Hi everyone,

Quick question! Will Certainly be offering a public ACME CA for use by everyone (à la Let's Encrypt), or will this be for Fastly customer use only?
Cheers, Scott.

On Thursday, 17 February 2022 at 06:10:31 UTC [email protected] wrote:
> This is to announce and begin public discussion of GoDaddy’s intent to use
> its publicly trusted Starfield Root Certificate Authority - G2
> (https://crt.sh/?caid=796) to create two new external subordinate CA
> certificates to be operated and maintained by Certainly, LLC. These will
> be cross-certificates sharing their respective key pairs with subordinate
> CA certificates signed by two Certainly Root CAs that are pending inclusion
> (https://bugzilla.mozilla.org/show_bug.cgi?id=1727941).
>
> In accordance with Mozilla Root Store Policy, Section 8 - CA Operational
> Changes
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#8-ca-operational-changes>
> for new program participants and at the instruction of Process for Review
> and Approval of Externally Operated Subordinate CAs
> <https://wiki.mozilla.org/CA/External_Sub_CAs_not_Technically_Constrained#Process_for_Review_and_Approval_of_Externally_Operated_Subordinate_CAs_that_are_Not_Technically_Constrained>
> we have created Bugzilla Bug 1755851
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1755851> and are initiating
> this formal discussion period.
>
> Certainly is a wholly owned subsidiary of Fastly, Inc.
> <https://www.fastly.com/>, a cloud service provider headquartered in the
> USA. Certainly plans to issue certificates to existing Fastly customers.
> The two Certainly subordinate CAs will issue publicly-trusted DV TLS server
> certificates. More details may be found in Certainly’s root inclusion
> case in CCADB
> <https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000829>.
>
> Certainly has performed a CA Compliance Self-Assessment
> <https://bugzilla.mozilla.org/attachment.cgi?id=9239293> and has
> committed to adhere to all Mozilla requirements, Baseline Requirements of
> the CA/Browser Forum, and the GoDaddy (Starfield Technologies) CP/CPS.
>
> All the operational services related to Certainly’s Subscribers will be
> performed by Certainly, including processing of certificate applications,
> certificate issuance, certificate publishing, certificate status services,
> and certificate management. Certainly has implemented the open-source
> Boulder CA <https://github.com/letsencrypt/boulder> and interacts with
> Applicants and Subscribers via an ACME
> <https://datatracker.ietf.org/doc/html/rfc8555> API endpoint. Certainly
> has applied for inclusion
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1727941> as a root CA to
> Mozilla and a number of other root store programs, requesting inclusion of
> two root certificates. Both will be used exclusively to issue DV TLS
> certificates, with the distinction that one root will anchor an RSA
> hierarchy and the other will anchor an ECDSA hierarchy. These roots, as
> well as the two corresponding subordinate CAs that are constrained to TLS
> usages, have been disclosed in CCADB.
>
> Certainly has received the following unqualified audit reports (see Bug
> 1755851 <https://bugzilla.mozilla.org/show_bug.cgi?id=1755851> for full
> reports) from the WebTrust Practitioner, Schellman, LLC:
>
> - WebTrust for CAs point-in-time dated June 30, 2021
> - WebTrust SSL Baseline with NCSSRs point-in-time dated June 30, 2021
> - WebTrust for CAs Key Lifecycle Management report (covering the
>   period between key generation and type-1 audits)
>
> Certainly will undergo WebTrust for CAs and WebTrust SSL Baseline with
> NCSSRs period-of-time audits no later than June 30, 2022, covering a period
> beginning July 1, 2021. Certainly has further committed to ongoing WebTrust
> audits for the 10-year lifetime of the cross-signed certificates.
>
> As operator of a Mozilla-trusted root CA (and a trusted root in other
> browser root store programs), we recognize that through this cross-sign
> event, we are ultimately accountable for any actions taken by the Certainly
> intermediates which will inherit our trust and have worked closely with
> Certainly to perform due diligence activities including the review of the
> Certainly CP/CPS
> <https://www.certainly.com/repository/CertainlyCP-CPS.pdf>, Subscriber
> Agreement
> <https://www.certainly.com/repository/CertainlySubscriberAgreement.pdf>,
> and Relying Party Agreement
> <https://www.certainly.com/repository/CertainlyRelyingPartyAgreement.pdf>
> against CA/B Forum requirements, GoDaddy policies, and Mozilla policies. We
> have also reviewed Certainly’s CA Compliance Self-Assessment and
> operational practices, interviewed Certainly personnel, and reviewed the
> external audit opinions to verify appropriate scope of coverage and
> conformance with requirements as expected. Currently and following the
> proposed cross-sign event, we will continue working closely with Certainly
> to oversee ongoing compliance efforts.
>
> Of note, Certainly has filed two Mozilla incident reports to date (listed
> below) which we have followed and reviewed with Certainly. It is our
> expectation that the second bug be resolved prior to any cross-sign event.
>
> - Root CRL validity period exceeds maximum by one second
>   <https://bugzilla.mozilla.org/show_bug.cgi?id=1732745> (27 September 2021)
> - TLS Using ALPN TLS Version and OID
>   <https://bugzilla.mozilla.org/show_bug.cgi?id=1752452> (27 January 2022)
>
> This email begins a 3-week comment period, after which Mozilla is expected
> to consider approval of GoDaddy’s request.
>
> Best,
>
> Brittany Randall
