All,

On July 5, 2022, we began a three-week public discussion[1] on the request
from SECOM for inclusion of its two root certificates, the Security
Communication RootCA3 and the Security Communication ECC RootCA1 (Step 4
of the Mozilla Root Store CA Application Process[2]).

*Summary of Discussion and Completion of Action Items [Application Process,
Steps 5-8]:*

We did not receive any objections or other questions or comments in
opposition to SECOM’s request. I do not believe that there are any action
items for SECOM to complete.

*Close of Public Discussion and Intent to Approve [Application Process,
Steps 9-10]:*

This is notice that I am closing public discussion (Application Process,
Step 9) and that it is Mozilla’s intent to approve SECOM’s request (Step
10).

This begins a 7-day “last call” period for any final objections.

Thanks,

Ben

[1]
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/d3LIsEHnJkc/m/RJ223GFbAgAJ

[2] https://wiki.mozilla.org/CA/Application_Process#Process_Overview

On Tue, Jul 5, 2022 at 4:26 PM Ben Wilson <bwil...@mozilla.com> wrote:

> All,
>
> This is to announce the beginning of the public discussion phase of the
> Mozilla root CA inclusion process (
> https://wiki.mozilla.org/CA/Application_Process#Process_Overview - Steps
> 4 through 9) for SECOM Trust Systems’ inclusion request (Bug # 1313982
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1313982>, CCADB Case # 84
> <https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000084>)
> for the following two root CA certificates:
>
> *Security Communication RootCA3 (websites and email trust bits)*
>
> Download – https://repository.secomtrust.net/SC-Root3/SCRoot3ca.cer
>
> crt.sh -
> https://crt.sh/?sha256=24A55C2AB051442D0617766541239A4AD032D7C55175AA34FFDE2FBC4F5C5294
>
> *Security Communication ECC RootCA1 (websites and email trust bits)*
>
> Download –
> https://repository.secomtrust.net/SC-ECC-Root1/SCECCRoot1ca.cer
>
> crt.sh -
> https://crt.sh/?sha256=E74FBDA55BD564C473A36B441AA799C8A68E077440E8288B9FA1E50E4BBACA11
>
>
> Mozilla is considering approving SECOM’s request to add these two roots as
> trust anchors with the websites and email trust bits enabled. SECOM is not
> seeking enablement for Extended Validation (EV) under the CA/Browser
> Forum’s EV Guidelines.
>
>
> *Repository:* The SECOM document repository is located here:
> https://repository.secomtrust.net.
>
> *Relevant Policy and Practices Documents are as follows:*
>
> Security Communication RootCA Subordinate CA Certificate Policy, v. 5.19,
> dated June 10, 2022,
>
> https://repository.secomtrust.net/SC-Root/SCRootCP1-EN.pdf;
>
> Security Communication RootCA Certification Practice Statement, v. 5.16,
> dated June 10, 2022,
>
> https://repository.secomtrust.net/SC-Root/SCRootCPS-EN.pdf;
>
> SECOM Passport for Web SR Certification Authority Certificate Policy, v.
> 3.0, dated June 10, 2022,
>
> https://repo1.secomtrust.net/spcpp/pfw/pfwsr3ca/PfWSRCA-CP-EN.pdf; and
>
> SECOM Digital Certification Infrastructure Certification Practice
> Statement, v. 2.16, dated June 10, 2022,
>
> https://repo1.secomtrust.net/spcpp/cps/SECOM-CPS-EN.pdf.
>
>
> *Self-Assessments and Mozilla CPS Reviews* are located within Bug #
> 1313982 <https://bugzilla.mozilla.org/show_bug.cgi?id=1313982>:
>
> CA Compliance Self Assessment_20220704.xlsx
> <https://bugzilla.mozilla.org/attachment.cgi?id=9283989>
>
> Comment #41 <https://bugzilla.mozilla.org/show_bug.cgi?id=1313982#c41> –
> Mozilla’s CP/CPS Review
>
> CP-CPS_Review-20220704-final.xlsx
> <https://bugzilla.mozilla.org/attachment.cgi?id=9283988>
>
>
> *Audits:* Annual audits have been performed by KPMG in accordance with
> the WebTrust Principles and Criteria for Certification Authorities. The
> most recent audits available were published in August 2021 for the period
> ending June 6, 2021. See
>
>
> https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=ee0fc63f-baa8-47c5-8353-8065ac4afaa5
> (Standard WebTrust)
>
>
> https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=2fc14557-e88f-47d7-85ed-33a35a3ce655
> (WebTrust Baseline Requirements and Network and Certificate System Security
> Requirements)
>
>
> *Incidents*
>
> Here are the Bugzilla incidents involving SECOM with an "open" status
> during this past year:
>
> 1695786 <https://bugzilla.mozilla.org/show_bug.cgi?id=1695786>
> Unqualified domain name of "sgnwffw001" in SAN extension
>
> 1695938 <https://bugzilla.mozilla.org/show_bug.cgi?id=1695938> FUJIFILM
> intermediate not listed in audit statement
>
> 1705480 <https://bugzilla.mozilla.org/show_bug.cgi?id=1705480> CP/CPS
> does not clearly specify domain validation methods
>
> 1707229 <https://bugzilla.mozilla.org/show_bug.cgi?id=1707229>  Delayed
> Revocation of non-technically constrained FUJIFILM Certificates
>
> 1717044 <https://bugzilla.mozilla.org/show_bug.cgi?id=1717044>  CA
> Certificates Missing from Audit Reports
>
> 1735998 <https://bugzilla.mozilla.org/show_bug.cgi?id=1735998>  Root CRLs
> exceed maximum validity period by 1 second
>
> 1769222 <https://bugzilla.mozilla.org/show_bug.cgi?id=1769222>  Failed an
> annual update of Cybertrust Japan (CTJ) CPS
>
>
>
> I have no further questions or concerns about SECOM’s inclusion request;
> however, I urge anyone with concerns or questions to raise them on this
> list by replying directly in this discussion thread. Likewise, a
> representative of SECOM must promptly respond directly in the discussion
> thread to all questions that are posted.
>
> This email begins a 3-week period for public discussion and comment, which
> I’m scheduling to close on or about July 27, 2022, after which, if no
> concerns are raised, we will close the discussion and the request may
> proceed to the approval phase (Step 10).
>
>
> Sincerely yours,
>
> Ben Wilson
>
> Mozilla Root Program Manager
>
