Public Discussion of D-Trust Root Inclusion Requests

133 views
Skip to first unread message

Ben Wilson

unread,
Jan 6, 2022, 1:55:17 PM1/6/22
to dev-secur...@mozilla.org

D-Trust GmbH, a member of the Bundesdruckerei Group and wholly owned subsidiary of Bundesdruckerei GmbH (“D-Trust”)

This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process (https://wiki.mozilla.org/CA/Application_Process#Process_Overview - Steps 4 through 9) for D-Trust’s inclusion requests for the following two (2) root CA certificates:


D-TRUST BR Root CA 1 2020  

Download - https://www.d-trust.net/cgi-bin/D-TRUST_BR_Root_CA_1_2020.crt

Bugzilla - https://bugzilla.mozilla.org/show_bug.cgi?id=1679256

CCADB - https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000688

crt.sh - https://crt.sh/?id=3699642382

 

D-TRUST EV Root CA 1 2020

Download - https://www.d-trust.net/cgi-bin/D-TRUST_EV_Root_CA_1_2020.crt

Bugzilla - https://bugzilla.mozilla.org/show_bug.cgi?id=1679258

CCADB - https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000689

crt.sh - https://crt.sh/?id=3699645135

 

Mozilla is considering approving D-Trust’s request(s) to add these roots as trust anchors with the websites trust bit enabled (and with EV for the D-TRUST EV Root CA 1 2020).

This email begins the 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).

Repository: The D-Trust repository is located here: https://www.bundesdruckerei.de/en/Repository

Relevant Policy and Practices Documentation:

Trust Service Practice Statement (TSPS), Version 1.3 (2021-10-15): https://www.d-trust.net/internet/files/D-TRUST_TSPS.pdf

CPS of the Certificate Service Manager (CSM CPS), Version 3.5 (2021-12-17): https://www.d-trust.net/internet/files/D-TRUST_CSM_PKI_CPS.pdf

Root CPS, Version 3.5 (2021-10-15): https://www.d-trust.net/internet/files/D-TRUST_Root_PKI_CPS.pdf

Self-Assessments and Mozilla CPS Reviews are located as attachments in Bug #1679258:

D-TRUST_BR_Self_Assessment_D-TRUST_EV_Root_CA_1_2020_final.xlsx

Mozilla Review of D-TRUST Compliance Self-Assessment (xls)

D-TRUST_BR_Self_Assessment_D-TRUST_Mozilla_Review-D-TRUST-Response_Final.xlsx

 

Audits:  Annual audits are performed by TÜV Informationstechnik GmbH. The most recent audits were completed for the period ending October 7, 2021:

https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2021121001_D-TRUST_BR_Root_CA_1_2020.pdf

https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2021121002_D-TRUST_EV_Root_CA_1_2020.pdf

in accordance with:

ETSI EN 319 411-1, V1.2.2 (2018-04)

ETSI EN 319 401, V2.2.1 (2018-04)

ETSI EN 319 403 V2.2.2 (2015-08)

ETSI TS 119 403-2 V1.2.4 (2020-11)

for:

EV SSL Certificate Guidelines, version 1.7.7

Baseline Requirements, version 1.7.9

Incidents

D-Trust has no open incidents in Bugzilla. The last incident (Bug #1691117: Certificate with RSA key where modulus is not divisible by 8) was closed on March 11, 2021.

I have no further questions or concerns about these inclusion requests, however I urge anyone with concerns or questions to raise them on this list by replying directly in this discussion thread. Likewise, a representative of D-Trust must promptly respond directly in the discussion thread to all questions that are posted.

Again, this email begins a three-week public discussion period, which I’m scheduling to close on or about  January 28, 2022.

Sincerely yours,

Ben Wilson

Mozilla Root Program Manager

Ben Wilson

unread,
Jan 31, 2022, 12:15:57 PM1/31/22
to dev-secur...@mozilla.org

On January 6, 2022, we began a three-week public discussion[1] of D-Trust's requests for inclusion of its two root certificates, the D-TRUST BR Root CA 1 2020  and the D-TRUST EV Root CA 1 2020. (Step 4 of the Mozilla Root Store CA Application Process[2]). 

Summary of Discussion and Completion of Action Items [Application Process, Steps 5-8]:  

We did not receive any objections or other questions or comments in opposition to D-Trust’s requests. I do not believe that there are any action items for D-Trust to complete.

Close of Public Discussion and Intent to Approve [Application Process, Steps 9-10]: 

This is notice that I am closing public discussion (Application Process, Step 9) and that it is Mozilla’s intent to approve D-Trust’s requests (Step 10). 

This begins a 7-day “last call” period for any final objections.

Thanks,

Ben

[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/0Ljc_EkPsiQ/m/9XLIROdXBAAJ

[2] https://wiki.mozilla.org/CA/Application_Process#Process_Overview

Reply all
Reply to author
Forward
0 new messages