but if the intention is to ask if IA5 is used then yes we do and yes lots of other CA's do too.
Action
Response
ACTION #5: Support for IPv6A) We support IPv6 for all our CRL and OCSP servers.
Action
Response
ACTION #5: ~ Text Input ~

GoDaddy

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statementA) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certsD) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by Jan 1, 2016. We have issued 160,000 SHA-1 SSL certificates that are valid beyond January 1, 2017 and are currently not revoked. We presently have no plans to revoke these certificates.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 2. Default values in a SEQUENCE explicitly encoded; e.g. end-entity certificates with basicConstraints extension explicitly encoded to the default value cA:false.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above: We have 569,000 valid, unrevoked certificates containing this flaw. The last of these expires on May 9, 2021; however, the last signed with SHA-2 expires on May 1, 2019.
Action
Response
ACTION #5: Support for IPv6E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]
Action
Response
ACTION #5: ~ Text Input ~We do not yet support IPv6, but have a plan to do so by Jan, 2016.

Government of France (ANSSI, DCSSI)

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statementA) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certsD) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~31/12/2015; 1 109; 31/12/2016
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 1. Intermediate certificate has an EKU and will be used for SSL, but does not have the id-kp-serverAuth EKU.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 11. Encoding used for name constraints is not the same as the encoding used for alternative names.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 10. String types other than PrintableString and UTF8String in DirectoryString components of names.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 9. dNSName/iPAddress is only in the subject CN, and not in the subjectAltName.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 8. RSA SSL/TLS end-entity certificates that have a KeyUsage extension does not include keyEncipherment in the KeyUsage extension.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 6. Timezones in certificates not specified as "Z" (Zulu/GMT).
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 4. OCSP responders include a responseExtensions consisting of an empty SEQUENCE.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above: number of existing certificates: 580; last of those certificates expire in the middle of 2017
Action
Response
ACTION #5: Support for IPv6F) We do not support IPv6, and have no plans to do so.
Action
Response
ACTION #5: ~ Text Input ~

Government of Hong Kong (SAR), Hongkong Post, Certizen

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statementC) We plan to send Mozilla our current public-facing Baseline Requirements audit statement by [provide date below and explain reason for delay].
Action
Response
ACTION #2: ~ Text Input ~We plan to send Mozilla our current public-facing Baseline Requirements audit statement by March 2016. We have just completed an independent assessment on the current status in meeting the BRs in February 2015. According to our plan, we will implement system changes in Q3/2015 to conform with BRs that are not yet complied with. Thereafter, a reasonable audit period should be allowed to show full performance.
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certsD) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by 31 Dec 2015. We have issued less than 50 SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by 31 Dec 2016. Besides, SHA-1 SSL certificates with 1-year validity period will only be issued upon written request now until 31 Dec 2015. And we have been issuing SHA-256 SSL certificates by default starting from 1 January 2015.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 12. None of the above.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
Action
Response
ACTION #5: Support for IPv6F) We do not support IPv6, and have no plans to do so.
Action
Response
ACTION #5: ~ Text Input ~

Government of Japan, Ministry of Internal Affairs and Communications

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)B) The Primary POC for our CA has changed.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statementC) We plan to send Mozilla our current public-facing Baseline Requirements audit statement by [provide date below and explain reason for delay].
Action
Response
ACTION #2: ~ Text Input ~We will submit a readiness assessment report of the BR audit in September.
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certsA) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017.
Action
Response
ACTION #3: ~ Text Input ~
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 5. OCSP responses for subscriber certificates have an expiration time greater than ten days.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above: We have OCSP for Root and Sub. The OCSP server for RootCA gets RootCA's CRL, and the OCSP server for RootCA sets the next update of RootCA's CRL as the nextUpdate on OCSP responses. It conforms with RFC 2560. RootCA's CRL is within 90 days. Does this apply to #5? Well, I have a question. When connecting to an https server at www2.gpki.go.jp by Firefox 37.0.1 on Windows 7 SP1 32-bit, as far as seeing outgoing packets captured locally at the client, Firefox seems to have sent an OCSP request for the SSL certificate to the responder at http://ocsp-sub.gpki.go.jp, while it does not seem to send any requests for validating ApplicationCA2 Sub's certificate, which is an issuer of the SSL certificate. Could you teach me if the behavior above on OCSP validation is a design of Firefox?
Action
Response
ACTION #5: Support for IPv6C) We support IPv6 for all CRL servers but not OCSP servers.
Action
Response
ACTION #5: ~ Text Input ~

Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV)

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statementA) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certsB) We are no longer issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program. In the past, we did issue SHA-1 SSL certificates that were valid beyond January 1, 2017, but they have all now been revoked.
Action
Response
ACTION #3: ~ Text Input ~
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 2. Default values in a SEQUENCE explicitly encoded; e.g. end-entity certificates with basicConstraints extension explicitly encoded to the default value cA:false.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above: We had issued the certificates with basic_constraint extension explicitly encoded to the default value end_entity. When we read the policy and realized the error, we stopped issuing them, but we still have active certificates issued with this value. We have about 300 active certificates with this problem. The last expire in mid-2017.
Action
Response
ACTION #5: Support for IPv6E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]
Action
Response
ACTION #5: ~ Text Input ~We do not yet support IPv6, but have a plan to do so before the end of the first quarter of 2016

Government of Taiwan, Government Root Certification Authority (GRCA)

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)B) The Primary POC for our CA has changed.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statementC) We plan to send Mozilla our current public-facing Baseline Requirements audit statement by [provide date below and explain reason for delay].
Action
Response
ACTION #2: ~ Text Input ~Taiwan government will get Baseline Requirements audit done in this year. Due to the requirement of CA/Browser forum, we add baseline requirements audit in our audit schedule this year. Thus we have to make a little adjustment on our annual audit schedule. Therefore, it takes us more time to complete procurement procedure (for auditing).
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certsD) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~We have now issued 486 SHA-1 SSL certificates that are valid beyond January 1, 2017. We plan to stop issuing SHA-1 SSL certificates before 2015/12/31, and plan to revoke all these SHA-1 SSL certificates before 2016/12/31.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 12. None of the above.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above: We don't issue any certificate with these problems.
Action
Response
ACTION #5: Support for IPv6F) We do not support IPv6, and have no plans to do so.
Action
Response
ACTION #5: ~ Text Input ~

Government of The Netherlands, PKIoverheid (Logius)

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statementA) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certsA) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017.
Action
Response
ACTION #3: ~ Text Input ~
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 12. None of the above.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above: 1. Our G1, G2, have no EKU in intermediate CAs. Our G3 and EV root do have EKUs in the issuing CAs with id-kp-serverAuth.
Action
Response
ACTION #5: Support for IPv6D) We partly support IPv6. [provide details below]
Action
Response
ACTION #5: ~ Text Input ~The root and domain CAs of Logius PKIoverheid will support IPv6 for CRL and OCSP servers this year. The issuing CAs of some of our CSPs will support IPv6, but some have indicated they will not. Logius PKIoverheid currently does not require CSPs to use IPv6.

Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM)

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statementA) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certsC) We are no longer issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~We informed our customers about this change and we started revoking and renewing their certs. There are 76 SSL certificates left that we didn't revoke yet. Our plan is to finish all of it by December 2015.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 2. Default values in a SEQUENCE explicitly encoded; e.g. end-entity certificates with basicConstraints extension explicitly encoded to the default value cA:false.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 9. dNSName/iPAddress is only in the subject CN, and not in the subjectAltName.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above: We have ~300 end-user certificates with the problems above, but they all expire before Jan.1.2017. We have established a new root and chain; however, the new root is not in your trusted list yet. When you accept this new root, there won't be these problems.
Action
Response
ACTION #5: Support for IPv6E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]
Action
Response
ACTION #5: ~ Text Input ~We can't give a specific date yet but we are working on IPv6.

HARICA

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statementA) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certsC) We are no longer issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~We have issued 24 SHA1 SSL certificates that are valid beyond January 1, 2017. We have already contacted the owners to replace them with new SHA256 and plan to revoke them by 31/8/2016.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 12. None of the above.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
Action
Response
ACTION #5: Support for IPv6E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]
Action
Response
ACTION #5: ~ Text Input ~We currently have IPv6 connectivity but do not provide PKI services over IPv6. We plan to run implementation tests for IPv6 in 2016.

IdenTrust Services, LLC

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statementA) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certsD) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~IdenTrust stopped selling SHA-1 certificates to the public in December 2014. We continue working with existing customers helping them replace active SHA-1 certificates for SHA-256 versions. On a very limited basis, and only to support legacy platforms, IdenTrust may provide existing customers a SHA1 certificate which will expire no later than December 31, 2016. IdenTrust has issued 182 certificates that are valid beyond January 1, 2017. IdenTrust will have all certificates replaced and revoked by December 31, 2016.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 1. Intermediate certificate has an EKU and will be used for SSL, but does not have the id-kp-serverAuth EKU.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 10. String types other than PrintableString and UTF8String in DirectoryString components of names.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 8. RSA SSL/TLS end-entity certificates that have a KeyUsage extension does not include keyEncipherment in the KeyUsage extension.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix: 2. Default values in a SEQUENCE explicitly encoded; e.g. end-entity certificates with basicConstraints extension explicitly encoded to the default value cA:false.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above: Action 4.1: IdenTrust has only one intermediate CA under this condition, which expires on June 5, 2016. This CA does not have any active end-entity certificate at this point and is used to issue CRLs only. Action 4.2: IdenTrust issues SMIME certificates to a legacy customer that contain the value CA=false in the basicConstraints extension. IdenTrust is in the process of migrating this customer to a newer implementation by December 31, 2015. Currently there are 3,100 certificates active. Based on current migration plan, the last certificate will expire on December 31, 2017. Action 4.5: For the majority of certificates issued, IdenTrust offers real time validation and accomplishes this by not populating the "expiration date" in the OCSP responses. This configuration is consistent with RFC 6960 in Section 4.2.2.1: "If nextUpdate is not set, the responder is indicating that newer revocation information is available all the time." Action 4.8: For a VPN use case, IdenTrust has issued certificates that do not contain the KeyEncipherment though they have the Extended Key Usage server authentication use. Three certificates have been issued and the latest will expire on December 18, 2016. Action 4.10: IdenTrust issues SMIME certificates to legacy customers that include the EmailAddress field in the Subject Distinguished Name. The EmailAddress is encoded as IA5String. IdenTrust is in the process of migrating these customers to a newer implementation by December 31, 2015. Currently there are ~4,500 certificates active. Based on current migration plan, the last certificate will expire on December 31, 2017.
Action
Response
ACTION #5: Support for IPv6F) We do not support IPv6, and have no plans to do so.
Action
Response
ACTION #5: ~ Text Input ~

Izenpe S.A.

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)
A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
A) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017.
Action
Response
ACTION #3: ~ Text Input ~
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
12. None of the above.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
Action
Response
ACTION #5: Support for IPv6
F) We do not support IPv6, and have no plans to do so.
Action
Response
ACTION #5: ~ Text Input ~

Microsec Ltd.

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)
A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
C) We are no longer issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~
We have issued <2> SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by <December 31, 2016>
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
2. Default values in a SEQUENCE explicitly encoded; e.g. end-entity certificates with basicConstraints extension explicitly encoded to the default value cA:false.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
Item 2: Presently we have 227 pcs SHA1 based certificates and 222 pcs SHA256 based certificates with this problem.
The last certificate was issued at 2015-05-29 15:54:35.
The last certificate will expire at 2017-05-28 15:54:35.
We will not issue more certificates with this problem.
Action
Response
ACTION #5: Support for IPv6
F) We do not support IPv6, and have no plans to do so.
Action
Response
ACTION #5: ~ Text Input ~

NetLock Ltd.

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)
A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
C) We plan to send Mozilla our current public-facing Baseline Requirements audit statement by [provide date below and explain reason for delay].
Action
Response
ACTION #2: ~ Text Input ~
C) We are currently doing our audit spring. All of our audits are between March and July and the yearly WebTrust audit will be held in July 2015.
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
A) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017.
Action
Response
ACTION #3: ~ Text Input ~
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
12. None of the above.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
Action
Response
ACTION #5: Support for IPv6
E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]
Action
Response
ACTION #5: ~ Text Input ~
at the end of 2017

Nets DanID

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)
A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
E) We do not have a current public-facing Baseline Requirements audit statement for this root certificate, because [explain reason below -- If phasing out use of the root then indicate date when the certs expire or when the root may be removed].
Action
Response
ACTION #2: ~ Text Input ~
Root Removed in Firefox 32.
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
A) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017.
Action
Response
ACTION #3: ~ Text Input ~
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
12. None of the above.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
Action
Response
ACTION #5: Support for IPv6
F) We do not support IPv6, and have no plans to do so.
Action
Response
ACTION #5: ~ Text Input ~

OISTE

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)
A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
B) Here is the most recent Baseline Requirements audit statement for our certificates that are included in Mozilla’s CA program: [provide link below].
Action
Response
ACTION #2: ~ Text Input ~
https://d3o11irj9639cz.cloudfront.net/uploads/images/WISeKey-WebTrust-Audit-Report-2015.pdf
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~
We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by end of September 2015, depending on the acceptance of our new Root. We have issued a number of SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by as soon as our new Root is embedded and we are able to convert customers to SHA-2.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
2. Default values in a SEQUENCE explicitly encoded; e.g. end-entity certificates with basicConstraints extension explicitly encoded to the default value cA:false.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
3. The pathLenConstraint field is included when the cA boolean is false.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
2. All of our end entity certificates have this issue. They all have cA:false explicitly encoded.
3. All of our end entity certificates have this issue. e.g.
    2.5.29.19: Flags = 1(Critical), Length = 2
    Basic Constraints
    Subject Type=End Entity
    Path Length Constraint=None
Action
Response
ACTION #5: Support for IPv6
F) We do not support IPv6, and have no plans to do so.
Action
Response
ACTION #5: ~ Text Input ~

PROCERT

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)
A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
The Mozilla Foundation already has our last audit
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
A) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017.
Action
Response
ACTION #3: ~ Text Input ~
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
12. None of the above.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
Action
Response
ACTION #5: Support for IPv6
A) We support IPv6 for all our CRL and OCSP servers.
Action
Response
ACTION #5: ~ Text Input ~

QuoVadis

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)
A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Direct link to most recent WebTrust BR is https://cert.webtrust.org/ViewSeal?id=1853
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~
We plan to stop issuing SHA-1 SSL by January 1, 2016. We have 986 SHA-1 SSL certificates that are valid beyond January 1, 2017. We presently have no plans to revoke these certificates (as the majority expire in January 2017).
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
12. None of the above.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
Action
Response
ACTION #5: Support for IPv6
E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]
Action
Response
ACTION #5: ~ Text Input ~
We plan support for IPv6 when there is adequate ISP adoption in our region.

RSA the Security Division of EMC

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)
B) The Primary POC for our CA has changed.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
E) We do not have a current public-facing Baseline Requirements audit statement for this root certificate, because [explain reason below -- If phasing out use of the root then indicate date when the certs expire or when the root may be removed].
Action
Response
ACTION #2: ~ Text Input ~
The "RSA Security 2048 V3" is an off-line CA that does not issue SSL/TLS certificates. It only issues intermediate CA certificates. The "RSA Security 2048 V3" has a WebTrust Audit at: https://cert.webtrust.org/ViewSeal?id=1836
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~
The "RSA Security 2048 V3" does not issue SSL certificates. The intermediate RSA/EMC CA do have SHA-1 SSL certificates issued but are in the process of rectifying the situation. None of the issued SHA-1 SSL certificates are valid beyond January, 2017. More to come on this Action.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
12. None of the above.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
These issues do not apply to the "RSA Security 2048 V3". It is not believed these issues apply to certificates issued by intermediate RSA/EMC CAs. Further investigation is required to validate this. To follow.
Action
Response
ACTION #5: Support for IPv6
F) We do not support IPv6, and have no plans to do so.
Action
Response
ACTION #5: ~ Text Input ~
There are no current plans to support IPv6 however this may change as the administration of the "RSA Security 2048 V3" transitions to a new group. To follow.

SECOM Trust Systems CO., LTD.

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)
A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
https://cert.webtrust.org/SealFile?seal=1717&file=pdf
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~
stop issuing by 12/31/2015. revoked by 12/31/2016.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
2. Default values in a SEQUENCE explicitly encoded; e.g. end-entity certificates with basicConstraints extension explicitly encoded to the default value cA:false.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
9. dNSName/iPAddress is only in the subject CN, and not in the subjectAltName.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
5. OCSP responses for subscriber certificates have an expiration time greater than ten days.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
#2 343 certs.
#5 1 cert.
#9 2756 certs.
Action
Response
ACTION #5: Support for IPv6
F) We do not support IPv6, and have no plans to do so.
Action
Response
ACTION #5: ~ Text Input ~

SG Trust Services

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)
A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
E) We do not have a current public-facing Baseline Requirements audit statement for this root certificate, because [explain reason below -- If phasing out use of the root then indicate date when the certs expire or when the root may be removed].
Action
Response
ACTION #2: ~ Text Input ~
SG TRUST will stop the participation in Mozilla's CA certificate program. We have revoked the intermediate certificate CA. We are no longer issuing any certificate (SHA-2 SSL) and we don't have any currently-valid certificate yet.
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
A) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017.
Action
Response
ACTION #3: ~ Text Input ~
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
12. None of the above.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
We don't have any currently-valid certificate yet. SG TRUST stop the issuing of SSL certificate.
Action
Response
ACTION #5: Support for IPv6
F) We do not support IPv6, and have no plans to do so.
Action
Response
ACTION #5: ~ Text Input ~
SG TRUST stop the issuing of SSL certificate.

SK ID Solutions AS

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)
A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
A) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017.
Action
Response
ACTION #3: ~ Text Input ~
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
4. OCSP responders include a responseExtensions consisting of an empty SEQUENCE.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
10. String types other than PrintableString and UTF8String in DirectoryString components of names.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
9. dNSName/iPAddress is only in the subject CN, and not in the subjectAltName.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
#1 No, intermediate CA does not have EKU extension.
#2 No, Basic Constraints is non-CRITICAL in end entity certificates, no explicit values set.
#3 No.
#4 This is true when OCSP request doesn't contain nonce extension. When OCSP nonce extension is used in request, then responseExtensions is also containing the nonce extension.
#5 We don't use nextUpdate field, because our OCSP is a real time OCSP responder.
#6 No. All active certs like this: 145:d=3 hl=2 l= 13 prim: UTCTIME :120510140425Z
#7 No. In OCSP responses we don't use nextUpdate field and therefore OCSP response signing certificates do not expire before OCSP responses expire.
#8 No, all active EKU "TLS Web Server Authentication" certs have a KU "Key Encipherment".
#9 Yes. Most older certificates, not new ones.
#10 Yes, majority have IA5STRING emailAddress in Subject set. New certificates do not have emailAddress anymore. All other Subject fields are PrintableString or UTF8String.
#11 No, name constraints extension not used.
Action
Response
ACTION #5: Support for IPv6
E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]
Action
Response
ACTION #5: ~ Text Input ~
We have a plan to support IPv6 for the end of 2017.

Sectigo

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)
A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~
We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by January 1, 2016. We have issued 169245 SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked and that we have no firm plans to revoke.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
1. Intermediate certificate has an EKU and will be used for SSL, but does not have the id-kp-serverAuth EKU.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
10. String types other than PrintableString and UTF8String in DirectoryString components of names.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
9. dNSName/iPAddress is only in the subject CN, and not in the subjectAltName.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
#1
Number of currently-valid certificates: 12
Latest notBefore: January 1, 2007
Latest notAfter: May 30, 2020
https://bugzilla.mozilla.org/show_bug.cgi?id=737802 explains the situation. As comment 9 says "COMODO need this behaviour until June 2020".
#9
Number of currently-valid certificates: 139
Latest notBefore: June 19, 2008
Latest notAfter: July 29, 2018
#10
Number of currently-valid certificates: 304291
Latest notBefore: June 6, 2015
Latest notAfter: March 19, 2022
For historical reasons we have always used TeletexString for common names that contain the wildcard (*) character and for some other subject attributes under certain conditions. Starting from June 7, 2015, we will use UTF8String instead for such certificates.
Action
Response
ACTION #5: Support for IPv6
A) We support IPv6 for all our CRL and OCSP servers.
Action
Response
ACTION #5: ~ Text Input ~

SecureTrust

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)
A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~
On 10/29/14 Trustwave stopped issuing SHA-1 certificates to be used in public browser environments that would expire after 1/1/2017. Before that policy, 3757 certificates were issued that expire after 1/1/2017. We have also issued 6049 SHA-1 certificates for non-browser environments that expire after 1/1/2017. We will stop issuing any SHA-1 certificates that chain up to roots in Mozilla’s program on or before 12/31/2015 and are considering plans to revoke those that have not expired after 1/1/2017.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
9. dNSName/iPAddress is only in the subject CN, and not in the subjectAltName.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
Trustwave stopped this practice on 10/26/2012. We have 1239 remaining still valid, with the last one expiring on 1/18/2016.
Action
Response
ACTION #5: Support for IPv6
E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]
Action
Response
ACTION #5: ~ Text Input ~
December 31, 2015

Start Commercial (StartCom) Ltd.

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)
A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
C) We are no longer issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~
We will provide the option for SHA1 hashed certificates in particular for devices that can't handle SHA2 (be it client or server side). It's fully understood that such certificates might not work with common browsers and software in the future, but keep it currently as a backward option. Overall certificates are currently issued already with SHA2 hashes by default.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
2. Default values in a SEQUENCE explicitly encoded; e.g. end-entity certificates with basicConstraints extension explicitly encoded to the default value cA:false.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
All - if we stop including it that would be in exactly three years. Though I'm not sure what harm can be caused by including a default value, I assume that a browser should be lenient with that.
Action
Response
ACTION #5: Support for IPv6
E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]
Action
Response
ACTION #5: ~ Text Input ~
Depends on local ISP capabilities upon which we depend. There are some legacy URLs that can't support IPv6.

SwissSign AG

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)
A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
A) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017.
Action
Response
ACTION #3: ~ Text Input ~
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
12. None of the above.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
Action
Response
ACTION #5: Support for IPv6
D) We partly support IPv6. [provide details below]
Action
Response
ACTION #5: ~ Text Input ~
technically implemented, but not used

Swisscom (Switzerland) Ltd

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)
A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
C) We are no longer issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~
We have issued 603 SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by no later than 31.12.2016.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
9. dNSName/iPAddress is only in the subject CN, and not in the subjectAltName.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
There are several hundreds of certificates with this problem. We are still issuing such kind of certificates and the last one:
Valid From 01. June 2015, 11:22:23 UTC (GMT)
Valid Until 31. May 2018, 11:22:23 UTC (GMT)
Action
Response
ACTION #5: Support for IPv6
F) We do not support IPv6, and have no plans to do so.
Action
Response
ACTION #5: ~ Text Input ~

Symantec / GeoTrust

 
Action
Response
ACTION #1: Confirm Primary Point of Contact (POC)
B) The Primary POC for our CA has changed.
Action
Response
ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.
Action
Response
ACTION #2: ~ Text Input ~
We will publish the latest Audit attestation by July 15, 2015.
Action
Response
ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
Action
Response
ACTION #3: ~ Text Input ~
We plan to stop issuing SHA-1 SSL certs starting Jan 1, 2016. Per CABF rules, we are not actively revoking SHA-1 certs mandatorily; we are highly encouraging customers to replace their long-living SHA-1 certs with SHA-2 certs. There are exceptions where there are non-web uses of our SSL certs where the customer may choose to not replace their SHA-1 cert with a SHA-2 cert.
Action
Response
ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
10. String types other than PrintableString and UTF8String in DirectoryString components of names.
Action
Response
ACTION #4: ~ Text Input ~ Data about each item selected above
We issue many certs having T61STRING encoding in Subject DN.
Action
Response
ACTION #5: Support for IPv6
E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]
Action
Response
ACTION #5: ~ Text Input ~
We plan to support IPv6 for CRL and OCSP requests by end of March 2016.

Symantec / TC TrustCenter

ACTION #1: Confirm Primary Point of Contact (POC)
Response: B) The Primary POC for our CA has changed.

ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
Response: E) We do not have a current public-facing Baseline Requirements audit statement for this root certificate, because [explain reason below -- If phasing out use of the root then indicate date when the certs expire or when the root may be removed].

ACTION #2: ~ Text Input ~
Response: Not using the TC TrustCenter roots. They are being removed from NSS.

ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
Response: D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].

ACTION #3: ~ Text Input ~
Response: We plan to stop issuing SHA-1 SSL certs starting Jan 1, 2016. Per CABF rules, we are not actively revoking SHA-1 certs mandatorily; we are highly encouraging customers to replace their long-living SHA-1 certs with SHA-2 certs. There are exceptions where there are non-web uses of our SSL certs where the customer may choose to not replace their SHA-1 cert with a SHA-2 cert.

ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
Response: 10. String types other than PrintableString and UTF8String in DirectoryString components of names.

ACTION #4: ~ Text Input ~ Data about each item selected above
Response: We issue many certs having T61STRING encoding in Subject DN.

ACTION #5: Support for IPv6
Response: E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]

ACTION #5: ~ Text Input ~
Response: We plan to support IPv6 for CRL and OCSP requests by end of March 2016.

Symantec / Thawte

ACTION #1: Confirm Primary Point of Contact (POC)
Response: B) The Primary POC for our CA has changed.

ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
Response: A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.

ACTION #2: ~ Text Input ~
Response: We will publish the latest Audit attestation by July 15, 2015.

ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
Response: D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].

ACTION #3: ~ Text Input ~
Response: We plan to stop issuing SHA-1 SSL certs starting Jan 1, 2016. Per CABF rules, we are not actively revoking SHA-1 certs mandatorily; we are highly encouraging customers to replace their long-living SHA-1 certs with SHA-2 certs. There are exceptions where there are non-web uses of our SSL certs where the customer may choose to not replace their SHA-1 cert with a SHA-2 cert.

ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
Response: 10. String types other than PrintableString and UTF8String in DirectoryString components of names.

ACTION #4: ~ Text Input ~ Data about each item selected above
Response: We issue many certs having T61STRING encoding in Subject DN.

ACTION #5: Support for IPv6
Response: E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]

ACTION #5: ~ Text Input ~
Response: We plan to support IPv6 for CRL and OCSP requests by end of March 2016.

Symantec / VeriSign

ACTION #1: Confirm Primary Point of Contact (POC)
Response: B) The Primary POC for our CA has changed.

ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
Response: A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.

ACTION #2: ~ Text Input ~
Response: We will publish the latest Audit attestation by July 15, 2015.

ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
Response: D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].

ACTION #3: ~ Text Input ~
Response: We plan to stop issuing SHA-1 SSL certs starting Jan 1, 2016. Per CABF rules, we are not actively revoking SHA-1 certs mandatorily; we are highly encouraging customers to replace their long-living SHA-1 certs with SHA-2 certs. There are exceptions where there are non-web uses of our SSL certs where the customer may choose to not replace their SHA-1 cert with a SHA-2 cert.

ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
Response: 10. String types other than PrintableString and UTF8String in DirectoryString components of names.

ACTION #4: ~ Text Input ~ Data about each item selected above
Response: We issue many certs having T61STRING encoding in Subject DN.

ACTION #5: Support for IPv6
Response: E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]

ACTION #5: ~ Text Input ~
Response: We plan to support IPv6 for CRL and OCSP requests by end of March 2016.

T-Systems International GmbH (Deutsche Telekom)

ACTION #1: Confirm Primary Point of Contact (POC)
Response: A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.

ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
Response: A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.

ACTION #2: ~ Text Input ~
Response:

ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
Response: D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].

ACTION #3: ~ Text Input ~
Response: We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by December 31, 2015. We have issued 32262 SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked. We do not plan to revoke any SHA-1 Certificates.

ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
Response: 2. Default values in a SEQUENCE explicitly encoded; e.g. end-entity certificates with basicConstraints extension explicitly encoded to the default value cA:false.

ACTION #4: ~ Text Input ~ Data about each item selected above
Response:

ACTION #5: Support for IPv6
Response: D) We partly support IPv6. [provide details below]

ACTION #5: ~ Text Input ~
Response: At the moment, we support IPv6 for two out of our six OCSP servers but not CRL servers. We plan to support IPv6 for all OCSP- and all CRL servers at the beginning of 2016.

Taiwan-CA Inc. (TWCA)

ACTION #1: Confirm Primary Point of Contact (POC)
Response: A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.

ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
Response: B) Here is the most recent Baseline Requirements audit statement for our certificates that are included in Mozilla’s CA program: [provide link below].

ACTION #2: ~ Text Input ~
Response:
https://cert.webtrust.org/ViewSeal?id=1864 (WTCA)
https://cert.webtrust.org/ViewSeal?id=1865 (EV)
https://www.twca.com.tw/picture/file/COMODO_BaselineRequirements_2015.pdf (BR)

ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
Response: D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].

ACTION #3: ~ Text Input ~
Response: For our root certificates directly included in Mozilla's program: A) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017. However, SHA-1 SSL certificates were issued by our old SHA1 SSL CA that chains up to Comodo's "AddTrust External CA Root". Some of them expire after January 1, 2017. We plan to revoke those SHA-1 SSL certificates in 2017.

ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
Response: 1. Intermediate certificate has an EKU and will be used for SSL, but does not have the id-kp-serverAuth EKU.

ACTION #4: ~ Text Input ~ Data about each item selected above
Response: 3
CN = TWCA Secure SSL Certification Authority OU = Secure SSL Sub-CA O = TAIWAN-CA C = TW 2014/10/28 15:27:56 ~ 2024/10/28 23:59:59
CN = TWCA Global EVSSL Certification Authority OU = Global EVSSL Sub-CA O = TAIWAN-CA C = TW 2012/8/23 09:53:30 GMT ~ 2030/8/23 15:59:59 GMT
CN = TWCA InfoSec User CA OU = User CA O = TAIWAN-CA Inc. C = TW 2012/6/8 09:51:19 ~ 2022/6/8 23:59:59

ACTION #5: Support for IPv6
Response: F) We do not support IPv6, and have no plans to do so.

ACTION #5: ~ Text Input ~
Response:

Telia Company (formerly TeliaSonera)

ACTION #1: Confirm Primary Point of Contact (POC)
Response: A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.

ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
Response: A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.

ACTION #2: ~ Text Input ~
Response:

ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
Response: D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].

ACTION #3: ~ Text Input ~
Response: We plan to completely stop issuing SHA1 SSL certificates Dec 31, 2016. We have issued multiple SHA1 certificates that are valid beyond January 1, 2017 that we have not yet revoked. We plan to revoke them before Dec 31, 2016. Exact count is under investigation.

ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
Response: 12. None of the above.

ACTION #4: ~ Text Input ~ Data about each item selected above
Response: This answer is a strong assumption based on known CA configurations. No full certificate scan was done.

ACTION #5: Support for IPv6
Response: E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]

ACTION #5: ~ Text Input ~
Response: We will probably support IPv6 in three years.

Trend Micro

ACTION #1: Confirm Primary Point of Contact (POC)
Response: A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.

ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
Response: A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.

ACTION #2: ~ Text Input ~
Response:

ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
Response: D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].

ACTION #3: ~ Text Input ~
Response: We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by December 31, 2016. We have issued zero (0) SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [Not Applicable - no SHA-1 certs issued beyond 1-1-2017]. Note: we provide a warning to all customers today that SHA-1 certs have been deprecated, and recommend SHA-256 certs instead.

ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
Response: 12. None of the above.

ACTION #4: ~ Text Input ~ Data about each item selected above
Response:

ACTION #5: Support for IPv6
Response: E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]

ACTION #5: ~ Text Input ~
Response: We do not yet support IPv6, but have a plan to do so by the end of 2015 or the first half of 2016.

Trustis

ACTION #1: Confirm Primary Point of Contact (POC)
Response: A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.

ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
Response: A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.

ACTION #2: ~ Text Input ~
Response:

ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
Response: D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].

ACTION #3: ~ Text Input ~
Response: We have answered d) as no single entry fits our situation. We have emailed Kathleen Wilson with details. We currently have 143 certificates that extend beyond 1 Jan 2017. We plan to revoke these by 31 Dec 2016 but see email to Kathleen referenced above.

ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
Response: 12. None of the above.

ACTION #4: ~ Text Input ~ Data about each item selected above
Response:

ACTION #5: Support for IPv6
Response: F) We do not support IPv6, and have no plans to do so.

ACTION #5: ~ Text Input ~
Response:

TurkTrust

ACTION #1: Confirm Primary Point of Contact (POC)
Response: A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.

ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
Response: B) Here is the most recent Baseline Requirements audit statement for our certificates that are included in Mozilla’s CA program: [provide link below].

ACTION #2: ~ Text Input ~
Response: Actually, we did provide our most recent Audit Statement a while ago. But, through the link provided above we could not see any spreadsheet even though we hit "access the spreadsheet directly" directly. Thus, we cannot confirm through the spreadsheet. Anyway, here is the most recent Audit Report: https://www.tuvit.de/en/certification-overview-1265-trusted-site-etsi-certificates-1334.htm

ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
Response: C) We are no longer issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].

ACTION #3: ~ Text Input ~
Response: We have issued <200> SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by <December 31 2016>.

ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
Response: 12. None of the above.

ACTION #4: ~ Text Input ~ Data about each item selected above
Response:

ACTION #5: Support for IPv6
Response: E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]

ACTION #5: ~ Text Input ~
Response: We do not yet support IPv6, but have a plan to do so when the network backbone of Turkey starts this support; however, this date is not officially announced by the authorities yet.

Verizon Business

ACTION #1: Confirm Primary Point of Contact (POC)
Response: A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.

ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
Response: C) We plan to send Mozilla our current public-facing Baseline Requirements audit statement by [provide date below and explain reason for delay].

ACTION #2: ~ Text Input ~
Response: We plan to send Mozilla our current public-facing Baseline Requirements audit statement by September 30. Our audit year runs from May 1 to April 30. We are in the process of an audit for the May 1, 2014 to April 30, 2015 year. Our auditors typically complete their statement and filing each year in September. During the period of the prior audit, May 1, 2013 to April 30, 2014, we issued certificates that did not contain OCSP pointers and therefore we did not qualify to receive a Baseline Requirements WebTrust seal due to certificate content discrepancy discussed with our auditors. We replaced all our operational products with compliant designs in February 2014 and then engaged 2 CDNs to help handle the traffic load of OCSP on our environment. Mostly by the end of Q2 with some in Q3, we migrated managed customers into BR-compliant certificate content. It is our assurance and public statement that during the time since the Baseline Requirements were referenced by Mozilla policy, the validation practices stated in them have been integrated into our RA Office's operations manual, training, and periodic employee exams. We anticipate receipt of a BR seal in this year's audit. Any certificate content compliance at the beginning of the audit period is demonstrated as remedied by the end of the audit period. Our management assertions will address findings in the audit related to this transition period.

ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
Response: D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].

ACTION #3: ~ Text Input ~
Response: We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by December 31, 2015. We have issued 32,221 SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by December 31, 2016. We continue to receive support requests from customers migrated to SHA256 products indicating that they need a SHA-1 alternative. As a global provider with a focus on very large enterprise, our customer profile uses servers and user agents that are outside the apache-Firefox world. Several of our customers have either built or contracted to build their own servers and clients. Some are subject to firmware-based embedment and lack of an OTA/OTW update process. Many vendors outside the B of CABF do not follow the industry change led by Mozilla and its peers. In these situations, we attempt to exert our influence to gain progress toward SHA-2 support, but we face long roadmaps and QA regression testing responses. Ultimately, we need to enable the most secure option available for a deeply entrenched solution. Operating that service with a publicly trusted certificate vetted by an audited team where the service happens to rely on SHA-1 for a bit longer is that option for the near future. We have clearly and extensively documented the SHA-2 migration to all our customers, relying not only on Mozilla's influence but Google's as well. When we are asked to support SHA-1, we ask for the details of the situation and we attempt to contact vendors involved to determine when SHA-2 will reach their products. In some cases, our customers will operate a down-version product for months or years due to it suiting their needs and due to the cost of upgrading across a massive footprint.

ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
Response: 12. None of the above.

ACTION #4: ~ Text Input ~ Data about each item selected above
Response:

ACTION #5: Support for IPv6
Response: E) We do not yet support IPv6, but have a plan to do so [provide implementation dates below]

ACTION #5: ~ Text Input ~
Response: We expect to support IPv6 by the end of the year. Our CDN destinations are ready, our DNS is not.

Visa

ACTION #1: Confirm Primary Point of Contact (POC)
Response: A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.

ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
Response: A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.

ACTION #2: ~ Text Input ~
Response:

ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
Response: D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].

ACTION #3: ~ Text Input ~
Response: We plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by 01/14/2016. We are still evaluating the impact/number of the certificates that are valid beyond January 1, 2017. We will have them revoked by 12/31/2016.

ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
Response: 12. None of the above.

ACTION #4: ~ Text Input ~ Data about each item selected above
Response:

ACTION #5: Support for IPv6
Response: F) We do not support IPv6, and have no plans to do so.

ACTION #5: ~ Text Input ~
Response:

Web.com

ACTION #1: Confirm Primary Point of Contact (POC)
Response: A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.

ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
Response: A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.

ACTION #2: ~ Text Input ~
Response:

ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
Response: D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].

ACTION #3: ~ Text Input ~
Response: We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by January 1, 2016. We have issued 23833 SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked and that we have no firm plans to revoke.

ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
Response: 10. String types other than PrintableString and UTF8String in DirectoryString components of names.

ACTION #4: ~ Text Input ~ Data about each item selected above
Response: #10
Number of currently-valid certificates: 14175
Latest notBefore: June 6, 2015
Latest notAfter: February 18, 2020
For historical reasons we have always used TeletexString for common names that contain the wildcard (*) character and for some other subject attributes under certain conditions. Starting from June 7, 2015, we will use UTF8String instead for such certificates.

ACTION #5: Support for IPv6
Response: A) We support IPv6 for all our CRL and OCSP servers.

ACTION #5: ~ Text Input ~
Response:

Wells Fargo Bank N.A.

ACTION #1: Confirm Primary Point of Contact (POC)
Response: A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.

ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
Response: B) Here is the most recent Baseline Requirements audit statement for our certificates that are included in Mozilla’s CA program: [provide link below].

ACTION #2: ~ Text Input ~
Response: https://www.wellsfargo.com/repository We are awaiting the delivery of our most recent audit results including a newly updated WebTrust seal. It should arrive in the next 3 weeks.

ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
Response: D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].

ACTION #3: ~ Text Input ~
Response: We plan to cease issuance of SHA-1 certificates by 12-31-2015 so that there will be no SHA-1 certificates with a validity period ending beyond January 1, 2017.

ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
Response: 12. None of the above.

ACTION #4: ~ Text Input ~ Data about each item selected above
Response:

ACTION #5: Support for IPv6
Response: F) We do not support IPv6, and have no plans to do so.

ACTION #5: ~ Text Input ~
Response:

WoSign CA Limited

ACTION #1: Confirm Primary Point of Contact (POC)
Response: A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.

ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
Response: A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.

ACTION #2: ~ Text Input ~
Response: BR link is correct.

ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
Response: C) We are no longer issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].

ACTION #3: ~ Text Input ~
Response: We issued about 187 SHA1 certs that exceed Jan 1, 2017; 8 certs are OV SSL, and 179 certs are free DV SSL certificates. We are trying to contact subscribers to replace them ASAP; the revoke deadline is June 30, 2015. We stopped issuing this kind of SHA1 cert from Feb. 12, 2015.

ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
Response: 12. None of the above.

ACTION #4: ~ Text Input ~ Data about each item selected above
Response:

ACTION #5: Support for IPv6
Response: F) We do not support IPv6, and have no plans to do so.

ACTION #5: ~ Text Input ~
Response: But if the IPv6 support is the BR request, then we can upgrade our system to support it.

certSIGN

ACTION #1: Confirm Primary Point of Contact (POC)
Response: A) I am the Primary POC, and the SalesForce Community Plus License should be sent to me.

ACTION #2: Confirm Mozilla has your recent Baseline Requirements audit statement
Response: A) Mozilla’s spreadsheet of included root certificates [https://wiki.mozilla.org/CA:IncludedCAs] has the correct link to our most recent Baseline Requirements audit statement.

ACTION #2: ~ Text Input ~
Response:

ACTION #3: Progress on eliminating use of SHA-1 signature algorithm in certs
Response: A) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017.

ACTION #3: ~ Text Input ~
Response:

ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
Response: 2. Default values in a SEQUENCE explicitly encoded; e.g. end-entity certificates with basicConstraints extension explicitly encoded to the default value cA:false.

ACTION #4: Certificates with problems identified when we moved to mozilla::pkix
Response: 3. The pathLenConstraint field is included when the cA boolean is false.

ACTION #4: ~ Text Input ~ Data about each item selected above
Response: We have issued 208 SSL certificates which have the selected issues; the last certificate will expire on 3rd June 2016. We plan to have fixed these issues by the end of June 2015.

ACTION #5: Support for IPv6
Response: F) We do not support IPv6, and have no plans to do so.

ACTION #5: ~ Text Input ~
Response: