Public Discussion of Certainly's Root Inclusion Request


Ben Wilson

Apr 4, 2022, 1:17:07 AM
to dev-secur...@mozilla.org

All,

This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process (https://wiki.mozilla.org/CA/Application_Process#Process_Overview - Steps 4 through 9) for an inclusion request filed by Certainly, LLC (Bug # 1727941, CCADB Case # 829) for the following two (2) root CA certificates:

Certainly Root R1 (websites trust bit only)

https://crt.sh/?sha256=77B82CD8644C4305F7ACC5CB156B45675004033D51C60C6202A8E0C33467D3A0

http://root-r1.certainly.com

Certainly Root E1 (websites trust bit only)

https://crt.sh/?sha256=B4585F22E4AC756A4E8612A1361C5D9D031A93FD84FEBB778FA3068B0FC42DC2

http://root-e1.certainly.com/

Certainly is currently the subject of an ongoing public discussion in relation to GoDaddy’s intent to cross-sign two issuing CAs to be operated by Certainly. In that proceeding, Certainly would be an external, third-party operator of non-technically-constrained issuing CAs. In this proceeding, Certainly’s two roots would be added to NSS and Firefox as trust anchors with the websites trust bit and Certainly would be a root CA operator. The information collected and reviewed by GoDaddy, me, and others during the cross-signing application proceeding (Bug #1755851) is useful in considering this root inclusion request, as are comments and information presented in that public discussion (https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/bEnn98Dajzc/m/32NwZHWSAAAJ).

Repository: The Certainly document repository is located here:

https://www.certainly.com/repository/

Relevant Policy and Practices Documentation:

Certificate Policy / Certification Practice Statement, v. 1.3, dated March 1, 2022

https://www.certainly.com/repository/CertainlyCP-CPS.pdf

Self-Assessments and CPS Reviews are located as attachments in the following two (2) bugs:  Bug # 1727941 and Bug # 1755851.  Specifically, https://bugzilla.mozilla.org/attachment.cgi?id=9270636 (review performed by me on 4-Mar-2022) and https://bugzilla.mozilla.org/attachment.cgi?id=9267213 (Certainly’s updated Self-Assessment, dated 9-Mar-2022).

Value-vs-Risk Justification from Certainly - https://bugzilla.mozilla.org/attachment.cgi?id=9270080

Audits:  Point-in-time audits (dated June 30, 2021) were performed by Schellman & Company in accordance with WebTrust Principles and Criteria for Certification Authorities, v. 2.2.1, and WebTrust SSL Baseline with Network Security, v. 2.5.  See https://www.certainly.com/repository/audit/index.html

Incidents

Certainly has no open incidents in Bugzilla.

In the past 12 months, there were two (2) incidents involving Certainly, which are now closed as fixed:

1732745 - Root CRL validity period exceeded maximum stated period by one second

1752452 - TLS Using ALPN TLS Version and OID

I have no further questions or concerns about Certainly’s inclusion request. However, I urge anyone with concerns or questions to raise them on this list by replying directly in this discussion thread. Likewise, a representative of Certainly must promptly respond directly in the discussion thread to all questions that are posted.

This email begins the 3-week comment period, which I’m scheduling to close on or about April 25, 2022, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).

Sincerely yours,

Ben Wilson

Mozilla Root Program Manager

 

Ben Wilson

Apr 26, 2022, 4:35:59 PM
to dev-secur...@mozilla.org

All,

On April 3, 2022, we began a three-week public discussion[1] on the request from Certainly for inclusion of its two root certificates, the Certainly Root R1 and the Certainly Root E1 (Step 4 of the Mozilla Root Store CA Application Process[2]).

Summary of Discussion and Completion of Action Items [Application Process, Steps 5-8]:  

We did not receive any objections or other questions or comments in opposition to Certainly’s request.

I do not believe that there are any action items for Certainly to complete.

Close of Public Discussion and Intent to Approve [Application Process, Steps 9-10]: 

This is notice that I am closing public discussion (Application Process, Step 9) and that it is Mozilla’s intent to approve Certainly’s request (Step 10). 

This begins a 7-day “last call” period for any final objections.

Thanks,

Ben

[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/EhXhiHfWGC8/m/58CH8CMwBgAJ

[2] https://wiki.mozilla.org/CA/Application_Process#Process_Overview
