
Public Discussion of SECOM Externally-Operated S/MIME CA


Ben Wilson

Dec 18, 2024, 2:09:06 PM
to public

All,

This email commences a public discussion period that will run through Friday, January 10, 2025. This is regarding the issuance of S/MIME certificates by Cybertrust Japan (CTJ) under an externally-operated subordinate CA issued by SECOM (see Mozilla Root Store Policy, Section 8.4).  

Both SECOM and CTJ are included as CA owners/operators in one or more root stores, but CTJ does not currently have any of its own root certificates enabled for S/MIME issuance. (In the new year, we will commence a 6-week discussion period for the CTJ SecureSign Root CA16, which CTJ has submitted for inclusion as a root certificate for S/MIME issuance.) 

The purpose of this public discussion is to promote openness and transparency. Each Root Store makes its inclusion decisions independently, on its own timelines, and based on its own inclusion criteria. Successful completion of this public discussion process does not guarantee any favorable action by any root store.

Anyone with concerns or questions is urged to raise them on this CCADB Public list by replying directly to this discussion thread. Representatives of SECOM or CTJ, as the case may be, will respond directly in this thread to all questions that are posted.  However, please note that due to internationally-recognized holidays, some responses may be delayed.


Request Details:

Bugzilla Case Number: #1933132 - SECOM’s Request re: Cybertrust Japan SureMail CA G5

(Note that signing/issuance of the external Sub CA can occur before completion of public discussion and root store approval, as long as the external Sub CA does not issue end entity certificates.)


Organization Background:

  • Owner/Operator of External Sub-CA:  Cybertrust Japan Co., Ltd.
  • Website: https://www.cybertrust.co.jp/
  • Address: ARK Hills Sengokuyama Mori Tower 35F, 1-9-10 Roppongi, Minato-ku, Tokyo, 106-0032
  • Problem Reporting Mechanisms:  evc-r...@cybertrust.ne.jp
  • Organization Type: Private Corporation
  • Repository URL (Cybertrust Japan SureMail CA G5 (SECOM Subordinate CA)):

https://www.cybertrust.ne.jp/ssl/repository/


Certificate Requested for Approval:

Cybertrust Japan SureMail CA G5 (SECOM Subordinate CA):

Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4


Existing Publicly Trusted CAs from SECOM and CTJ:

SECOM and CTJ already have several root CAs included in root stores. The requested subordinate CA represents CTJ’s efforts to realize S/MIME issuance capabilities. SECOM confirms that it has reviewed and validated CTJ’s policy and audit documentation.


Relevant Policy and Practices Documentation:

  • CTJ S/MIME Certificate Policy (CP)

https://www.cybertrust.ne.jp/ssl/repository/SMCP_English.pdf

  • CTJ Certification Practice Statement (CPS):
https://www.cybertrust.ne.jp/ssl/repository/CTJCPS_English.pdf (Version 1.10)


Most Recent Self-Assessments:

  • Cybertrust Japan SureMail CA G5 (SECOM Subordinate CA):

 Assessment of CTJ in Bugzilla Attachment #9439634 (.xlsx) (completed Sept. 24, 2024)


Audit Statements:

  • Auditor: KPMG
  • Audit Criteria: WebTrust
  • Recent Audit Statements:  

    https://bugzilla.mozilla.org/attachment.cgi?id=9439632


Incident Summary:

SECOM has previously reported two incidents in Bugzilla related to CTJ. In both cases, SECOM and CTJ worked together promptly to investigate and address the issues, taking swift action, and successfully closing them.

 

Also, please let me know if you have any questions concerning this process.


Thank you,


Ben Wilson

Jeremy Rowley

Dec 20, 2024, 11:05:43 AM
to CCADB Public, Ben Wilson
Hi Ben - one idea is to require all externally operated ICAs to use a linter, even for SMIME. Although CTJ is a well-known industry entity, I don't think it hurts to require them to pre-lint all SMIME certs before issuing using something like pkilint or adding metalint.

masaru....@cybertrust.co.jp

Dec 21, 2024, 3:53:49 AM
to rowl...@gmail.com, pub...@ccadb.org, bwi...@mozilla.com

Replying from Cybertrust Japan.

 

Jeremy,
Thank you for your comment. We are going to use pkilint and zlint for pre-issuance lint testing for CA G5, which is the scope of this public discussion, when we start issuing subscriber certificates. In fact, we are using those linters for G4, which is also an S/MIME CA and has been issuing production EE certificates.

 

Best regards,

Mo (Masar)




Ben Wilson

Jan 9, 2025, 2:31:41 PM
to CCADB Public
Just a reminder that the public discussion period for this closes tomorrow.

Ben Wilson

Jan 14, 2025, 4:17:45 PM
to CCADB Public

On December 18, 2024, we began a public discussion period regarding the issuance of S/MIME certificates by Cybertrust Japan (CTJ) under an externally-operated subordinate CA issued by SECOM, as detailed in Bugzilla Case #1933132. This discussion concluded on January 10, 2025.

Summary of Discussion

Discussion Item #1: Use of Linters for Pre-Issuance Testing

Jeremy Rowley suggested that all externally operated ICAs be required to use pre-issuance linting tools, such as pkilint or metalint, for S/MIME certificates to ensure compliance.

Masaru Sakamoto, representing Cybertrust Japan, confirmed that they will use pkilint and zlint for pre-issuance linting for Cybertrust Japan SureMail CA G5. He also shared that they already use these linters for their existing S/MIME CA, G4, which has issued production end-entity certificates.

No additional comments or objections were raised during the discussion period.

Next Steps

We thank you for your review, comments, and participation during this public discussion period. Root Store Programs will independently make further decisions based on their respective policies, timelines, and criteria. Any further discussion may occur in independently managed Root Store community forums, such as MDSP.

Thank you,

Ben Wilson


