Public Discussion of Asseco's Root Inclusion Request

Skip to first unread message

Ben Wilson

Mar 23, 2021, 12:35:48 AM3/23/21
to mozilla-dev-security-policy
Dear All,

This is to announce the beginning of the public discussion phase of the
Mozilla root CA inclusion process for the *Certum Trusted Root CA* and
the *Certum
EC-384 CA*. See, (Steps 4
through 9).

These two (2) new root CA certificates were created in 2018 and are valid
until 2043. They are proposed for inclusion with the email trust bit, the
websites bit, and EV enabled.

The root CAs are run by an existing CA operator in the Mozilla Root Program
- Asseco Data Services (“Asseco”), part of the Asseco Group.

Asseco's CA inclusion application has been tracked in the CCADB and in

Mozilla is considering approving Asseco’s request. This email begins the
3-week comment period, after which, if no concerns are raised, we will
close the discussion and the request may proceed to the approval phase
(Step 10).

*Root Certificate Information:*

*Certum Trusted Root CA * –

Download -

*Certum EC-384 CA * –

Download -


Current CP is Version 4.5, dated 19-Feb-2020.

Current CPS is Version 6.9, dated 21-December-2020.

My review comments to CPS version 6.9 can be found here:

Document repository location(s):

*Asseco's BR Self-Assessment* (PDF) is located here:


Asseco received favorable WebTrust audits (Standard, Baseline, and EV) from
Ernst & Young sp. z o.o. (E&Y). These were issued on May 18, 2020. Asseco’s
most recently ended audit period ended on February 10, 2021, and Asseco
expects to receive audit letters for that audit period sometime in April

*Incidents: *

For your review, past incidents filed between 2018-2020, now closed,
involving Asseco include the following:

1433118 <>
with compromised private key not revoked

1435770 <>
Issuance - Debian Weak Keys

1451228 <> EV
certificate mis-issue

1495518 <>
key usage for EC public key (Key Encipherment)

1511459 <>

1518560 <> Use
of forbidden subjectPublicKeyInfo algorithm

1524195 <>

1550575 <>
not from subjectAltName entries

1566586 <>
Audit Statements 2019

1567062 <>
disclosure of externally-operated intermediate

1598277 <> CA
certificates not listed in audit report

1600158 <>
to revoke intermediate certificates within the BR time period

1600301 <> EV
Certificates issued with wrong Business Category

1611458 <>
value in SAN dNSName

1639502 <>
OCSP response encoding

1667684 <>
to provide a preliminary report within 24 hours.

1667986 <>
stateOrProvinceName field

1668523 <>
to revoke within 5 days

*Test Results**:*

These CAs, and their associated test certificates, were checked for
revocation processing, misissuances, and EV compatibility, and they passed
those tests.

Thus, this email begins a three-week public discussion period, which I’m
scheduling to close on or about Wednesday, 14-April-2021.

A representative of Asseco must promptly respond directly in the discussion
thread to all questions that are posted.

Sincerely yours,

Ben Wilson

Mozilla Root Program
Reply all
Reply to author
0 new messages