Last week I privately contacted DigiCert about the lack of clarity about
which CP/CPS is applicable to which root / intermediate CA; to which I've
not yet received any meaningful reply. Right now, the repository that
DigiCert's leaf certificates link to in their CPS field does not have a
clear mapping of root- or subordinate CA to CPS; nor do the CP/CPSs in that
repository themselves contain this information.

MRSP 3.3(6) requires that CAs must provide a way to clearly determine which
CP and CPS applies to each of its root and intermediate certificates. Could
DigiCert comment on when they expect this issue to be resolved?

Additionally, while not important for this inclusion request, it would be
appreciated if DigiCert could provide their insights on the questions I
raised in [0] on the subject of their practices; specifically the second
question (reworded for brevity): Should a CA certificate be allowed to
contain the subject of another company's name while this subordinate CA is
(and will be) under full control of the CA, considering that leaf
certificates signed with such CA will provide the (false) notion that the
other company signed those leaf certificates?

Kind regards,

Matthias van de Meent

[0]
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/JLxGhM1pJ9w/m/21jQN3tSAwAJ

On Wed, Mar 9, 2022 at 11:51 PM Ben Wilson <[email protected]> wrote:

> All,
>
> This is to announce the beginning of the public discussion phase of the
> Mozilla root CA inclusion process (
> https://wiki.mozilla.org/CA/Application_Process#Process_Overview - Steps
> 4 through 9) for DigiCert’s inclusion request (Bug # 1706228
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1706228>, CCADB Case # 743
> <https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000743>)
> for the following root CA certificates:
>
> *DigiCert TLS RSA4096 Root G5 (websites trust bit, EV)*
>
> Download – https://cacerts.digicert.com/DigiCertRSA4096RootG5.crt.pem
>
> crt.sh -
> https://crt.sh/?SHA256=371A00DC0533B3721A7EEB40E8419E70799D2B0A0F2C1D80693165F7CEC4AD75
>
> *DigiCert TLS ECC P384 Root G5 (websites trust bit, EV)*
>
> Download – https://cacerts.digicert.com/DigiCertECCP384RootG5.crt.pem
>
> crt.sh –
> https://crt.sh/?SHA256=018E13F0772532CF809BD1B17281867283FC48C6E13BE9C69812854A490C1B05
>
> *DigiCert SMIME RSA4096 Root G5 (email trust bit)*
>
> Download – https://cacerts.digicert.com/DigiCertSMIMERSA4096RootG5.crt.pem
>
> crt.sh -
> https://crt.sh/?SHA256=90370D3EFA88BF58C30105BA25104A358460A7FA52DFC2011DF233A0F417912A
>
> *DigiCert SMIME ECC P384 Root G5 (email trust bit)*
>
> Download – https://cacerts.digicert.com/DigiCertSMIMEECCP384RootG5.crt.pem
>
> crt.sh -
> https://crt.sh/?SHA256=E8E8176536A60CC2C4E10187C3BEFCA20EF263497018F566D5BEA0F94D0C111B
>
> Mozilla is considering approving DigiCert’s request to add these four (4)
> roots as trust anchors with the trust bits and EV-enabled as indicated
> above.
>
> *Repository:* The DigiCert document repository is located here:
> https://www.digicert.com/legal-repository
>
> *Relevant Policy and Practices Documentation: *
>
> Certificate Policy, v. 5.9, dated January 21, 2022
>
>
> https://www.digicert.com/content/dam/digicert/pdfs/legal/digicert-cp-v5-9.pdf
>
> Certification Practices Statement, v. 5.9, dated January 21, 2022
>
>
> https://www.digicert.com/content/dam/digicert/pdfs/legal/digicert-cps-v5-9.pdf
>
> *Self-Assessments and Mozilla CPS Reviews* are located as attachments in Bug
> # 1706228 <https://bugzilla.mozilla.org/show_bug.cgi?id=1706228>:
>
> Mozilla Review of DigiCert CP/CPS and Compliance Self-Assessment
> <https://bugzilla.mozilla.org/attachment.cgi?id=9252944> (xls)
>
> DigiCert Replies to CP/CPS Review and Compliance Self-Assessment
> <https://bugzilla.mozilla.org/attachment.cgi?id=9261770> (xls)
>
>
>
> *Audits:*  Annual audits have been performed by BDO.  The most recent
> audits were completed for the period ending September 30, 2021.  See
> https://www.digicert.com/webtrust-audits.
>
> *Incidents*
>
> DigiCert has no open incidents in Bugzilla. In the past year, there have
> been five incidents involving DigiCert, which are now closed satisfactorily:
>
> 1727963 <https://bugzilla.mozilla.org/show_bug.cgi?id=1727963>
>
> DigiCert: Truncation of Registration Number
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1727963>
>
> 1744795 <https://bugzilla.mozilla.org/show_bug.cgi?id=1744795>
>
> DigiCert: Issuance of certs with weak keys (ROCA)
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1744795>
>
> 1710444 <https://bugzilla.mozilla.org/show_bug.cgi?id=1710444>
>
> DigiCert: Invalid stateOrProvinceName
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1710444>
>
> 1710856 <https://bugzilla.mozilla.org/show_bug.cgi?id=1710856>
>
> DigiCert: Invalid localityName
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1710856>
>
> 1714439 <https://bugzilla.mozilla.org/show_bug.cgi?id=1714439>
>
> DigiCert: Incorrect RegNumber-Org Type combination
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1714439>
>
>
>
> I have no further questions or concerns about DigiCert’s inclusion
> request; however, I urge anyone with concerns or questions to raise them on
> this list by replying directly in this discussion thread. Likewise, a
> representative of DigiCert must promptly respond directly in the discussion
> thread to all questions that are posted.
>
> This email begins the 3-week comment period, which I’m scheduling to close
> on or about March 31, 2022, after which, if no concerns are raised, we will
> close the discussion and the request may proceed to the approval phase
> (Step 10).
>
> Sincerely yours,
>
> Ben Wilson
>
> Mozilla Root Program Manager
>
>
>
