Hi Scott,

Certainly touched on this point in our root inclusion CCADB case
<https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000829>,
which states “Certainly will initially issue certificates to existing
Fastly customers. Fastly serves a broad range of organizations around the
world, and also offers free services to open source projects. Certainly
only issues DV TLS certificates.” We would like to broaden the reach of our
services, but want to take it one step at a time.

- Wayne

On Mon, Feb 21, 2022 at 10:50 AM Scott Helme <[email protected]> wrote:

> Hi everyone,
>
> Quick question! Will Certainly be offering a public ACME CA for use by
> everyone (à la Let's Encrypt), or will this be for Fastly customer use only?
>
> Cheers,
>
> Scott.
>
> On Thursday, 17 February 2022 at 06:10:31 UTC [email protected] wrote:
>
>> This is to announce and begin public discussion of GoDaddy’s intent to
>> use its publicly trusted Starfield Root Certificate Authority - G2 (
>> https://crt.sh/?caid=796) to create two new external subordinate CA
>> certificates to be operated and maintained by Certainly, LLC.  These will
>> be cross-certificates sharing their respective key pairs with subordinate
>> CA certificates signed by two Certainly Root CAs that are pending inclusion
>> (https://bugzilla.mozilla.org/show_bug.cgi?id=1727941).
>>
>> In accordance with Mozilla Root Store Policy, Section 8 - CA Operational
>> Changes
>> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#8-ca-operational-changes>
>> for new program participants and at the instruction of Process for
>> Review and Approval of Externally Operated Subordinate CAs
>> <https://wiki.mozilla.org/CA/External_Sub_CAs_not_Technically_Constrained#Process_for_Review_and_Approval_of_Externally_Operated_Subordinate_CAs_that_are_Not_Technically_Constrained>
>> we have created Bugzilla Bug 1755851
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1755851> and are
>> initiating this formal discussion period.
>>
>> Certainly is a wholly owned subsidiary of Fastly, Inc.
>> <https://www.fastly.com/>, a cloud service provider headquartered in the
>> USA. Certainly plans to issue certificates to existing Fastly customers.
>> The two Certainly subordinate CAs will issue publicly-trusted DV TLS server
>> certificates. More details may be found in Certainly’s root inclusion
>> case in CCADB
>> <https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000829>.
>> Certainly has performed a CA Compliance Self-Assessment
>> <https://bugzilla.mozilla.org/attachment.cgi?id=9239293> and has
>> committed to adhere to all Mozilla requirements, Baseline Requirements of
>> the CA/Browser Forum, and the GoDaddy (Starfield Technologies) CP/CPS.
>>
>> All the operational services related to Certainly’s Subscribers will be
>> performed by Certainly, including processing of certificate applications,
>> certificate issuance, certificate publishing, certificate status services,
>> and certificate management. Certainly has implemented the open-source
>> Boulder CA <https://github.com/letsencrypt/boulder> and interacts with
>> Applicants and Subscribers via an ACME
>> <https://datatracker.ietf.org/doc/html/rfc8555> API endpoint.  Certainly
>> has applied for inclusion
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1727941> as a root CA to
>> Mozilla and a number of other root store programs, requesting inclusion of
>> two root certificates. Both will be used exclusively to issue DV TLS
>> certificates, with the distinction that one root will anchor an RSA
>> hierarchy and the other will anchor an ECDSA hierarchy. These roots, as
>> well as the two corresponding subordinate CAs that are constrained to TLS
>> usages, have been disclosed in CCADB.
>>
>> Certainly has received the following unqualified audit reports (see Bug
>> 1755851 <https://bugzilla.mozilla.org/show_bug.cgi?id=1755851> for full
>> reports) from the WebTrust Practitioner, Schellman, LLC:
>>
>>    - WebTrust for CAs point-in-time dated June 30, 2021
>>    - WebTrust SSL Baseline with NCSSRs point-in-time dated June 30, 2021
>>    - WebTrust for CAs Key Lifecycle Management report (covering the
>>    period between key generation and type-1 audits)
>>
>> Certainly will undergo WebTrust for CAs and WebTrust SSL Baseline with
>> NCSSRs period-of-time audits no later than June 30, 2022, covering a period
>> beginning July 1, 2021. Certainly has further committed to ongoing WebTrust
>> audits for the 10-year lifetime of the cross-signed certificates.
>>
>> As operator of a Mozilla-trusted root CA (and a trusted root in other
>> browser root store programs), we recognize that through this cross-sign
>> event, we are ultimately accountable for any actions taken by the Certainly
>> intermediates which will inherit our trust and have worked closely with
>> Certainly to perform due diligence activities including the review of the
>> Certainly CP/CPS
>> <https://www.certainly.com/repository/CertainlyCP-CPS.pdf>, Subscriber
>> Agreement
>> <https://www.certainly.com/repository/CertainlySubscriberAgreement.pdf>,
>> and Relying Party Agreement
>> <https://www.certainly.com/repository/CertainlyRelyingPartyAgreement.pdf>
>> against CA/B forum requirements, GoDaddy Policies, and Mozilla policies. We
>> have also reviewed Certainly’s CA Compliance Self-Assessment and
>> operational practices, interviewed Certainly personnel, and reviewed the
>> external audit opinions to verify appropriate scope of coverage and
>> conformance with requirements as expected. Currently and following the
>> proposed cross-sign event, we will continue working closely with Certainly
>> to oversee ongoing compliance efforts.
>>
>> Of note, Certainly has filed two Mozilla incident reports to date (listed
>> below) which we have followed and reviewed with Certainly. It is our
>> expectation that the second bug be resolved prior to any cross-sign event.
>>
>>    - Root CRL validity period exceeds maximum by one second
>>    <https://bugzilla.mozilla.org/show_bug.cgi?id=1732745>  (27-September
>>    2021)
>>    - TLS Using ALPN TLS Version and OID
>>    <https://bugzilla.mozilla.org/show_bug.cgi?id=1752452> (27-January
>>    2022)
>>
>> This email begins a 3-week comment period, after which Mozilla is
>> expected to consider approval of GoDaddy’s request.
>>
>> Best,
>>
>> Brittany Randall
>>
> --
> You received this message because you are subscribed to the Google Groups "
> [email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/94f405b3-b189-4e3e-a1f9-67db6233d28an%40mozilla.org
> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/94f405b3-b189-4e3e-a1f9-67db6233d28an%40mozilla.org?utm_medium=email&utm_source=footer>
> .
>
