All,

This is to announce the beginning of the public discussion phase of the
Mozilla root CA inclusion process (
https://wiki.mozilla.org/CA/Application_Process#Process_Overview - Steps 4
through 9) for SECOM Trust Systems’ inclusion request (Bug # 1313982
<https://bugzilla.mozilla.org/show_bug.cgi?id=1313982>, CCADB Case # 84
<https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000084>)
for the following two root CA certificates:

*Security Communication RootCA3 (websites and email trust bits)*

Download –  https://repository.secomtrust.net/SC-Root3/SCRoot3ca.cer

crt.sh -
https://crt.sh/?sha256=24A55C2AB051442D0617766541239A4AD032D7C55175AA34FFDE2FBC4F5C5294

*Security Communication ECC RootCA1 (websites and email trust bits)*

Download –  https://repository.secomtrust.net/SC-ECC-Root1/SCECCRoot1ca.cer

crt.sh -
https://crt.sh/?sha256=E74FBDA55BD564C473A36B441AA799C8A68E077440E8288B9FA1E50E4BBACA11


Mozilla is considering approving SECOM’s request to add these two roots as
trust anchors with the websites and email trust bits enabled. SECOM is not
seeking enablement for Extended Validation (EV) under the CA/Browser
Forum’s EV Guidelines.


*Repository:* The SECOM document repository is located here:
https://repository.secomtrust.net.

*Relevant Policy and Practices Documents are as follows:*

Security Communication RootCA Subordinate CA Certificate Policy, v. 5.19,
dated June 10, 2022,

https://repository.secomtrust.net/SC-Root/SCRootCP1-EN.pdf;

Security Communication RootCA Certification Practice Statement, v. 5.16,
dated June 10, 2022,

https://repository.secomtrust.net/SC-Root/SCRootCPS-EN.pdf;

SECOM Passport for Web SR Certification Authority Certificate Policy, v.
3.0, dated June 10, 2022,

https://repo1.secomtrust.net/spcpp/pfw/pfwsr3ca/PfWSRCA-CP-EN.pdf; and

SECOM Digital Certification Infrastructure Certification Practice
Statement, v. 2.16, dated June 10, 2022,

https://repo1.secomtrust.net/spcpp/cps/SECOM-CPS-EN.pdf.


*Self-Assessments and Mozilla CPS Reviews* are located within Bug # 1313982
<https://bugzilla.mozilla.org/show_bug.cgi?id=1313982>:

CA Compliance Self Assessment_20220704.xlsx
<https://bugzilla.mozilla.org/attachment.cgi?id=9283989>

Comment #41 <https://bugzilla.mozilla.org/show_bug.cgi?id=1313982#c41> –
Mozilla’s CP/CPS Review

CP-CPS_Review-20220704-final.xlsx
<https://bugzilla.mozilla.org/attachment.cgi?id=9283988>


*Audits:*  Annual audits have been performed by KPMG in accordance with the
WebTrust Principles and Criteria for Certification Authorities. The most
recent audits available were published in August 2021 for the period ending
June 6, 2021.  See

https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=ee0fc63f-baa8-47c5-8353-8065ac4afaa5
(Standard WebTrust)

https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=2fc14557-e88f-47d7-85ed-33a35a3ce655
(WebTrust Baseline Requirements and Network and Certificate System Security
Requirements)


*Incidents*

Here are the Bugzilla incidents involving SECOM with an "open" status
during this past year:

1695786 <https://bugzilla.mozilla.org/show_bug.cgi?id=1695786> Unqualified
domain name of "sgnwffw001" in SAN extension

1695938 <https://bugzilla.mozilla.org/show_bug.cgi?id=1695938> FUJIFILM
intermediate not listed in audit statement

1705480 <https://bugzilla.mozilla.org/show_bug.cgi?id=1705480> CP/CPS does
not clearly specify domain validation methods

1707229 <https://bugzilla.mozilla.org/show_bug.cgi?id=1707229>  Delayed
Revocation of non-technically constrained FUJIFILM Certificates

1717044 <https://bugzilla.mozilla.org/show_bug.cgi?id=1717044>  CA
Certificates Missing from Audit Reports

1735998 <https://bugzilla.mozilla.org/show_bug.cgi?id=1735998>  Root CRLs
exceed maximum validity period by 1 second

1769222 <https://bugzilla.mozilla.org/show_bug.cgi?id=1769222>  Failed an
annual update of Cybertrust Japan (CTJ) CPS



I have no further questions or concerns about SECOM’s inclusion request;
however, I urge anyone with concerns or questions to raise them on this
list by replying directly in this discussion thread. Likewise, a
representative of SECOM must promptly respond directly in the discussion
thread to all questions that are posted.

This email begins a 3-week period for public discussion and comment, which
I’m scheduling to close on or about July 27, 2022, after which, if no
concerns are raised, we will close the discussion and the request may
proceed to the approval phase (Step 10).


Sincerely yours,

Ben Wilson

Mozilla Root Program Manager
