All,

This is to announce the beginning of the public discussion phase of the
Mozilla root CA inclusion process (
https://wiki.mozilla.org/CA/Application_Process#Process_Overview - Steps 4
through 9) for Telia’s inclusion request for the Telia Root CA v2 (
https://crt.sh/?id=1199641739).

Mozilla is considering approving Telia’s request to add the root as a trust
anchor with the websites and email trust bits as documented in Bugzilla
#1664161 <https://bugzilla.mozilla.org/show_bug.cgi?id=1664161> and CCADB
Case #660
<https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000660>.


This email begins the 3-week comment period, after which, if no concerns
are raised, we will close the discussion and the request may proceed to the
approval phase (Step 10).

*Summary*

This CA certificate for Telia Root CA v2 is valid from 29-Nov-2018 to
29-Nov-2043.

*SHA2 Certificate Hash:*

242B69742FCB1E5B2ABF98898B94572187544E5B4D9911786573621F6A74B82C

*Root Certificate Downloads:*

https://support.trust.telia.com/repository/teliarootcav2_selfsigned.cer

https://support.trust.telia.com/repository/teliarootcav2_selfsigned.pem


*CP/CPS:*  Effective October 14, 2021, the current CPS for the Telia Root
CA v2 may be downloaded here:

https://cps.trust.telia.com/Telia_Server_Certificate_CPS_v4.4.pdf (v.4.4).

Repository location: https://cps.trust.telia.com/


*Test Websites:*

Valid - https://juolukka.cover.telia.fi:10603/

Revoked - https://juolukka.cover.telia.fi:10604/

Expired - https://juolukka.cover.telia.fi:10605/



*BR Self Assessment* (PDF) is located here:
https://support.trust.telia.com/download/CA/Telia_CA_BR_Self_Assessment.pdf

*Audits:*  Annual audits are performed by KPMG. The most recent audits were
completed for the period ending March 31, 2021, according to WebTrust audit
criteria. The standard WebTrust audit (in accordance with v.2.2.1)
contained no adverse findings.  The WebTrust Baseline Requirements audit
(in accordance with v.2.4.1) was qualified based on the fact that the Telia
Root CA v1 certificate <https://crt.sh/?id=989582> did not include
subject:countryName. (The Telia Root CA v2 contains a subject:countryName
of “FI”.)

Attachment B to the WebTrust Baseline Requirements audit report listed
eight (8) Bugzilla bugs for incidents open during the 2020-2021 audit
period, which are now resolved as fixed.  They were as follows:

*Link to Bugzilla Bug* - *Matter description*

https://bugzilla.mozilla.org/show_bug.cgi?id=1614311 - Two CA certificates not listed in 2020 WebTrust audit report

https://bugzilla.mozilla.org/show_bug.cgi?id=1612332 - Ambiguity on KeyUsage with ECC public key

https://bugzilla.mozilla.org/show_bug.cgi?id=1551372 - One Telia certificate containing a stateOrProvinceName of “Some-State”

https://bugzilla.mozilla.org/show_bug.cgi?id=1649683 - Two Telia’s pre-2012 rootCA certificates aren’t fully compliant with Baseline Requirements

https://bugzilla.mozilla.org/show_bug.cgi?id=1637854 - AIA CA Issuer field pointing to PEM-encoded certificate

https://bugzilla.mozilla.org/show_bug.cgi?id=1674536 - Certificates with RSA keys where modulus is not divisible by 8

https://bugzilla.mozilla.org/show_bug.cgi?id=1565270 - Subject field automatic check in CA system

https://bugzilla.mozilla.org/show_bug.cgi?id=1689589 - Disallowed curve (P-521) in leaf certificate



Recent, open bugs/incidents are the following:

*Link to Bugzilla Bug* - *Matter description*

https://bugzilla.mozilla.org/show_bug.cgi?id=1738207 - Issued three precertificates with non-NIST EC curve

https://bugzilla.mozilla.org/show_bug.cgi?id=1736020 - Invalid email contact address was used for few domains

https://bugzilla.mozilla.org/show_bug.cgi?id=1737808 - Delayed revocation of 5 EE certificates in connection to id=1736020



I have no further questions or concerns about this inclusion request;
however, I urge anyone with concerns or questions to raise them on this list
by replying directly in this discussion thread. Likewise, a representative
of Telia must promptly respond directly in the discussion thread to all
questions that are posted.

Again, this email begins a three-week public discussion period, which I’m
scheduling to close on December 22, 2021.

Sincerely yours,

Ben Wilson

Mozilla Root Program
