This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process for the Certum Trusted Root CA and the Certum EC-384 CA. See https://wiki.mozilla.org/CA/Application_Process#Process_Overview, (Steps 4 through 9).
These two (2) new root CA certificates were created in 2018 and
are valid until 2043. They are proposed for inclusion with the email trust bit, the
websites bit, and EV enabled.
The root CAs are run by an existing CA operator in the Mozilla Root Program - Asseco Data Services (“Asseco”), part of the Asseco Group.
Asseco's CA inclusion application has been tracked in the CCADB and in Bugzilla–
Mozilla is considering approving Asseco’s request. This email begins the 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).
Root Certificate Information:
Certum Trusted Root CA
Download - http://repository.certum.pl/ctrca.pem
Certum EC-384 CA
Download - https://repository.certum.pl/cec384ca.pem
Current CP is Version 4.5, dated 19-Feb-2020.
Current CPS is Version 6.9, dated 21-December-2020.
My review comments to CPS version 6.9 can be found here: https://bugzilla.mozilla.org/show_bug.cgi?id=1598577#c14.
Document repository location(s):
Asseco's BR Self-Assessment (PDF) is located here:
Asseco received favorable WebTrust audits (Standard, Baseline, and EV) from Ernst & Young sp. z o.o. (E&Y). These were issued on May 18, 2020. Asseco’s most recently ended audit period ended on February 10, 2021, and Asseco expects to receive audit letters for that audit period sometime in April 2021.
For your review, past incidents filed between 2018-2020, now closed, involving Asseco include the following:
1433118 Certificate with compromised private key not revoked
1435770 Non-BR-Compliant Issuance - Debian Weak Keys
1451228 EV certificate mis-issue
1495518 Unallowed key usage for EC public key (Key Encipherment)
1511459 Corrupted certificates
1518560 Use of forbidden subjectPublicKeyInfo algorithm
1524195 Invalid dnsNames
1550575 commonName not from subjectAltName entries
1566586 Overdue Audit Statements 2019
1567062 Inconsistent disclosure of externally-operated intermediate
1598277 CA certificates not listed in audit report
1600158 Failure to revoke intermediate certificates within the BR time period
1600301 EV Certificates issued with wrong Business Category
1611458 Invalid value in SAN dNSName
1639502 Incorrect OCSP response encoding
1667684 Failure to provide a preliminary report within 24 hours.
1667986 Invalid stateOrProvinceName field
1668523 Failure to revoke within 5 days
These CAs, and their associated test certificates, were checked for revocation processing, misissuances, and EV compatibility, and they passed those tests.
Thus, this email begins a three-week public discussion period, which I’m scheduling to close on or about Wednesday, 14-April-2021.
A representative of Asseco must promptly respond directly in the discussion thread to all questions that are posted.
Mozilla Root Program
On March 22, 2021, we began the public discussion period [Step 4 of the Mozilla Root Store CA Application Process] on Asseco’s request to include the Certum Trusted Root CA (RSA) and the Certum EC-384 CA (ECC) in the root store. See https://groups.google.com/g/mozilla.dev.security.policy/c/_A7OX4Tz65k/m/S0CWpqMPAwAJ, reposted here https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/1VjzYhp_ykc/m/w6i22HTVBQAJ). The 3-week comment period has now passed, and I do not believe there are any issues to summarize or open action items for Asseco to complete.
This is notice that I am closing the public discussion period [Step 9] and that it is Mozilla’s intent to approve Asseco’s request for inclusion [Step 10].
This begins a 7-day “last call” period (through April 22, 2021) for any final objections.