Public Discussion: Approval of JPRS as an Externally-Operated Subordinate CA under SECOM Root

141 views
Skip to first unread message

Ben Wilson

unread,
Feb 2, 2026, 5:01:49 PM (9 days ago) Feb 2
to dev-secur...@mozilla.org

Greetings,

This message begins a three-week public discussion regarding a request by SECOM Trust Systems CO., LTD. for approval of JPRS as an externally-operated, non-technically-constrained subordinate CA under section 8.4 of Mozilla’s Root Store Policy [1] as well as guidance found in the Mozilla CA wiki [2].

Overview of the Process

When a subordinate CA is operated by a third party and is not technically constrained, Mozilla requires a formal approval process before certificate issuance may begin. This process is intended to ensure that externally-operated subordinate CAs are held to the same level of accountability as approved CA operators, while providing a process with a narrower scope than one for full root inclusion.

Unlike root inclusions, this approval process is not performed on a per-certificate basis but evaluates the qualifications of the subordinate CA operator to issue a specific type of certificate (e.g., TLS, S/MIME, or both), provided that the subordinate CA continues to comply with applicable policies, practices, and audit scope.

Approval under this process does not diminish the responsibility of the root CA operator. As stated in MRSP §8.4, the root CA operator remains fully and ultimately accountable for all certificates issued under its root, including those issued by externally-operated subordinate CAs.

Summary of the Request

  • Root CA Operator: SECOM Trust Systems CO., LTD.
  • Subordinate CA Operator: JPRS (Japan Registry Services Co., Ltd.)
  • Type of CA: Externally-operated subordinate CA
  • Certificate Types: TLS server authentication
  • Purpose: Approval of JPRS, as an entity, to operate as an externally-operated subordinate CA under SECOM’s publicly trusted root, for the issuance of TLS certificates, subject to Mozilla policy.
  • Approval Request in Bugzilla:  Bug # 1941966 [3]

Documentation and Review

The root CA operator (SECOM) has provided the required documentation for this request, both in Bugzilla and the CCADB, beginning with Comment 3 [4] in the bug, including:

1. Identity - Japan Registry Services Co., Ltd (JPRS has operated as a subordinate CA of SECOM for at least 10 years)

2. Website URL - https://jprs.jp/

3. CA Hierarchy

SECOM’s Security Communication RootCA2  

           JPRS Domain Validation Authority - G4

JPRS Organization Validation Authority - G4

SECOM’s Security Communication ECC RootCA1

JPRS DV ECC CA 2024 G1

JPRS OV ECC CA 2024 G1

SECOM TLS RSA Root CA 2024

JPRS DV RSA CA 2024 G1

JPRS OV RSA CA 2024 G1

4. Certificate Profiles [5]

5. CP/CPS (v. 2.10 dated Nov. 28, 2025)

JPRS-CPCPS-en.pdf [6]

JPRS-CPCPS-en.md [7]

6. Audit Information

Standard Webtrust Audit [8]

Baseline Requirements Webtrust Audit [9]

Network Security Webtrust Audit [10]

7.  JPRS’s Self Assessment (v.1.5) dated Aug. 22, 2025 [11]

8.  Value Justification [12]

9.   Additional Information from the CCADB

ACME Directory URLc-n  [13]

DV Automation Test Certificate Website [14]

SECOM has reviewed and verified the completeness and accuracy of the required documentation.

A Mozilla representative has performed an independent review of the subordinate CA’s policy and audit materials.

Public Discussion

This public discussion will remain open for three weeks, concluding on February 23, 2026.

Community members are invited to review the documentation and provide comments, questions, or concerns related to:

  • Compliance with Mozilla Root Store Policy
  • Audit coverage and scope
  • Domain validation practices
  • Risk considerations associated with externally-operated subordinate CAs
  • Any other matters of concern

SECOM and JPRS are expected to monitor this discussion and respond to questions as appropriate.

At the conclusion of the discussion period, Mozilla will:

  • Summarize the discussion and feedback
  • Record an approval or rejection decision in the discussion thread and in Bugzilla
  • Update the CCADB accordingly

If approved, JPRS may operate as an externally-operated subordinate CA under SECOM’s root for the approved certificate type (TLS), subject to continued compliance with Mozilla policy.

Thank you for your participation in this review.

Ben Wilson
Mozilla Root Program 

References:

[1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#84-externally-operated-subordinate-cas

[2] https://wiki.mozilla.org/CA/External_Sub_CAs

[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1941966

[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1941966#c3

[5] https://bugzilla.mozilla.org/attachment.cgi?id=9459795

[6] https://jprs.jp/pubcert/info/repository/JPRS-CPCPS-en.pdf
[7] https://jprs.jp/pubcert/info/repository/JPRS-CPCPS-en.md

[8] https://www.cpacanada.ca/api/getPDFWebTrust?attachmentId=941b8d1b-4c26-40c2-8dab-17159e9f1ac4

[9] https://www.cpacanada.ca/api/getPDFWebTrust?attachmentId=cb5de8d1-f9db-4a6e-a461-9b14361d2e26

[10] https://www.cpacanada.ca/api/getPDFWebTrust?attachmentId=517f0f07-0d89-4114-8970-745cd0ea1688

[11] https://bugzilla.mozilla.org/attachment.cgi?id=9509482

[12] https://bugzilla.mozilla.org/show_bug.cgi?id=1941966#c6

[13] https://acme.amecert.jprs.jp/DV/getDirectory

[14] https://dvrsa2024v.secomtrust-verification.com


Reply all
Reply to author
Forward
0 new messages