All,
This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process (https://wiki.mozilla.org/CA/Application_Process#Process_Overview - Steps 4 through 9) for SECOM Trust Systems’ inclusion request (Bug # 1313982, CCADB Case # 84) for the following two root CA certificates:
Security Communication RootCA3 (websites and email trust bits)
Download – https://repository.secomtrust.net/SC-Root3/SCRoot3ca.cer
crt.sh - https://crt.sh/?sha256=24A55C2AB051442D0617766541239A4AD032D7C55175AA34FFDE2FBC4F5C5294
Security Communication ECC RootCA1 (websites and email trust bits)
Download – https://repository.secomtrust.net/SC-ECC-Root1/SCECCRoot1ca.cer
crt.sh - https://crt.sh/?sha256=E74FBDA55BD564C473A36B441AA799C8A68E077440E8288B9FA1E50E4BBACA11
Mozilla is considering approving SECOM’s request to add these two roots as trust anchors with the websites and email trust bits enabled. SECOM is not seeking enablement for Extended Validation (EV) under the CA/Browser Forum’s EV Guidelines.
Repository: The SECOM document repository is located here: https://repository.secomtrust.net.
Relevant Policy and Practices Documents are as follows:
Security Communication RootCA Subordinate CA Certificate Policy, v. 5.19, dated June 10, 2022,
https://repository.secomtrust.net/SC-Root/SCRootCP1-EN.pdf;
Security Communication RootCA Certification Practice Statement, v. 5.16, dated June 10, 2022,
https://repository.secomtrust.net/SC-Root/SCRootCPS-EN.pdf;
SECOM Passport for Web SR Certification Authority Certificate Policy, v. 3.0, dated June 10, 2022,
https://repo1.secomtrust.net/spcpp/pfw/pfwsr3ca/PfWSRCA-CP-EN.pdf; and
SECOM Digital Certification Infrastructure Certification Practice Statement, v. 2.16, dated June 10, 2022,
https://repo1.secomtrust.net/spcpp/cps/SECOM-CPS-EN.pdf.
Self-Assessments and Mozilla CPS Reviews are located within Bug # 1313982:
CA Compliance Self Assessment_20220704.xlsx
Comment #41 – Mozilla’s CP/CPS Review
CP-CPS_Review-20220704-final.xlsx
Audits: Annual audits have been performed by KPMG in accordance with the WebTrust Principles and Criteria for Certification Authorities. The most recent audits available were published in August 2021 for the period ending June 6, 2021. See
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=ee0fc63f-baa8-47c5-8353-8065ac4afaa5 (Standard WebTrust)
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=2fc14557-e88f-47d7-85ed-33a35a3ce655 (WebTrust Baseline Requirements and Network and Certificate System Security Requirements)
Incidents
Here are the Bugzilla incidents involving SECOM with an "open" status during this past year:
1695786 Unqualified domain name of "sgnwffw001" in SAN extension
1695938 FUJIFILM intermediate not listed in audit statement
1705480 CP/CPS does not clearly specify domain validation methods
1707229 Delayed Revocation of non-technically constrained FUJIFILM Certificates
1717044 CA Certificates Missing from Audit Reports
1735998 Root CRLs exceed maximum validity period by 1 second
1769222 Failed an annual update of Cybertrust Japan (CTJ) CPS
I have no further questions or concerns about SECOM’s inclusion request; however, I urge anyone with concerns or questions to raise them on this list by replying directly in this discussion thread. Likewise, a representative of SECOM must promptly respond directly in the discussion thread to all questions that are posted.
This email begins a 3-week period for public discussion and comment, which I’m scheduling to close on or about July 27, 2022, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).
Sincerely yours,
Ben Wilson
Mozilla Root Program Manager
All,
On July 5, 2022, we began a three-week public discussion[1] on the request from SECOM for inclusion of its two root certificates, the Security Communication RootCA3 and the Security Communication ECC RootCA1 (Step 4 of the Mozilla Root Store CA Application Process[2]).
Summary of Discussion and Completion of Action Items [Application Process, Steps 5-8]:
We did not receive any objections or other questions or comments in opposition to SECOM’s request. I do not believe that there are any action items for SECOM to complete.
Close of Public Discussion and Intent to Approve [Application Process, Steps 9-10]:
This is notice that I am closing public discussion (Application Process, Step 9) and that it is Mozilla’s intent to approve SECOM’s request (Step 10).
This begins a 7-day “last call” period for any final objections.
Thanks,
Ben
[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/d3LIsEHnJkc/m/RJ223GFbAgAJ
[2] https://wiki.mozilla.org/CA/Application_Process#Process_Overview