All,
This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process (https://wiki.mozilla.org/CA/Application_Process#Process_Overview - Steps 4 through 9) for DigiCert’s inclusion request (Bug # 1706228, CCADB Case # 743) for the following root CA certificates:
DigiCert TLS RSA4096 Root G5 (websites trust bit, EV)
Download – https://cacerts.digicert.com/DigiCertRSA4096RootG5.crt.pem
crt.sh - https://crt.sh/?SHA256=371A00DC0533B3721A7EEB40E8419E70799D2B0A0F2C1D80693165F7CEC4AD75
DigiCert TLS ECC P384 Root G5 (websites trust bit, EV)
Download – https://cacerts.digicert.com/DigiCertECCP384RootG5.crt.pem
crt.sh – https://crt.sh/?SHA256=018E13F0772532CF809BD1B17281867283FC48C6E13BE9C69812854A490C1B05
DigiCert SMIME RSA4096 Root G5 (email trust bit)
Download – https://cacerts.digicert.com/DigiCertSMIMERSA4096RootG5.crt.pem
crt.sh - https://crt.sh/?SHA256=90370D3EFA88BF58C30105BA25104A358460A7FA52DFC2011DF233A0F417912A
DigiCert SMIME ECC P384 Root G5 (email trust bit)
Download – https://cacerts.digicert.com/DigiCertSMIMEECCP384RootG5.crt.pem
crt.sh - https://crt.sh/?SHA256=E8E8176536A60CC2C4E10187C3BEFCA20EF263497018F566D5BEA0F94D0C111B
Mozilla is considering approving DigiCert’s request to add these four (4) roots as trust anchors with the trust bits and EV-enabled as indicated above.
Repository: The DigiCert document repository is located here: https://www.digicert.com/legal-repository
Relevant Policy and Practices Documentation:
Certificate Policy, v. 5.9, dated January 21, 2022
https://www.digicert.com/content/dam/digicert/pdfs/legal/digicert-cp-v5-9.pdf
Certification Practices Statement, v. 5.9, dated January 21, 2022
https://www.digicert.com/content/dam/digicert/pdfs/legal/digicert-cps-v5-9.pdf
Self-Assessments and Mozilla CPS Reviews are located as attachments in Bug # 1706228:
Mozilla Review of DigiCert CP/CPS and Compliance Self-Assessment (xls)
DigiCert Replies to CP/CPS Review and Compliance Self-Assessment (xls)
Audits: Annual audits have been performed by BDO. The most recent audits were completed for the period ending September 30, 2021. See https://www.digicert.com/webtrust-audits.
Incidents
DigiCert has no open incidents in Bugzilla. In the past year, there have been five incidents involving DigiCert, which are now closed satisfactorily:
I have no further questions or concerns about DigiCert’s inclusion request; however, I urge anyone with concerns or questions to raise them on this list by replying directly in this discussion thread. Likewise, a representative of DigiCert must promptly respond directly in the discussion thread to all questions that are posted.
This email begins the 3-week comment period, which I’m scheduling to close on or about March 31, 2022, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).
Sincerely yours,
Ben Wilson
Mozilla Root Program Manager
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYXwMGTf4kxr7KhWr5fWd-aiJss4S0rjOz6F4-3wfFGEA%40mail.gmail.com.
Dear Ryan,
Thank you for pointing out your observation, and we have identified the issue to be related to how CCADB is chaining for cross signed roots. All intermediates and roots that are publicly trusted are included in our last WebTrust audit and have the proper CP/CPS pointers in CCADB.
The Root certificates that these hierarchies were cross signed under were our legacy Symantec ones that have been distrusted and an expired root. Unfortunately, CCADB was taking the path to those roots rather than to the trusted root which is correct.
We were following the Mozilla recommended process of having all intermediate and ICAs same as parent for audit and CPS. As this Root was one of the ones distrusted in 2021, it did not get the policy updates in our annual audit submission.
We have discussed the issue with Ben and have used a "re-parenting" process that fixed this chaining issue.
Thank you,
Brenda Bernal on behalf of DigiCert
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAErg%3DHG9YxHBGf9ERxvf%3D3z3ZtfQi8%3DB2JgdAnZZwhmCsZ%3D%3DVg%40mail.gmail.com.
--
Ryan,
We are actively working on getting our new roots trusted. In parallel, we plan to create new ICAs from the G5 Roots this year – that process has already started. By the end of 2022, DigiCert plans to have G5 issued ICA replacements available to our customers.
We have not started building the cross-signs yet from existing roots but we are working on plans for that in parallel with our root inclusion efforts here. We hope to limit the number of cross-signed certificates needed to support the transition effort but realize that we may have to cut cross-certs from many (if not all) of the old roots to the new roots.
Our cross-signs will correspond to our plan to ensure ubiquity and root segmentation by purpose. For example, we will likely cross-sign using the Assured ID G2 root for S/MIME.
Thanks, Brenda
Dear Matthias!
I believe it’s industry best practice for CA operators to operate ‘white labeled’ CAs on behalf of their customers. The operator of the CA is being identified in the Certificate Policy field and the owner of the CA is stated in the Subject field. Where do you see a problem with this?
With best regards,
Rufus Buschart
IT IPS SIP ET
Freyeslebenstr. 1
91058 Erlangen, Germany
Mobile: +49 (1522) 2894134
mailto:rufus.b...@siemens.com
Important notice: This e-mail and any attachment thereof contain corporate proprietary information. If you have received it by mistake, please notify us immediately by reply e-mail and delete this e-mail and its attachments from your system. Thank you.
Siemens Corporation: Chairman of the Supervisory Board: Jim Hagemann Snabe; Managing Board: Roland Busch, Chairman, President and Chief Executive Officer; Klaus Helmrich, Cedrik Neike, Matthias Rebellius, Ralf P. Thomas, Judith Wiese;
Registered offices: Berlin and Munich, Germany; Commercial registries: Berlin-Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322
On March 9, 2022, we began a three-week public discussion on DigiCert's request to include four new root certificates.[1] (Step 4 of the Mozilla Root Store CA Application Process[2]).
Summary of Discussion and Completion of Action Items [Application Process, Steps 5-8]:
One commenter noted that DigiCert had failed to maintain accurate records in the CCADB, based on information provided by https://crt.sh/mozilla-disclosures. DigiCert quickly updated those records so that they were accurate. Matthias van de Meent commented that DigiCert’s CP and CPS did not clearly identify which roots and intermediate CAs were governed by those policy documents. DigiCert responded that the information was provided in the CCADB. However, he was still concerned about the ability to locate that information outside of the CCADB.
Matthias also asked, “Should a CA certificate be allowed to contain the subject of another company's name while this subordinate CA is (and will be) under full control of the CA, considering that leaf certificates signed with such CA will provide the (false) notion that the other company signed those leaf certificates?” The ensuing questions and comments asked whether DigiCert and other CAs should be allowed to “white-label” subordinate CA certificates for customer organizations. (A white-labeled CA certificate has the name of a customer organization in the subject “O” field as the “nominal CA” while the root CA operator holds the keys and operates the CA that issues certificates to end entities.) Section 1.6 of the Baseline Requirements defines “Certification Authority” as “An organization that is responsible for the creation, issuance, revocation, and management of Certificates.” It was argued that the practice of white-labeling was misleading, and that the customer organization should not be listed in the subject “O” field of the CA certificate, but that it should name the actual organization performing CA tasks and being audited.
I do not believe that a resolution of this question is necessary for us to conclude discussion on DigiCert’s inclusion request. However, I am not trying to foreclose further discussion, which can continue in a separate thread if anyone desires.
Close of Public Discussion and Intent to Approve [Application Process, Steps 9-10]:
This is notice that I am closing public discussion on the inclusion request (Application Process, Step 9) and that it is Mozilla’s intent to approve DigiCert’s four root CA certificates (Step 10).
This begins a 7-day “last call” period for any final objections.
Thanks,
Ben
[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/z3-sYPyykqc/m/RTnXIubVAgAJ
[2] https://wiki.mozilla.org/CA/Application_Process#Process_Overview