Dear All,
This is to announce the beginning of the public discussion phase of the
Mozilla root CA inclusion process for the *Certum Trusted Root CA* and
the *Certum
EC-384 CA*. See
https://wiki.mozilla.org/CA/Application_Process#Process_Overview, (Steps 4
through 9).
These two (2) new root CA certificates were created in 2018 and are valid
until 2043. They are proposed for inclusion with the email trust bit, the
websites bit, and EV enabled.
The root CAs are run by an existing CA operator in the Mozilla Root Program
- Asseco Data Services (“Asseco”), part of the Asseco Group.
Asseco's CA inclusion application has been tracked in the CCADB and in
Bugzilla–
https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000519
https://bugzilla.mozilla.org/show_bug.cgi?id=1598577
Mozilla is considering approving Asseco’s request. This email begins the
3-week comment period, after which, if no concerns are raised, we will
close the discussion and the request may proceed to the approval phase
(Step 10).
*Root Certificate Information:*
*Certum Trusted Root CA *
crt.sh –
https://crt.sh/?q=FE7696573855773E37A95E7AD4D9CC96C30157C15D31765BA9B15704E1AE78FD
https://crt.sh/?id=2224039330
Download -
http://repository.certum.pl/ctrca.pem
*Certum EC-384 CA *
crt.sh –
https://crt.sh/?q=6B328085625318AA50D173C98D8BDA09D57E27413D114CF787A0F5D06C030CF6
https://crt.sh/?id=2224044393
Download -
https://repository.certum.pl/cec384ca.pem
*CP/CPS:*
Current CP is Version 4.5, dated 19-Feb-2020.
https://files.certum.eu/documents/repsitory/2-cert-policy/CCP-DK02-ZK01-CP-Cert-Serv-4.5.pdf
Current CPS is Version 6.9, dated 21-December-2020.
https://files.certum.eu/documents/repsitory/3-cert-pract-state/CCP-DK02-ZK02-CPS-Cert-6.9.pdf
My review comments to CPS version 6.9 can be found here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1598577#c14.
Document repository location(s):
https://www.certum.eu/en/repository/
https://www.certum.pl/pl/repozytorium/
*Asseco's BR Self-Assessment* (PDF) is located here:
https://bugzilla.mozilla.org/attachment.cgi?id=9111193
*Audits:*
Asseco received favorable WebTrust audits (Standard, Baseline, and EV) from
Ernst & Young sp. z o.o. (E&Y). These were issued on May 18, 2020. Asseco’s
most recently ended audit period ended on February 10, 2021, and Asseco
expects to receive audit letters for that audit period sometime in April
2021.
*Incidents: *
For your review, past incidents filed between 2018-2020, now closed,
involving Asseco include the following:
1433118 <
https://bugzilla.mozilla.org/show_bug.cgi?id=1433118>
Certificate
with compromised private key not revoked
1435770 <
https://bugzilla.mozilla.org/show_bug.cgi?id=1435770>
Non-BR-Compliant
Issuance - Debian Weak Keys
1451228 <
https://bugzilla.mozilla.org/show_bug.cgi?id=1451228> EV
certificate mis-issue
1495518 <
https://bugzilla.mozilla.org/show_bug.cgi?id=1495518>
Unallowed
key usage for EC public key (Key Encipherment)
1511459 <
https://bugzilla.mozilla.org/show_bug.cgi?id=1511459>
Corrupted
certificates
1518560 <
https://bugzilla.mozilla.org/show_bug.cgi?id=1518560> Use
of forbidden subjectPublicKeyInfo algorithm
1524195 <
https://bugzilla.mozilla.org/show_bug.cgi?id=1524195>
Invalid
dnsNames
1550575 <
https://bugzilla.mozilla.org/show_bug.cgi?id=1550575>
commonName
not from subjectAltName entries
1566586 <
https://bugzilla.mozilla.org/show_bug.cgi?id=1566586>
Overdue
Audit Statements 2019
1567062 <
https://bugzilla.mozilla.org/show_bug.cgi?id=1567062>
Inconsistent
disclosure of externally-operated intermediate
1598277 <
https://bugzilla.mozilla.org/show_bug.cgi?id=1598277> CA
certificates not listed in audit report
1600158 <
https://bugzilla.mozilla.org/show_bug.cgi?id=1600158>
Failure
to revoke intermediate certificates within the BR time period
1600301 <
https://bugzilla.mozilla.org/show_bug.cgi?id=1600301> EV
Certificates issued with wrong Business Category
1611458 <
https://bugzilla.mozilla.org/show_bug.cgi?id=1611458>
Invalid
value in SAN dNSName
1639502 <
https://bugzilla.mozilla.org/show_bug.cgi?id=1639502>
Incorrect
OCSP response encoding
1667684 <
https://bugzilla.mozilla.org/show_bug.cgi?id=1667684>
Failure
to provide a preliminary report within 24 hours.
1667986 <
https://bugzilla.mozilla.org/show_bug.cgi?id=1667986>
Invalid
stateOrProvinceName field
1668523 <
https://bugzilla.mozilla.org/show_bug.cgi?id=1668523>
Failure
to revoke within 5 days
*Test Results**:*
These CAs, and their associated test certificates, were checked for
revocation processing, misissuances, and EV compatibility, and they passed
those tests.
Thus, this email begins a three-week public discussion period, which I’m
scheduling to close on or about Wednesday, 14-April-2021.
A representative of Asseco must promptly respond directly in the discussion
thread to all questions that are posted.
Sincerely yours,
Ben Wilson
Mozilla Root Program