Intent to Approve Cybertrust / JCSI Japan Root Inclusions

1,312 views
Skip to first unread message

Ben Wilson

unread,
Jul 8, 2024, 11:46:48 AMJul 8
to dev-secur...@mozilla.org
All,

From May 10, 2024, through June 21, 2024, a six-week public discussion was conducted regarding the request from Cybertrust Japan / JCSI for the inclusion of the following root certificates:
  • SecureSign Root CA12
  • SecureSign Root CA14
  • SecureSign Root CA15

https://groups.google.com/a/ccadb.org/g/public/c/4OuyyOD-7ng/m/1ot5MFk4AAAJ

There were no objections, questions, or comments in opposition to the request.

This email is notice that Mozilla intends to approve the inclusion of the above-mentioned root certificates from Cybertrust Japan / JCSI.

This begins a 7-day “last call” period for any final objections. Should there be any further concerns, please share them within this period.

Thanks,

Ben Wilson

Mozilla Root Store Manager


Doug Beattie

unread,
Jul 8, 2024, 3:26:52 PMJul 8
to Ben Wilson, dev-secur...@mozilla.org

Hi Ben,

 

The older 2 roots were well separated with one having server auth and client auth, and the other secure mail and code signing EKS, but the new set of 3 has Server auth in all of them along with a mix of other EKUs. 

 

When do CAs need to start providing dedicated TLS roots?

 

Doug

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZ%3DN0-G52whyR-iMD0jFiSxnBgrufMZMWkPSLfmuX0_MQ%40mail.gmail.com.

Ben Wilson

unread,
Jul 8, 2024, 5:19:08 PMJul 8
to Doug Beattie, dev-secur...@mozilla.org
Hi Doug,
Thanks for the question. I don't think we have set a date, but I'll continue to look into this to see if a date was ever proposed.  In any event, we should open an issue in GitHub to remove this uncertainty. For Cybertrust Japan, I will need to look at the information in Bugzilla and the CCADB, but initially it appears that at least with Chrome they are only seeking inclusion of SecureSign Root CA12 for TLS. For SecureSign Root CA14 and SecureSign Root CA15, I may have missed where they might have already withdrawn one or both of them, but I'll have to read up. Sorry for the confusion.
Please feel free to ask any additional follow-up questions.
Thanks again,
Ben

Doug Beattie

unread,
Jul 10, 2024, 5:39:55 AMJul 10
to Mitsuyoshi Tamura, dev-secur...@mozilla.org, Ben Wilson, dev-secur...@mozilla.org

Hi Tamura-san,


Thank you for your clarification!

 

Doug

 

From: Mitsuyoshi Tamura <mitsuyos...@miraclelinux.com>
Sent: Tuesday, July 9, 2024 10:50 PM
To: dev-secur...@mozilla.org
Cc: Ben Wilson <bwi...@mozilla.com>; dev-secur...@mozilla.org <dev-secur...@mozilla.org>; Doug Beattie <doug.b...@globalsign.com>
Subject: Re: Intent to Approve Cybertrust / JCSI Japan Root Inclusions

 

Greetings,
We are aware of Mozilla's "Recommended Practices," that states that a single-purpose root is preferred.  Among three root CAs that we are requesting, CA 12 has already changed to become a single-purpose root CA.  Regarding CA14 and 15, we will also change for single purpose before start issuing certificates for subscribers.

Best regards,
Mitsuyoshi Tamura
Cybertrust Japan

P.S.
Please allow me to comment by miraclelinux.com domain that our company possess.

202479日火曜日 6:19:08 UTC+9 Ben Wilson:

Mitsuyoshi Tamura

unread,
Jul 10, 2024, 10:06:04 AMJul 10
to dev-secur...@mozilla.org, Ben Wilson, dev-secur...@mozilla.org, Doug Beattie
Greetings,
We are aware of Mozilla's "Recommended Practices," that states that a single-purpose root is preferred.  Among three root CAs that we are requesting, CA 12 has already changed to become a single-purpose root CA.  Regarding CA14 and 15, we will also change for single purpose before start issuing certificates for subscribers.

Best regards,
Mitsuyoshi Tamura
Cybertrust Japan

P.S.
Please allow me to comment by miraclelinux.com domain that our company possess.

2024年7月9日火曜日 6:19:08 UTC+9 Ben Wilson:
Hi Doug,

Ben Wilson

unread,
Jul 10, 2024, 10:09:36 AMJul 10
to Mitsuyoshi Tamura, dev-secur...@mozilla.org, Doug Beattie
Dear Mitsuyoshi,

Thanks for your response. For purposes of Mozilla trust bits - "websites" and "email", could you specify at this time the key purpose for CA14 and CA15?

Ben

Mitsuyoshi Tamura

unread,
Jul 11, 2024, 6:19:57 AMJul 11
to dev-secur...@mozilla.org, Ben Wilson, dev-secur...@mozilla.org, Doug Beattie, Mitsuyoshi Tamura
Dear Ben,

Thank you for your help.
We would like Mozilla to set the key purpose of "websites"  for both CA14 and 15.


Best regards,
Mitsuyoshi Tamura
Cybertrust Japan

2024年7月10日水曜日 23:09:36 UTC+9 Ben Wilson:

Ben Wilson

unread,
Jul 11, 2024, 12:23:32 PMJul 11
to Mitsuyoshi Tamura, dev-secur...@mozilla.org, Doug Beattie
Thanks for reconfirming. I should have noted in my initial post that these three roots are just for the websites trust bit, and I am going to continue to assume that all three will be EV-enabled.
Ben
Reply all
Reply to author
Forward
0 new messages