All, This email commences a six-week public discussion of SwissSign’s request to include the following certificates as publicly trusted root certificates in one or more CCADB Root Store’s program. This discussion period is scheduled to close on June 16, 2025.
The purpose of this public discussion process is to promote openness and transparency. However, each Root Store makes its inclusion decisions independently, on its own timelines, and based on its own inclusion criteria. Successful completion of this public discussion process does not guarantee any favorable action by any root store. Anyone with concerns or questions is urged to raise them on this CCADB Public list by replying directly in this discussion thread. Likewise, a representative of SwissSign must promptly respond directly in the discussion thread to all questions that are posted. CCADB Case Number: 00001460 <https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001460> Organization Background Information (listed in CCADB): - CA Owner Name: SwissSign AG - Website: https://www.swisssign.com/ - Address: Sägereistrasse 25, Glattbrugg ZH 8152, Switzerland - Problem Reporting Mechanisms: [email protected]; [email protected] - Organization Type: Public Corporation - Repository URL: https://www.swisssign.com/en/support/repository.html Certificates Requesting Inclusion: 1. SwissSign RSA SMIME Root CA 2022 - 1: - Certificate download links: CA Repository <https://www.swisssign.com/dam/jcr:049189f2-d0e7-4164-a9a4-c0ce4a3eaf77/SwissSign_RSA_SMIME_Root_CA_2022_-_1.pem> / crt.sh <https://crt.sh/?d=7044154542> - SHA-256 Certificate Fingerprint: 9A12C392BFE57891A0C545309D4D9FD567E480CB613D6342278B195C79A7931F - Intended use cases served/EKUs: - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4 - Client Authentication 1.3.6.1.5.5.7.3.2 - Reference Certificates: https://repository.swisssign.com/reference_certs/ 2. SwissSign RSA TLS Root CA 2022 - 1: - Certificate download links: CA Repository <https://www.swisssign.com/dam/jcr:d7bff83f-43e3-4adc-84b2-0b694e84e4d5/SwissSign_RSA_TLS_Root_CA_2022_-_1.pem> / crt.sh <https://crt.sh/?d=7044185765> - SHA-256 Certificate Fingerprint: 193144F431E0FDDB740717D4DE926A571133884B4360D30E272913CBE660CE41 - Intended use cases served/EKUs: - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1 - Test websites: - Valid: https://ev-rsa-tls-2022-1-valid-cert-demo.swisssign.com - Revoked: https://ev-rsa-tls-2022-1-revoked-cert-demo.swisssign.com - Expired: https://ev-rsa-tls-2022-1-expired-cert-demo.swisssign.com - DV Automation: https://dv-rsa-tls-2022-valid-cert-demo.swisssign.com - OV Automation: https://ov-rsa-tls-2022-valid-cert-demo.swisssign.com - EV Automation: https://ev-rsa-tls-2022-valid-cert-demo.swisssign.com Existing Publicly Trusted Root CAs from SwissSign: 1. SwissSign Gold CA - G2: - Certificate download links: (CA Repository <https://swisssign.net/cgi-bin/authority/download/5B257B96A465517EB839F3C078665EE83AE7F0EE.pem> / crt.sh <https://crt.sh/?d=1221>) - SHA-256 Certificate Fingerprint: 62DD0BE9B9F50A163EA0F8E75C053B1ECA57EA55C8688F647C6881F2C8357B95 - Trust Bits/EKUs: - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1 - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4 - Client Authentication 1.3.6.1.5.5.7.3.2 - Certificate corpus: (legacy Censys Search <https://search.censys.io/search?resource=certificates&q=62DD0BE9B9F50A163EA0F8E75C053B1ECA57EA55C8688F647C6881F2C8357B95%09+and+labels%3Dever-trusted> login required) (new Censys Platform <https://platform.censys.io/search?q=%28cert.labels+%3D+%22ever-trusted%22%29+and+cert.parsed.issuer.organization+%3D+%22TrustAsia+Technologies%2C+Inc.%22> login required and free accounts may be limited) - Included in: Apple, Google, Microsoft, Mozilla 2. SwissSign Silver CA - G2: - Certificate download links: (CA Repository <https://swisssign.net/cgi-bin/authority/download/17A0CDC1E441B63A5B3BCB459DBD1CC298FA8658.pem> / crt.sh <https://crt.sh/?d=2953>) - SHA-256 Certificate Fingerprint: BE6C4DA2BBB9BA59B6F3939768374246C3C005993FA98F020D1DEDBED48A81D5 - Trust Bits/EKUs: - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1 - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4 - Client Authentication 1.3.6.1.5.5.7.3.2 - Certificate corpus: (legacy Censys Search <https://search.censys.io/search?resource=certificates&q=BE6C4DA2BBB9BA59B6F3939768374246C3C005993FA98F020D1DEDBED48A81D5%09+and+labels%3Dever-trusted> login required) (new Censys Platform <https://platform.censys.io/search?q=%28cert.labels+%3D+%22ever-trusted%22%29+and+cert.parsed.issuer.organization+%3D+%22TrustAsia+Technologies%2C+Inc.%22> login required and free accounts may be limited) - Included in: Apple, Microsoft Relevant Policy and Practices Documentation: - TSPS: https://repository.swisssign.com/SwissSign_TSPS.pdf - TLS CPS: https://repository.swisssign.com/SwissSign_CPS_TLS.pdf - S/MIME CPS: https://repository.swisssign.com/SwissSign_CPS_SMIME.pdf - Other Documents: https://www.swisssign.com/en/support/repository.html Most Recent Self-Assessment: - https://repository.swisssign.com/CCADB_Self_Assessment.xlsx Audit Statements: - Auditor: TÜV Austria - Audit Criteria: ETSI - Recent Audit Statement(s): - TLS Root Key Generation <https://it-tuv.com/wp-content/uploads/2022/07/AA2022070101_SwissSign_PIT_Root_TLS_2022_Audit_Attestation.pdf> (June 28, 2022) - S/MIME Root Key Generation <https://it-tuv.com/wp-content/uploads/2022/07/AA2022070102_SwissSign_PIT_Root_SMIME_2022_Audit_Attestation.pdf> (June 28, 2022) - Standard Audit <https://it-tuv.com/wp-content/uploads/2024/09/AA2024090401_SwissSign_Standard_Audit_V1.0.pdf> (Period: June 17, 2023, to June 14, 2024) - TLS BR Audit <https://it-tuv.com/en/wp-content/uploads/sites/10/2024/09/AA2024090402_SwissSign_TLS-BR_Audit_V2.0.pdf> (Period: June 17, 2023, to June 14, 2024) - TLS EVG Audit <https://it-tuv.com/wp-content/uploads/2024/09/AA2024090403_SwissSign_TLS-EV_Audit_V1.0.pdf> (Period: June 17, 2023, to June 14, 2024) - S/MIME BR Audit <https://it-tuv.com/en/wp-content/uploads/sites/10/2024/09/AA2024090404_SwissSign_SMIME-BR_Audit_V2.0.pdf> (Period: June 17, 2023, to June 14, 2024) Incident Summary (Bugzilla incidents from previous 24 months): Audit Finding - 1921424 <https://bugzilla.mozilla.org/show_bug.cgi?id=1921424> Findings in 2024 Audit <https://bugzilla.mozilla.org/show_bug.cgi?id=1921424> TLS Misissuance - 1894054 <https://bugzilla.mozilla.org/show_bug.cgi?id=1894054> MPKI step-up process sets wrong JoI Locality <https://bugzilla.mozilla.org/show_bug.cgi?id=1894054> - 1876771 <https://bugzilla.mozilla.org/show_bug.cgi?id=1876771> modified fields were not saved into certificates and resulted in miss-issuance <https://bugzilla.mozilla.org/show_bug.cgi?id=1876771> - 1874196 <https://bugzilla.mozilla.org/show_bug.cgi?id=1874196> difference in upper and lower case between CN field and SAN <https://bugzilla.mozilla.org/show_bug.cgi?id=1874196> - 1916489 <https://bugzilla.mozilla.org/show_bug.cgi?id=1916489> LDAP URL still in CRL distribution point (CDP) <https://bugzilla.mozilla.org/show_bug.cgi?id=1916489> - 1866091 <https://bugzilla.mozilla.org/show_bug.cgi?id=1866091> EV JurisdictionStateOrProvinceName - one certificate not selected for revocation <https://bugzilla.mozilla.org/show_bug.cgi?id=1866091> - 1860750 <https://bugzilla.mozilla.org/show_bug.cgi?id=1860750> EV code in JurisdiktionStateOrProvinceName <https://bugzilla.mozilla.org/show_bug.cgi?id=1860750> S/MIME Misissuance - 1914023 <https://bugzilla.mozilla.org/show_bug.cgi?id=1914023> S/MIME LCP not-permitted key usage <https://bugzilla.mozilla.org/show_bug.cgi?id=1914023> - 1914020 <https://bugzilla.mozilla.org/show_bug.cgi?id=1914020> S/MIME NCP non ASCII symbols in email and SAN field wrong coding <https://bugzilla.mozilla.org/show_bug.cgi?id=1914020> - 1851164 <https://bugzilla.mozilla.org/show_bug.cgi?id=1851164> S/MIME wrong key Usage <https://bugzilla.mozilla.org/show_bug.cgi?id=1851164> - 1848854 <https://bugzilla.mozilla.org/show_bug.cgi?id=1848854> S/MIME LCP: CN with values other than email address <https://bugzilla.mozilla.org/show_bug.cgi?id=1848854> - 1929189 <https://bugzilla.mozilla.org/show_bug.cgi?id=1929189> S/MIME certificates deviate from CPR <https://bugzilla.mozilla.org/show_bug.cgi?id=1929189> Revocation Delay - 1861682 <https://bugzilla.mozilla.org/show_bug.cgi?id=1861682> EV delayed revocation <https://bugzilla.mozilla.org/show_bug.cgi?id=1861682> - 1849364 <https://bugzilla.mozilla.org/show_bug.cgi?id=1849364> Missed revocation and opening Bugzilla <https://bugzilla.mozilla.org/show_bug.cgi?id=1849364> Thank you, Ben, on behalf of the CCADB Steering Committee -- You received this message because you are subscribed to the Google Groups "CCADB Public" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/ccadb.org/d/msgid/public/CA%2B1gtaaE52R9YPAgHzn2A-sU%3DeDp1ivRQshp4CV2NFbBsHbpAA%40mail.gmail.com.
