This email announces an intent to include the following three (3) root certificates as trust anchors with the websites and email trust bits enabled, and to enable each root for EV as documented in the following Bugzilla case: https://bugzilla.mozilla.org/show_bug.cgi?id=1528369

This email commences the three-week public discussion period set forth in https://wiki.mozilla.org/CA/Application_Verification#Public_Discussion.

The three root CA certificates are as follows:

*Trustwave Global Certification Authority* – valid from 23-Aug-2017
SHA2: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8

*Trustwave Global ECC P256 Certification Authority* – valid from 23-Aug-2017
SHA2: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4

*Trustwave Global ECC P384 Certification Authority* –
SHA2: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097

*A Summary of Information Gathered and Verified appears here in the CCADB:*
https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000392

*Root Certificate Download URLs are as follows:*
https://certs.securetrust.com/CA/TWGCA.txt
https://certs.securetrust.com/CA/TWGP256CA.txt
https://certs.securetrust.com/CA/TWGP384CA.txt

*CP/CPS:*
We have reviewed the CPS and provided comments, which were incorporated into SecureTrust's most recent CPS: https://certs.securetrust.com/CA/SecureTrustCPS_62.pdf
(Repository location: https://ssl.trustwave.com/CA / https://certs.securetrust.com/CA/)

*SecureTrust’s BR Self Assessment* is located here: https://bugzilla.mozilla.org/attachment.cgi?id=9060769

*Audits:*
Annual audits are performed by BDO International, Ltd. according to the WebTrust Standard, BR and EV audit criteria. I have reviewed the key generation audit report from Grant Thornton and subsequent 2018 and 2019 audit reports for these three roots and determined that there is continuity (all three are included in WebTrust Standard, BR and EV audits continuously since CA generation). Minor issues were found by BDO International, Ltd., as part of the 2019 Baseline Requirements audit.[1] These issues were addressed in [2], which was closed by Mozilla on 14-Mar-2020.

[1] https://certs.securetrust.com/CA/2%20-%20SecureTrust%202019%20SSL%20BL%20Report.pdf
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1606031 (BR Audit 2019 - matters to be resolved)

I ran mis-issuance reports for the three roots with linting to look for issuance errors and didn’t find any from the three above-mentioned roots.

Other closed CA Incidents for SecureTrust include the following:

[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1546776 (Unvalidated domain in certificate)
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1551374 ("Some-State" in stateOrProvinceName)
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1600844 (Unconstrained ICA not included in WTBR audit report)
[6] https://bugzilla.mozilla.org/show_bug.cgi?id=1646711 (Metadata-only field values in 2 certificates)

This email begins the three-week public discussion period, which will close on 24-August-2020.

Sincerely yours,
Ben Wilson
Mozilla Root Program