Public Discussion of Asseco's Root Inclusion Request

Skip to first unread message

Ben Wilson

Apr 7, 2021, 3:50:08 PMApr 7
Reposting to this dev-security-policy list.

---------- Forwarded message ---------
From: Ben Wilson <>
Date: Mon, Mar 22, 2021 at 10:35 PM
Subject: Public Discussion of Asseco's Root Inclusion Request
To: mozilla-dev-security-policy <>

Dear All,

This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process for the Certum Trusted Root CA and the Certum EC-384 CA.  See, (Steps 4 through 9).

These two (2) new root CA certificates were created in 2018 and are valid until 2043. They are proposed for inclusion with the email trust bit, the websites bit, and EV enabled.

The root CAs are run by an existing CA operator in the Mozilla Root Program - Asseco Data Services (“Asseco”), part of the Asseco Group.

Asseco's CA inclusion application has been tracked in the CCADB and in Bugzilla–

Mozilla is considering approving Asseco’s request. This email begins the 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).

Root Certificate Information:

Certum Trusted Root CA –

Download -

Certum EC-384 CA –

Download -


Current CP is Version 4.5, dated 19-Feb-2020.

Current CPS is Version 6.9, dated 21-December-2020.

My review comments to CPS version 6.9 can be found here:


Document repository location(s):

Asseco's BR Self-Assessment (PDF) is located here:


Asseco received favorable WebTrust audits (Standard, Baseline, and EV) from Ernst & Young sp. z o.o. (E&Y).  These were issued on May 18, 2020.  Asseco’s most recently ended audit period ended on February 10, 2021, and Asseco expects to receive audit letters for that audit period sometime in April 2021. 


For your review, past incidents filed between 2018-2020, now closed, involving Asseco include the following:

1433118             Certificate with compromised private key not revoked

1435770             Non-BR-Compliant Issuance - Debian Weak Keys

1451228             EV certificate mis-issue

1495518             Unallowed key usage for EC public key (Key Encipherment)

1511459             Corrupted certificates

1518560             Use of forbidden subjectPublicKeyInfo algorithm

1524195             Invalid dnsNames

1550575             commonName not from subjectAltName entries

1566586             Overdue Audit Statements 2019

1567062             Inconsistent disclosure of externally-operated intermediate

1598277             CA certificates not listed in audit report

1600158             Failure to revoke intermediate certificates within the BR time period

1600301             EV Certificates issued with wrong Business Category

1611458             Invalid value in SAN dNSName

1639502             Incorrect OCSP response encoding

1667684             Failure to provide a preliminary report within 24 hours.

1667986             Invalid stateOrProvinceName field

1668523             Failure to revoke within 5 days


Test Results:

These CAs, and their associated test certificates, were checked for revocation processing, misissuances, and EV compatibility, and they passed those tests.

Thus, this email begins a three-week public discussion period, which I’m scheduling to close on or about Wednesday, 14-April-2021.


A representative of Asseco must promptly respond directly in the discussion thread to all questions that are posted.


Sincerely yours,

Ben Wilson

Mozilla Root Program

Ben Wilson

Apr 15, 2021, 3:57:23 PMApr 15

Hi All,

On March 22, 2021, we began the public discussion period [Step 4 of the Mozilla Root Store CA Application Process] on Asseco’s request to include the Certum Trusted Root CA (RSA) and the Certum EC-384 CA (ECC) in the root store. See, reposted here  The 3-week comment period has now passed, and I do not believe there are any issues to summarize or open action items for Asseco to complete. 

This is notice that I am closing the public discussion period [Step 9] and that it is Mozilla’s intent to approve Asseco’s request for inclusion [Step 10].  

This begins a 7-day “last call” period (through April 22, 2021) for any final objections.



Reply all
Reply to author
0 new messages