Greetings, This message begins a *three-week public discussion* regarding a request by *SECOM Trust Systems CO., LTD.* for approval of *JPRS* as an *externally-operated, non-technically-constrained subordinate CA* under section 8.4 of Mozilla’s Root Store Policy [1] <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#84-externally-operated-subordinate-cas> as well as guidance found in the Mozilla CA wiki [2] <https://wiki.mozilla.org/CA/External_Sub_CAs>.
*Overview of the Process* When a subordinate CA is operated by a third party and is not technically constrained, Mozilla requires a formal approval process before certificate issuance may begin. This process is intended to ensure that externally-operated subordinate CAs are held to the same level of accountability as approved CA operators, while providing a process with a narrower scope than one for full root inclusion. Unlike root inclusions, this approval process is not performed on a per-certificate basis but evaluates the qualifications of the subordinate CA operator to issue a specific type of certificate (e.g., TLS, S/MIME, or both), provided that the subordinate CA continues to comply with applicable policies, practices, and audit scope. Approval under this process does not diminish the responsibility of the root CA operator. As stated in MRSP §8.4, the root CA operator remains fully and ultimately accountable for all certificates issued under its root, including those issued by externally-operated subordinate CAs. *Summary of the Request* - *Root CA Operator:* SECOM Trust Systems CO., LTD. - *Subordinate CA Operator:* JPRS (Japan Registry Services Co., Ltd.) - *Type of CA:* Externally-operated subordinate CA - *Certificate Types:* TLS server authentication - *Purpose:* Approval of JPRS, as an entity, to operate as an externally-operated subordinate CA under SECOM’s publicly trusted root, for the issuance of TLS certificates, subject to Mozilla policy. - *Approval Request in Bugzilla:* Bug # 1941966 [3] <https://bugzilla.mozilla.org/show_bug.cgi?id=1941966> *Documentation and Review* The root CA operator (SECOM) has provided the required documentation for this request, both in Bugzilla and the CCADB, beginning with Comment 3 [4] <https://bugzilla.mozilla.org/show_bug.cgi?id=1941966#c3> in the bug, including: *1. Identity* - Japan Registry Services Co., Ltd (*JPRS has operated as a subordinate CA of SECOM for at least 10 years*) *2. Website URL* - https://jprs.jp/ *3. CA Hierarchy* *SECOM’s Security Communication RootCA2 * JPRS Domain Validation Authority - G4 JPRS Organization Validation Authority - G4 *SECOM’s Security Communication ECC RootCA1* JPRS DV ECC CA 2024 G1 JPRS OV ECC CA 2024 G1 *SECOM TLS RSA Root CA 2024* JPRS DV RSA CA 2024 G1 JPRS OV RSA CA 2024 G1 *4. Certificate Profiles* [5] <https://bugzilla.mozilla.org/attachment.cgi?id=9459795> *5. CP/CPS* (v. 2.10 dated Nov. 28, 2025) JPRS-CPCPS-en.pdf [6] <https://jprs.jp/pubcert/info/repository/JPRS-CPCPS-en.pdf> JPRS-CPCPS-en.md [7] <https://jprs.jp/pubcert/info/repository/JPRS-CPCPS-en.md> *6. Audit Information* Standard Webtrust Audit [8] <https://www.cpacanada.ca/api/getPDFWebTrust?attachmentId=941b8d1b-4c26-40c2-8dab-17159e9f1ac4> Baseline Requirements Webtrust Audit [9] <https://www.cpacanada.ca/api/getPDFWebTrust?attachmentId=cb5de8d1-f9db-4a6e-a461-9b14361d2e26> Network Security Webtrust Audit [10] <https://www.cpacanada.ca/api/getPDFWebTrust?attachmentId=517f0f07-0d89-4114-8970-745cd0ea1688> *7. JPRS’s Self Assessment *(v.1.5) dated Aug. 22, 2025 [11] <https://bugzilla.mozilla.org/attachment.cgi?id=9509482> *8. Value Justification* [12] <https://bugzilla.mozilla.org/show_bug.cgi?id=1941966#c6> *9. Additional Information from the CCADB* ACME Directory URLc-n [13] <https://acme.amecert.jprs.jp/DV/getDirectory> DV Automation Test Certificate Website [14] <https://dvrsa2024v.secomtrust-verification.com> SECOM has reviewed and verified the completeness and accuracy of the required documentation. A Mozilla representative has performed an independent review of the subordinate CA’s policy and audit materials. *Public Discussion* This public discussion will remain open for three weeks, concluding on February 23, 2026. Community members are invited to review the documentation and provide comments, questions, or concerns related to: - Compliance with Mozilla Root Store Policy - Audit coverage and scope - Domain validation practices - Risk considerations associated with externally-operated subordinate CAs - Any other matters of concern SECOM and JPRS are expected to monitor this discussion and respond to questions as appropriate. At the conclusion of the discussion period, Mozilla will: - Summarize the discussion and feedback - Record an approval or rejection decision in the discussion thread and in Bugzilla - Update the CCADB accordingly If approved, JPRS may operate as an externally-operated subordinate CA under SECOM’s root for the approved certificate type (TLS), subject to continued compliance with Mozilla policy. Thank you for your participation in this review. Ben Wilson Mozilla Root Program *References:* [1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#84-externally-operated-subordinate-cas [2] https://wiki.mozilla.org/CA/External_Sub_CAs [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1941966 [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1941966#c3 [5] https://bugzilla.mozilla.org/attachment.cgi?id=9459795 [6] https://jprs.jp/pubcert/info/repository/JPRS-CPCPS-en.pdf [7] https://jprs.jp/pubcert/info/repository/JPRS-CPCPS-en.md [8] https://www.cpacanada.ca/api/getPDFWebTrust?attachmentId=941b8d1b-4c26-40c2-8dab-17159e9f1ac4 [9] https://www.cpacanada.ca/api/getPDFWebTrust?attachmentId=cb5de8d1-f9db-4a6e-a461-9b14361d2e26 [10] https://www.cpacanada.ca/api/getPDFWebTrust?attachmentId=517f0f07-0d89-4114-8970-745cd0ea1688 [11] https://bugzilla.mozilla.org/attachment.cgi?id=9509482 [12] https://bugzilla.mozilla.org/show_bug.cgi?id=1941966#c6 [13] https://acme.amecert.jprs.jp/DV/getDirectory [14] https://dvrsa2024v.secomtrust-verification.com -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabWSCEvkU9_LjPb-vnLoyznszPVGGxqB7awvjhm-xbACA%40mail.gmail.com.
