Public Discussion of D-Trust CA Inclusion Request

[Ben Wilson]

All,

This email commences a six-week public discussion of D-Trust’s request to include the following CA certificates as publicly trusted root certificates in one or more CCADB Root Store Member’s program. This discussion period is scheduled to close on December 15, 2023.

The purpose of this public discussion process is to promote openness and transparency. However, each Root Store makes its inclusion decisions independently, on its own timelines, and based on its own inclusion criteria. Successful completion of this public discussion process does not guarantee any favorable action by any root store.  

Anyone with concerns or questions is urged to raise them on this CCADB Public list by replying directly in this discussion thread. Likewise, a representative of the applicant must promptly respond directly in the discussion thread to all questions that are posted.

CCADB Case Numbers:   # 1000 and # 1001

Organization Background Information (listed in CCADB):

• CA Owner Name: D-Trust GmbH

• Website:  https://www.d-trust.net/en 

• Address:  Kommandantenstr. 15, Berlin, 10969, Germany

• Problem Reporting Mechanisms:

• https://www.d-trust.net/en/support/reporting-certificate-problem

• Organization Type: D-Trust GmbH is a subsidiary of the Bundesdruckerei Group GmbH (bdr) and is fully owned by the German State.

• Repository URL:  https://www.bundesdruckerei.de/en/Repository

Certificates Requested for Inclusion:

1. D-Trust SBR Root CA 1 2022:

• 384-bit ECC

• Certificate download links: (CA Repository, crt.sh)

• Use cases served/EKUs: 

• Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4

• Client Authentication 1.3.6.1.5.5.7.3.2

• Document Signing AATL 1.2.840.113583.1.1.5

• Document Signing MS 1.3.6.1.4.1.311.10.3.12

2. D-Trust SBR Root CA 2 2022:

• 4096-bit RSA

• Certificate download links: (CA Repository, crt.sh)

• Use cases served/EKUs: 

• Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4

• Client Authentication 1.3.6.1.5.5.7.3.2

• Document Signing AATL 1.2.840.113583.1.1.5

• Document Signing MS 1.3.6.1.4.1.311.10.3.12

Relevant Policy and Practices Documentation: 

• Certificate Policy - CP of D-Trust GmbH, v.5.1, valid from 28-Sept-2023

• Trust Services Practice Statement - TSPS of D-Trust, v.1.8, valid from 28-Sept-2023

• Certification Practice Statement - CPS of the D-Trust Root PKI, v.3.10, valid from 31-May-2023

Most Recent Self-Assessment / CPS Review:

• D-Trust - CCADB Self Assessment (v1.2) 2023 (XLS) (2-November-2023)

Audit Statements:

• Auditor: TÜV Informationstechnik GmbH

• Audit Criteria:  

• ETSI EN 319 411-1, V1.3.1 (2021-05)

• ETSI EN 319 401, V2.3.1 (2021-05)

• Baseline Requirements, version 1.8.4

• ETSI EN 319 403 V2.2.2 (2015-08)

• ETSI TS 119 403-2 V1.2.4 (2020-11)

• Date of Audit Issuance: December 16, 2022

• For Period of Time: 2022-07-06 to 2022-10-07 

• Audit Statement(s):  

• https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2022121606_D-Trust_SBR_Root_CA_1_2022.pdf

• https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2022121607_D-Trust_SBR_Root_CA_2_2022.pdf

Thank you,

Ben, on behalf of the CCADB Steering Committee

[Ben Wilson]

All,

Regarding the D-Trust Certification Practice Statement—instead of referencing the D-Trust Root PKI CPS, it should have referenced the CPS of the D-Trust CSM PKI, v.4.0, valid from 28-September-2023 (https://www.d-trust.net/internet/files/D-TRUST_CSM_PKI_CPS.pdf) (from 19 July 2023, the CSM PKI CPS applies to certificates with policy levels QEVCP-w, QNCP-w, EVCP, OVCP and LCP).

Also, it didn’t mention the following Bugzilla bugs opened in the past 24 months:

1756122	D-TRUST: Wrong key usage (Key Agreement)	RESOLVED	[dv-misissuance]
1793440	D-TRUST: CRL not DER-encoded	RESOLVED	[crl-failure]
1861069	D-Trust: Issuance of 15 DV certificates containing ‘serialNumber’ field within subject	OPEN	[dv-misissuance]
1862082	D-Trust: Delay beyond 5 days in revoking misissued certificate	OPEN	[leaf-revocation-delay]

 

Ben

[Ben Wilson]

Greetings,

This is a reminder that the public discussion period on the inclusion application of D-Trust will close next Friday, December 15, 2023.

Thank you,
Ben Wilson, on behalf of the CCADB Steering Committee

[Ben Wilson]

All,

On November 3, 2023, we began a six-week, public discussion[1] on the following root CA certificates issued by D-Trust:

1. D-Trust SBR Root CA 1 2022:

• 384-bit ECC

• Certificate download links: (CA Repository, crt.sh)

• Use cases served/EKUs: 

• Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4

• Client Authentication 1.3.6.1.5.5.7.3.2

• Document Signing AATL 1.2.840.113583.1.1.5

• Document Signing MS 1.3.6.1.4.1.311.10.3.12

2. D-Trust SBR Root CA 2 2022:

• 4096-bit RSA

• Certificate download links: (CA Repository, crt.sh)

• Use cases served/EKUs: 

• Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4

• Client Authentication 1.3.6.1.5.5.7.3.2

• Document Signing AATL 1.2.840.113583.1.1.5

• Document Signing MS 1.3.6.1.4.1.311.10.3.12

The public discussion period ended last Friday, December 15, 2023.

We did not receive any objections or other questions or comments in opposition to D-Trust’s request. We thank the community for its review and consideration during this period. Root Store Programs will make final inclusion decisions independently, on their own timelines, and based on each Root Store Member’s inclusion criteria. Further discussion may take place in the independently managed Root Store community forums (e.g. MDSP).

Thanks,

Ben Wilson

On behalf of the CCADB Steering Committee

[1] https://groups.google.com/a/ccadb.org/g/public/c/EPVczE_6oCc/m/s90nO9-EBAAJ