All,
This email commences a six-week public discussion of Sectigo’s request to include the following four (4) certificates as publicly trusted root certificates in one or more CCADB Root Store Members’ programs. This discussion period is scheduled to close on June 5, 2023.
The purpose of this public discussion process is to promote openness and transparency. However, each Root Store makes its inclusion decisions independently, on its own timelines, and based on its own inclusion criteria. Successful completion of this public discussion process does not guarantee any favorable action by any root store.
Anyone with concerns or questions is urged to raise them on this CCADB Public list by replying directly in this discussion thread. Likewise, a representative of the applicant must promptly respond directly in the discussion thread to all questions that are posted.
CCADB Case Number: 00001215
Organization Background Information (listed in CCADB):
  CA Owner Name: Sectigo
  Website: https://sectigo.com/
  Address: 5 Becker Farm Road, Roseland, New Jersey, United States of America, 07068
  Problem Reporting Mechanisms:
    To revoke one or more certificates issued by Sectigo for which you (i) are the Subscriber or (ii) control the domain or (iii) have in your possession the private key, you may use our automated Revocation Portal here: https://secure.sectigo.com/products/RevocationPortal
    To programmatically revoke one or more certificates issued by Sectigo for which you have in your possession the private key, you may use the ACME revokeCert method at this endpoint:
      ACME Directory: https://acme.sectigo.com/v2/keyCompromise
      revokeCert API: https://acme.sectigo.com/v2/keyCompromise/revokeCert
    To report any other abuse, fraudulent, or malicious use of Certificates issued by Sectigo, please send email to:
      For Code Signing Certificates: signedmal...@sectigo.com
      For Other Certificates (SSL/TLS, S/MIME, etc.): ssla...@sectigo.com
  Organization Type: Private Corporation
  Repository URL: https://sectigo.com/legal
Certificates Requested for Inclusion:
  Sectigo Public Email Protection Root E46 (included in case 00001215):
    Certificate download links: (CA Repository, crt.sh)
    Use cases served/EKUs:
      Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
      Client Authentication 1.3.6.1.5.5.7.3.2
    Test websites: N/A
  Sectigo Public Email Protection Root R46 (included in case 00001215):
    Certificate download links: (CA Repository, crt.sh)
    Use cases served/EKUs:
      Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
      Client Authentication 1.3.6.1.5.5.7.3.2
    Test websites: N/A
  Sectigo Public Server Authentication Root E46 (included in case 00001215):
    Certificate download links: (CA Repository, crt.sh)
    Use cases served/EKUs:
      Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
      Client Authentication 1.3.6.1.5.5.7.3.2
    Test websites:
  Sectigo Public Server Authentication Root R46 (included in case 00001215):
    Certificate download links: (CA Repository, crt.sh)
    Use cases served/EKUs:
      Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
      Client Authentication 1.3.6.1.5.5.7.3.2
    Test websites:
Existing Publicly Trusted Root CAs from Sectigo:
  AAA Certificate Services:
    Certificate download links: (CA Repository, crt.sh)
    Use cases served/EKUs:
      Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
      Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
      Client Authentication 1.3.6.1.5.5.7.3.2
      Code Signing 1.3.6.1.5.5.7.3.3
      Encrypting File System 1.3.6.1.4.1.311.10.3.4
      IP Security 1.3.6.1.5.5.7.3.5
      Time Stamping 1.3.6.1.5.5.7.3.8
    Certificate corpus: here (Censys login required)
    Included in: Apple, Chrome, Microsoft, and Mozilla
  USERTrust ECC Certification Authority:
    Certificate download links: (CA Repository, crt.sh)
    Use cases served/EKUs:
      Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
      Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
      Client Authentication 1.3.6.1.5.5.7.3.2
      Code Signing 1.3.6.1.5.5.7.3.3
      Encrypting File System 1.3.6.1.4.1.311.10.3.4
      IP Security 1.3.6.1.5.5.7.3.5
      Time Stamping 1.3.6.1.5.5.7.3.8
    Certificate corpus: here (Censys login required)
    Included in: Apple, Chrome, Microsoft, and Mozilla
  USERTrust RSA Certification Authority:
    Certificate download links: (CA Repository, crt.sh)
    Use cases served/EKUs:
      Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
      Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
      Client Authentication 1.3.6.1.5.5.7.3.2
      Code Signing 1.3.6.1.5.5.7.3.3
      Document Signing AATL 1.2.840.113583.1.1.5
      Document Signing MS 1.3.6.1.4.1.311.10.3.12
      Encrypting File System 1.3.6.1.4.1.311.10.3.4
      IP Security 1.3.6.1.5.5.7.3.5
      Time Stamping 1.3.6.1.5.5.7.3.8
    Certificate corpus: here (Censys login required)
    Included in: Apple, Chrome, Microsoft, and Mozilla
  COMODO Certification Authority:
    Certificate download links: (CA Repository, CA Repository*, crt.sh, crt.sh*)
    Use cases served/EKUs:
      Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
      Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
      Client Authentication 1.3.6.1.5.5.7.3.2
      Code Signing 1.3.6.1.5.5.7.3.3
      Encrypting File System 1.3.6.1.4.1.311.10.3.4
      IP Security 1.3.6.1.5.5.7.3.5
      Time Stamping 1.3.6.1.5.5.7.3.8
    Certificate corpus: here (Censys login required)
    Included in: Apple, Chrome*, Microsoft*, and Mozilla
    Note (*): This CA is represented in two self-signed certificates. A modification was performed in 2011 to remove the ‘CRL Distribution Points’ extension from the original certificate issued in 2006.
  COMODO ECC Certification Authority:
    Certificate download links: (CA Repository, crt.sh)
    Use cases served/EKUs:
      Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
      Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
      Client Authentication 1.3.6.1.5.5.7.3.2
      Code Signing 1.3.6.1.5.5.7.3.3
      Encrypting File System 1.3.6.1.4.1.311.10.3.4
      IP Security 1.3.6.1.5.5.7.3.5
    Certificate corpus: here (Censys login required)
    Included in: Apple, Chrome, Microsoft, and Mozilla
  COMODO RSA Certification Authority:
    Certificate download links: (CA Repository, crt.sh)
    Use cases served/EKUs:
      Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
      Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
      Client Authentication 1.3.6.1.5.5.7.3.2
      Code Signing 1.3.6.1.5.5.7.3.3
      Encrypting File System 1.3.6.1.4.1.311.10.3.4
      IP Security 1.3.6.1.5.5.7.3.5
      Time Stamping 1.3.6.1.5.5.7.3.8
    Certificate corpus: here (Censys login required)
    Included in: Apple, Chrome, Microsoft, and Mozilla
Relevant Policy and Practices Documentation:
  The following apply to all four (4) applicant root CAs:
Most Recent Self-Assessment:
  The following apply to all four (4) applicant root CAs:
  https://bugzilla.mozilla.org/show_bug.cgi?id=1793836 (completed 12/27/2022)
Audit Statements:
  Auditor: BDO International Limited (enrolled through WebTrust)
  Audit Criteria: WebTrust
  Date of Audit Issuance: 6/27/2022
  For Period Ending: 3/31/2022
  Audit Statement(s):
    Standard Audit (covers all four (4) applicant root CAs)
    BR (SSL) Audit (covers all four (4) applicant root CAs)
    EV SSL Audit (only covers “Sectigo Public Server Authentication Root E46” and “Sectigo Public Server Authentication Root R46”)
Incident Summary (Bugzilla incidents from previous 24 months):
1708934: Sectigo: Invalid postalCode field
1710243: Sectigo: Invalid stateOrProvinceName
1712120: Sectigo: Inappropriate subject:serialNumber information in EV certificates obtained through ACME
1712188: Sectigo: test certificates issued from trusted CA
1714193: Sectigo: Incorrect locality information
1714628: Sectigo: Forbidden Domain Validation Method
1715024: Sectigo: Misspellings in stateOrProvince or localityName fields
1715929: Sectigo: Incorrect EV businessCategory
1717046: Sectigo: potentially invalid organizational validation certificates
1718579: Sectigo: "Manual DCV" method used
1718771: Sectigo: DCV Reuse after 825 days
1718785: Sectigo: 2020 failure to respond to abuse report discovered
1720744: Sectigo: State name in localityName
1721271: Sectigo: Missing registration numbers in EV certificates
1723263: Sectigo: IP Address Domain Validation Failure
1724458: Sectigo: Mojibake in certificate Subject fields
1724476: Updates for Sectigo’s Guard Rails project
1732484: Sectigo: Truncated registration numbers in EV certificates
1735761: Sectigo: CRL validity beyond CPS allowed value
1736064: Sectigo: Subject field with unvalidated information included in certificates
1740493: Sectigo: Failure to block disallowed LDH labels in domain names
1741026: Sectigo: Incorrect JOI for federal credit unions
1741777: Sectigo: OCSP responses directly signed using root certificates without KU=digitalSignature
1747915: Sectigo: Incorrect JOI Country value
1756847: Sectigo: SC45 DCV Reuse Error
1763203: Sectigo: Incorrect OCSP responses
1782356: Sectigo: Misspelled city name in localityName field
1793787: Sectigo: Non-existent hostname in CDP and AIA URLs
1793789: Sectigo: Incorrect JOI
1796803: Sectigo: Issuance of ECC leaf certificates with non-DER encoded keyUsage
1800756: Sectigo: Failure to revoke ECC certificates with non-DER encoded keyUsage within 5 days
1812336: Sectigo: Late CCADB update after CPS update
1813989: Sectigo: Incomplete Subject organizationName
1818073: Sectigo: Late revocation for incomplete Subject organizationName
1823723: Sectigo: Incomplete Subscriber Agreement provisions
Thank you,
Chris, on behalf of the CCADB Steering Committee

On April 24, 2023, we began a six-week public discussion[1] on the request from Sectigo for inclusion of its root certificate(s):
The public discussion period has now ended.
We did not receive any objections or other questions or comments in opposition to Sectigo’s request. We thank the community for its review and consideration during this period. Root Store Programs will make final inclusion decisions independently, on their own timelines, and based on each Root Store Member’s inclusion criteria. Further discussion may take place in the independently managed Root Store community forums (i.e., MDSP).
[1] https://groups.google.com/a/ccadb.org/g/public/c/1sKKdixUyFs/m/crM2RJTsAgAJ