All,

This email commences a six-week public discussion of D-Trust’s request to
include the following certificates as publicly trusted root certificates in
one or more CCADB Root Store Member’s program. This discussion period is
scheduled to close on October 24, 2024.

The purpose of this public discussion process is to promote openness and
transparency. However, each Root Store makes its inclusion decisions
independently, on its own timelines, and based on its own inclusion
criteria. Successful completion of this public discussion process does not
guarantee any favorable action by any root store.

Anyone with concerns or questions is urged to raise them on this CCADB
Public list by replying directly in this discussion thread. Likewise, a
representative of the applicant must promptly respond directly in the
discussion thread to all questions that are posted.

CCADB Case Number: 00001362
<https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001362>
and 00001363
<https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001363>

Organization Background Information (listed in the CCADB):

   - CA Owner Name: D-Trust
   - Website: https://www.d-trust.net/en
   - Address: Kommandantenstr. 15, Berlin, 10969, Germany
   - Problem Reporting Mechanisms:
     https://www.d-trust.net/en/support/reporting-certificate-problem
   - Organization Type: Government Agency
   - Repository URL: https://www.bundesdruckerei.de/en/Repository

Certificates Requesting Inclusion:


   1. D-TRUST EV Root CA 2 2023:
      - Certificate download links: CA Repository
        <https://www.d-trust.net/cgi-bin/D-TRUST_EV_Root_CA_2_2023.crt> / crt.sh
        <https://crt.sh/?q=8E8221B2E7D4007836A1672F0DCC299C33BC07D316F132FA1A206D587150F1CE>
      - Use cases served/EKUs:
         - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
         - Client Authentication 1.3.6.1.5.5.7.3.2
      - Test websites:
         - Valid: https://certdemo-ev-valid-rsa.tls.d-trust.net/
         - Revoked: https://certdemo-ev-revoked-rsa.tls.d-trust.net/
         - Expired: https://certdemo-ev-expired-rsa.tls.d-trust.net/
      - Replacement notice: D-Trust has communicated intent to use this
        applicant root to replace D-TRUST Root Class 3 CA 2 EV 2009
        <https://crt.sh/?q=EEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881>
        in some root stores, with the replacement taking place approximately on
        September 1, 2026.

   2. D-TRUST BR Root CA 2 2023:
      - Certificate download links: CA Repository
        <https://www.d-trust.net/cgi-bin/D-TRUST_BR_Root_CA_2_2023.crt> / crt.sh
        <https://crt.sh/?q=0552E6F83FDF65E8FA9670E666DF28A4E21340B510CBE52566F97C4FB94B2BD1>
      - Use cases served/EKUs:
         - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
         - Client Authentication 1.3.6.1.5.5.7.3.2
      - Test websites:
         - Valid: https://certdemo-dv-valid-rsa.tls.d-trust.net/
         - Revoked: https://certdemo-dv-revoked-rsa.tls.d-trust.net/
         - Expired: https://certdemo-dv-expired-rsa.tls.d-trust.net/
      - Replacement notice: D-Trust has communicated intent to use this
        applicant root to replace D-TRUST Root Class 3 CA 2 2009
        <https://crt.sh/?q=49e7a442acf0ea6287050054b52564b650e4f49e42e348d6aa38e039e957b1c1>
        in some root stores, with the replacement taking place approximately on
        September 1, 2026.


Existing Publicly Trusted Root CAs from D-Trust:

   1. D-TRUST BR Root CA 1 2020:
      - Certificate download links: (CA Repository
        <https://www.d-trust.net/cgi-bin/D-TRUST_BR_Root_CA_1_2020.crt> / crt.sh
        <https://crt.sh/?q=E59AAA816009C22BFF5B25BAD37DF306F049797C1F81D85AB089E657BD8F0044>)
      - Use cases served/EKUs:
         - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
         - Client Authentication 1.3.6.1.5.5.7.3.2
      - Certificate corpus: here
        <https://search.censys.io/search?resource=certificates&q=E59AAA816009C22BFF5B25BAD37DF306F049797C1F81D85AB089E657BD8F0044%09+and+labels%3Dever-trusted>
        (Censys login required)
      - Included in: Google Chrome, Mozilla

   2. D-Trust SBR Root CA 1 2022:
      - Certificate download links: (CA Repository
        <http://www.d-trust.net/cgi-bin/D-Trust_SBR_Root_CA_1_2022.crt> / crt.sh
        <https://crt.sh/?q=D92C171F5CF890BA428019292927FE22F3207FD2B54449CB6F675AF4922146E2>)
      - Use cases served/EKUs:
         - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4;
         - Client Authentication 1.3.6.1.5.5.7.3.2;
         - Document Signing AATL 1.2.840.113583.1.1.5;
         - Document Signing MS 1.3.6.1.4.1.311.10.3.12
      - Certificate corpus: N/A
      - Included in: Mozilla

   3. D-Trust SBR Root CA 2 2022:
      - Certificate download links: (CA Repository
        <http://www.d-trust.net/cgi-bin/D-Trust_SBR_Root_CA_2_2022.crt> / crt.sh
        <https://crt.sh/?q=DBA84DD7EF622D485463A90137EA4D574DF8550928F6AFA03B4D8B1141E636CC>)
      - Use cases served/EKUs:
         - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4;
         - Client Authentication 1.3.6.1.5.5.7.3.2;
         - Document Signing AATL 1.2.840.113583.1.1.5;
         - Document Signing MS 1.3.6.1.4.1.311.10.3.12
      - Certificate corpus: N/A
      - Included in: Mozilla

   4. D-TRUST EV Root CA 1 2020:
      - Certificate download links: (CA Repository
        <https://www.d-trust.net/cgi-bin/D-TRUST_EV_Root_CA_1_2020.crt> / crt.sh
        <https://crt.sh/?q=08170D1AA36453901A2F959245E347DB0C8D37ABAABC56B81AA100DC958970DB>)
      - Use cases served/EKUs:
         - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
         - Client Authentication 1.3.6.1.5.5.7.3.2
      - Certificate corpus: here
        <https://search.censys.io/search?resource=certificates&q=08170D1AA36453901A2F959245E347DB0C8D37ABAABC56B81AA100DC958970DB+and+labels%3Dever-trusted>
        (Censys login required)
      - Included in: Google Chrome, Mozilla

   5. D-TRUST Root CA 3 2013:
      - Certificate download links: (CA Repository
        <https://www.d-trust.net/cgi-bin/D-TRUST_Root_CA_3_2013.crt> / crt.sh
        <https://crt.sh/?q=A1A86D04121EB87F027C66F53303C28E5739F943FC84B38AD6AF009035DD9457>)
      - Use cases served/EKUs:
         - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4;
         - Client Authentication 1.3.6.1.5.5.7.3.2;
         - Document Signing AATL 1.2.840.113583.1.1.5;
         - Document Signing MS 1.3.6.1.4.1.311.10.3.12
      - Certificate corpus: N/A
      - Included in: Apple, Microsoft, Mozilla

   6. D-TRUST Root Class 3 CA 2 2009:
      - Certificate download links: (CA Repository
        <https://www.d-trust.net/cgi-bin/D-TRUST_Root_Class_3_CA_2_2009.crt> / crt.sh
        <https://crt.sh/?q=49E7A442ACF0EA6287050054B52564B650E4F49E42E348D6AA38E039E957B1C1>)
      - Use cases served/EKUs:
         - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1;
         - Client Authentication 1.3.6.1.5.5.7.3.2
      - Certificate corpus: here
        <https://search.censys.io/search?resource=certificates&q=49E7A442ACF0EA6287050054B52564B650E4F49E42E348D6AA38E039E957B1C1+and+labels%3Dever-trusted>
        (Censys login required)
      - Included in: Apple, Google Chrome, Microsoft, Mozilla

   7. D-TRUST Root Class 3 CA 2 EV 2009:
      - Certificate download links: (CA Repository
        <https://www.d-trust.net/cgi-bin/D-TRUST_Root_Class_3_CA_2_EV_2009.crt> / crt.sh
        <https://crt.sh/?q=EEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881>)
      - Use cases served/EKUs:
         - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1;
         - Client Authentication 1.3.6.1.5.5.7.3.2
      - Certificate corpus: here
        <https://search.censys.io/search?resource=certificates&q=EEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881+and+labels%3Dever-trusted>
        (Censys login required)
      - Included in: Apple, Google Chrome, Microsoft, Mozilla


Relevant Policy and Practices Documentation:

   - CP: http://www.d-trust.net/internet/files/D-TRUST_CP.pdf
   - CPS: http://www.d-trust.net/internet/files/D-TRUST_CSM_PKI_CPS.pdf
   - TSPS: https://www.d-trust.net/internet/files/D-TRUST_TSPS.pdf

Most Recent Self-Assessment:

   - https://bugzilla.mozilla.org/attachment.cgi?id=9361619 (completed
     10/30/2023)

Audit Statements:

   - Auditor: TÜViT - TÜV Informationstechnik GmbH
   - Audit Criteria: ETSI
   - Recent Audit Statement(s):
      - Key Generation
        <https://www.tuev-nord.de/fileadmin/Content/TUEV_NORD_DE/zertifizierung/Zertifikate/en/AA2023062801_D-Trust_Root_Ceremony_2023-05_PIT_V2.0.pdf>
        (May 9, 2023)
      - Standard Audit
        <https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2023121501_D-Trust-CAs_Standard_Audit_V1.0.pdf>
        (Period: October 8, 2022 to October 7, 2023)
      - TLS BR Audit
        <https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2023121501_D-Trust-CAs_TLS-BR_Audit_V1.0.pdf>
        (Period: October 8, 2022 to October 7, 2023)
      - TLS EVG Audit
        <https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2023121501_D-Trust-CAs_TLS-EV_Audit_V1.0.pdf>
        (Period: October 8, 2022 to October 7, 2023)

Incident Summary (Bugzilla incidents from previous 24 months):

   - 1682270 <https://bugzilla.mozilla.org/show_bug.cgi?id=1682270>: D-TRUST:
     Private Key Disclosed by Customer as Part of CSR
   - 1691117 <https://bugzilla.mozilla.org/show_bug.cgi?id=1691117>: D-TRUST:
     Certificate with RSA key where modulus is not divisible by 8
   - 1756122 <https://bugzilla.mozilla.org/show_bug.cgi?id=1756122>: D-TRUST:
     Wrong key usage (Key Agreement)
   - 1793440 <https://bugzilla.mozilla.org/show_bug.cgi?id=1793440>: D-TRUST:
     CRL not DER-encoded
   - 1861069 <https://bugzilla.mozilla.org/show_bug.cgi?id=1861069>: D-Trust:
     Issuance of 15 DV certificates containing ‘serialNumber’ field within
     subject
   - 1862082 <https://bugzilla.mozilla.org/show_bug.cgi?id=1862082>: D-Trust:
     Delay beyond 5 days in revoking misissued certificate
   - 1879529 <https://bugzilla.mozilla.org/show_bug.cgi?id=1879529>: D-Trust:
     "unknown" OCSP response for issued certificates
   - 1884714 <https://bugzilla.mozilla.org/show_bug.cgi?id=1884714>: D-Trust:
     LDAP-URL in Subscriber Certificate Authority Information Access field
   - 1891225 <https://bugzilla.mozilla.org/show_bug.cgi?id=1891225>: D-Trust:
     Issuance of 15 certificates with incorrect subject attribute order
   - 1893610 <https://bugzilla.mozilla.org/show_bug.cgi?id=1893610>: D-Trust:
     Notice to affected Subscriber and person filing CPR not sent within 24 hours
   - 1896190 <https://bugzilla.mozilla.org/show_bug.cgi?id=1896190>: D-Trust:
     Issuance of an EV certificate containing a mixup of the Subject's
     postalCode and localityName
   - 1913310 <https://bugzilla.mozilla.org/show_bug.cgi?id=1913310>: D-Trust:
     CRL-Entries without required CRL Reason Code


Thank you,

Ryan, on behalf of the CCADB Steering Committee
