This is to announce and begin public discussion of GoDaddy’s intent to use 
its publicly trusted Starfield Root Certificate Authority - G2 (
https://crt.sh/?caid=796) to create two new external subordinate CA 
certificates to be operated and maintained by Certainly, LLC.  These will 
be cross-certificates sharing their respective key pairs with subordinate 
CA certificates signed by two Certainly Root CAs that are pending inclusion 
(https://bugzilla.mozilla.org/show_bug.cgi?id=1727941). 

In accordance with Mozilla Root Store Policy, Section 8 - CA Operational 
Changes 
<https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#8-ca-operational-changes>, 
for new program participants, and at the instruction of the Process for Review 
and Approval of Externally Operated Subordinate CAs 
<https://wiki.mozilla.org/CA/External_Sub_CAs_not_Technically_Constrained#Process_for_Review_and_Approval_of_Externally_Operated_Subordinate_CAs_that_are_Not_Technically_Constrained>, 
we have created Bugzilla Bug 1755851 
<https://bugzilla.mozilla.org/show_bug.cgi?id=1755851> and are initiating 
this formal discussion period.

Certainly is a wholly owned subsidiary of Fastly, Inc. 
<https://www.fastly.com/>, a cloud service provider headquartered in the 
USA. Certainly plans to issue certificates to existing Fastly customers. 
The two Certainly subordinate CAs will issue publicly-trusted DV TLS server 
certificates. More details may be found in Certainly’s root inclusion case 
in CCADB 
<https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000829>.
Certainly has performed a CA Compliance Self-Assessment 
<https://bugzilla.mozilla.org/attachment.cgi?id=9239293> and has committed 
to adhere to all Mozilla requirements, Baseline Requirements of the 
CA/Browser Forum, and the GoDaddy (Starfield Technologies) CP/CPS.

All the operational services related to Certainly’s Subscribers will be 
performed by Certainly, including processing of certificate applications, 
certificate issuance, certificate publishing, certificate status services, 
and certificate management. Certainly has implemented the open-source 
Boulder CA <https://github.com/letsencrypt/boulder> and interacts with 
Applicants and Subscribers via an ACME 
<https://datatracker.ietf.org/doc/html/rfc8555> API endpoint.  Certainly 
has applied for inclusion 
<https://bugzilla.mozilla.org/show_bug.cgi?id=1727941> as a root CA to 
Mozilla and a number of other root store programs, requesting inclusion of 
two root certificates. Both will be used exclusively to issue DV TLS 
certificates, with the distinction that one root will anchor an RSA 
hierarchy and the other will anchor an ECDSA hierarchy. These roots, as 
well as the two corresponding subordinate CAs that are constrained to TLS 
usages, have been disclosed in CCADB.

Certainly has received the following unqualified audit reports (see Bug 
1755851 <https://bugzilla.mozilla.org/show_bug.cgi?id=1755851> for full 
reports) from the WebTrust Practitioner, Schellman, LLC:

   - WebTrust for CAs point-in-time dated June 30, 2021 
   - WebTrust SSL Baseline with NCSSRs point-in-time dated June 30, 2021 
   - WebTrust for CAs Key Lifecycle Management report (covering the period 
   between key generation and type-1 audits) 

Certainly will undergo WebTrust for CAs and WebTrust SSL Baseline with 
NCSSRs period-of-time audits no later than June 30, 2022, covering a period 
beginning July 1, 2021. Certainly has further committed to ongoing WebTrust 
audits for the 10-year lifetime of the cross-signed certificates.

As operator of a Mozilla-trusted root CA (and a trusted root in other 
browser root store programs), we recognize that, through this cross-sign 
event, we are ultimately accountable for any actions taken by the Certainly 
intermediates, which will inherit our trust. We have worked closely with 
Certainly to perform due diligence activities, including the review of the 
Certainly CP/CPS <https://www.certainly.com/repository/CertainlyCP-CPS.pdf>, 
Subscriber Agreement 
<https://www.certainly.com/repository/CertainlySubscriberAgreement.pdf>, 
and Relying Party Agreement 
<https://www.certainly.com/repository/CertainlyRelyingPartyAgreement.pdf> 
against CA/B Forum requirements, GoDaddy policies, and Mozilla policies. We 
have also reviewed Certainly's CA Compliance Self-Assessment and 
operational practices, interviewed Certainly personnel, and reviewed the 
external audit opinions to verify appropriate scope of coverage and 
conformance with requirements as expected. Currently, and following the 
proposed cross-sign event, we will continue working closely with Certainly 
to oversee ongoing compliance efforts.

Of note, Certainly has filed two Mozilla incident reports to date (listed 
below) which we have followed and reviewed with Certainly. It is our 
expectation that the second bug be resolved prior to any cross-sign event.

   - Root CRL validity period exceeds maximum by one second 
   <https://bugzilla.mozilla.org/show_bug.cgi?id=1732745>  (27-September 
   2021) 
   - TLS Using ALPN TLS Version and OID 
   <https://bugzilla.mozilla.org/show_bug.cgi?id=1752452> (27-January 2022) 

This email begins a 3-week comment period, after which Mozilla is expected 
to consider approval of GoDaddy’s request.

Best,

Brittany Randall
