Public Discussion of SECOM Trust Systems' Inclusion Request

281 views
Skip to first unread message

Ben Wilson

unread,
Jul 5, 2022, 6:26:45 PM7/5/22
to dev-secur...@mozilla.org

All,

This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process (https://wiki.mozilla.org/CA/Application_Process#Process_Overview - Steps 4 through 9) for SECOM Trust Systems’ inclusion request (Bug # 1313982, CCADB Case # 84) for the following two root CA certificates:

Security Communication RootCA3 (websites and email trust bits)

Download –  https://repository.secomtrust.net/SC-Root3/SCRoot3ca.cer

crt.sh - https://crt.sh/?sha256=24A55C2AB051442D0617766541239A4AD032D7C55175AA34FFDE2FBC4F5C5294

Security Communication ECC RootCA1 (websites and email trust bits)

Download –  https://repository.secomtrust.net/SC-ECC-Root1/SCECCRoot1ca.cer

crt.sh - https://crt.sh/?sha256=E74FBDA55BD564C473A36B441AA799C8A68E077440E8288B9FA1E50E4BBACA11


Mozilla is considering approving SECOM’s request to add these two roots as trust anchors with the websites and email trust bits enabled. SECOM is not seeking enablement for Extended Validation (EV) under the CA/Browser Forum’s EV Guidelines.


Repository: The SECOM document repository is located here: https://repository.secomtrust.net.

Relevant Policy and Practices Documents are as follows:

Security Communication RootCA Subordinate CA Certificate Policy, v. 5.19, dated June 10, 2022,

https://repository.secomtrust.net/SC-Root/SCRootCP1-EN.pdf;

Security Communication RootCA Certification Practice Statement, v. 5.16, dated June 10, 2022,

https://repository.secomtrust.net/SC-Root/SCRootCPS-EN.pdf;

SECOM Passport for Web SR Certification Authority Certificate Policy, v. 3.0, dated June 10, 2022,

https://repo1.secomtrust.net/spcpp/pfw/pfwsr3ca/PfWSRCA-CP-EN.pdf; and

SECOM Digital Certification Infrastructure Certification Practice Statement, v. 2.16, dated June 10, 2022,

https://repo1.secomtrust.net/spcpp/cps/SECOM-CPS-EN.pdf.


Self-Assessments and Mozilla CPS Reviews are located within Bug # 1313982:

CA Compliance Self Assessment_20220704.xlsx

Comment #41 – Mozilla’s CP/CPS Review

CP-CPS_Review-20220704-final.xlsx


Audits:  Annual audits have been performed by KPMG in accordance with the Webtrust Principles and Criteria for Certification Authorities. The most recent audits available were published in August 2021 for the period ending June 6, 2021.  See

https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=ee0fc63f-baa8-47c5-8353-8065ac4afaa5 (Standard Webtrust)

https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=2fc14557-e88f-47d7-85ed-33a35a3ce655 (WebTrust Baseline Requirements and Network and Certificate System Security Requirements)


Incidents

Here are the Bugzilla incidents involving SECOM with an "open" status during this past year:

1695786 Unqualified domain name of "sgnwffw001" in SAN extension

1695938 FUJIFILM intermediate not listed in audit statement

1705480 CP/CPS does not clearly specify domain validation methods

1707229  Delayed Revocation of non-technically constrained FUJIFILM Certificates

1717044  CA Certificates Missing from Audit Reports

1735998  Root CRLs exceed maximum validity period by 1 second

1769222  Failed an annual update of Cybertrust Japan (CTJ) CPS            

   

I have no further questions or concerns about SECOM’s inclusion request; however, I urge anyone with concerns or questions to raise them on this list by replying directly in this discussion thread. Likewise, a representative of SECOM must promptly respond directly in the discussion thread to all questions that are posted.

This email begins a 3-week period for public discussion and comment, which I’m scheduling to close on or about July 27, 2022, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).


Sincerely yours,

Ben Wilson

Mozilla Root Program Manager

Ben Wilson

unread,
Aug 2, 2022, 8:22:19 PM8/2/22
to dev-secur...@mozilla.org

All,

On July 5, 2022, we began a three-week public discussion[1] on the request from SECOM for inclusion of its two root certificates, the Security Communication RootCA3 and the Security Communication ECC RootCA1. (Step 4 of the Mozilla Root Store CA Application Process[2]). 

Summary of Discussion and Completion of Action Items [Application Process, Steps 5-8]:  

We did not receive any objections or other questions or comments in opposition to SECOM’s request. I do not believe that there are any action items for SECOM to complete.

Close of Public Discussion and Intent to Approve [Application Process, Steps 9-10]: 

This is notice that I am closing public discussion (Application Process, Step 9) and that it is Mozilla’s intent to approve SECOM’s request (Step 10). 

This begins a 7-day “last call” period for any final objections.

Thanks,

Ben

[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/d3LIsEHnJkc/m/RJ223GFbAgAJ

[2] https://wiki.mozilla.org/CA/Application_Process#Process_Overview

Reply all
Reply to author
Forward
0 new messages