Dear All, This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process for the *Certum Trusted Root CA* and the *Certum EC-384 CA*. See https://wiki.mozilla.org/CA/Application_Process#Process_Overview, (Steps 4 through 9).
These two (2) new root CA certificates were created in 2018 and are valid until 2043. They are proposed for inclusion with the email trust bit, the websites bit, and EV enabled. The root CAs are run by an existing CA operator in the Mozilla Root Program - Asseco Data Services (“Asseco”), part of the Asseco Group. Asseco's CA inclusion application has been tracked in the CCADB and in Bugzilla– https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000519 https://bugzilla.mozilla.org/show_bug.cgi?id=1598577 Mozilla is considering approving Asseco’s request. This email begins the 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10). *Root Certificate Information:* *Certum Trusted Root CA * crt.sh – https://crt.sh/?q=FE7696573855773E37A95E7AD4D9CC96C30157C15D31765BA9B15704E1AE78FD https://crt.sh/?id=2224039330 Download - http://repository.certum.pl/ctrca.pem *Certum EC-384 CA * crt.sh – https://crt.sh/?q=6B328085625318AA50D173C98D8BDA09D57E27413D114CF787A0F5D06C030CF6 https://crt.sh/?id=2224044393 Download - https://repository.certum.pl/cec384ca.pem *CP/CPS:* Current CP is Version 4.5, dated 19-Feb-2020. https://files.certum.eu/documents/repsitory/2-cert-policy/CCP-DK02-ZK01-CP-Cert-Serv-4.5.pdf Current CPS is Version 6.9, dated 21-December-2020. https://files.certum.eu/documents/repsitory/3-cert-pract-state/CCP-DK02-ZK02-CPS-Cert-6.9.pdf My review comments to CPS version 6.9 can be found here: https://bugzilla.mozilla.org/show_bug.cgi?id=1598577#c14. Document repository location(s): https://www.certum.eu/en/repository/ https://www.certum.pl/pl/repozytorium/ *Asseco's BR Self-Assessment* (PDF) is located here: https://bugzilla.mozilla.org/attachment.cgi?id=9111193 *Audits:* Asseco received favorable WebTrust audits (Standard, Baseline, and EV) from Ernst & Young sp. z o.o. (E&Y). These were issued on May 18, 2020. Asseco’s most recently ended audit period ended on February 10, 2021, and Asseco expects to receive audit letters for that audit period sometime in April 2021. *Incidents: * For your review, past incidents filed between 2018-2020, now closed, involving Asseco include the following: 1433118 <https://bugzilla.mozilla.org/show_bug.cgi?id=1433118> Certificate with compromised private key not revoked 1435770 <https://bugzilla.mozilla.org/show_bug.cgi?id=1435770> Non-BR-Compliant Issuance - Debian Weak Keys 1451228 <https://bugzilla.mozilla.org/show_bug.cgi?id=1451228> EV certificate mis-issue 1495518 <https://bugzilla.mozilla.org/show_bug.cgi?id=1495518> Unallowed key usage for EC public key (Key Encipherment) 1511459 <https://bugzilla.mozilla.org/show_bug.cgi?id=1511459> Corrupted certificates 1518560 <https://bugzilla.mozilla.org/show_bug.cgi?id=1518560> Use of forbidden subjectPublicKeyInfo algorithm 1524195 <https://bugzilla.mozilla.org/show_bug.cgi?id=1524195> Invalid dnsNames 1550575 <https://bugzilla.mozilla.org/show_bug.cgi?id=1550575> commonName not from subjectAltName entries 1566586 <https://bugzilla.mozilla.org/show_bug.cgi?id=1566586> Overdue Audit Statements 2019 1567062 <https://bugzilla.mozilla.org/show_bug.cgi?id=1567062> Inconsistent disclosure of externally-operated intermediate 1598277 <https://bugzilla.mozilla.org/show_bug.cgi?id=1598277> CA certificates not listed in audit report 1600158 <https://bugzilla.mozilla.org/show_bug.cgi?id=1600158> Failure to revoke intermediate certificates within the BR time period 1600301 <https://bugzilla.mozilla.org/show_bug.cgi?id=1600301> EV Certificates issued with wrong Business Category 1611458 <https://bugzilla.mozilla.org/show_bug.cgi?id=1611458> Invalid value in SAN dNSName 1639502 <https://bugzilla.mozilla.org/show_bug.cgi?id=1639502> Incorrect OCSP response encoding 1667684 <https://bugzilla.mozilla.org/show_bug.cgi?id=1667684> Failure to provide a preliminary report within 24 hours. 1667986 <https://bugzilla.mozilla.org/show_bug.cgi?id=1667986> Invalid stateOrProvinceName field 1668523 <https://bugzilla.mozilla.org/show_bug.cgi?id=1668523> Failure to revoke within 5 days *Test Results**:* These CAs, and their associated test certificates, were checked for revocation processing, misissuances, and EV compatibility, and they passed those tests. Thus, this email begins a three-week public discussion period, which I’m scheduling to close on or about Wednesday, 14-April-2021. A representative of Asseco must promptly respond directly in the discussion thread to all questions that are posted. Sincerely yours, Ben Wilson Mozilla Root Program _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
