All, This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process ( https://wiki.mozilla.org/CA/Application_Process#Process_Overview - Steps 4 through 9) for an inclusion request filed by Certainly, LLC (Bug # 1727941 <https://bugzilla.mozilla.org/show_bug.cgi?id=1727941>, CCADB Case # 829 <https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000829>) for the following two (2) root CA certificates:
*Certainly Root R1 (websites trust bit only)* https://crt.sh/?sha256=77B82CD8644C4305F7ACC5CB156B45675004033D51C60C6202A8E0C33467D3A0 http://root-r1.certainly.com *Certainly Root E1 **(websites trust bit only)* https://crt.sh/?sha256=B4585F22E4AC756A4E8612A1361C5D9D031A93FD84FEBB778FA3068B0FC42DC2 http://root-e1.certainly.com/ Certainly is currently the subject of an ongoing public discussion in relation to GoDaddy’s intent to cross-sign two issuing CAs to be operated by Certainly. In that proceeding, Certainly would be an external, third-party operator of non-technically-constrained issuing CAs. In this proceeding, Certainly’s two roots would be added to NSS and Firefox as trust anchors with the websites trust bit and Certainly would be a root CA operator. The information collected and reviewed by GoDaddy, me, and others during the cross-signing application proceeding (Bug #1755851 <https://bugzilla.mozilla.org/show_bug.cgi?id=1755851>) is useful in considering this root inclusion request, as are comments and information presented in that public discussion ( https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/bEnn98Dajzc/m/32NwZHWSAAAJ ). *Repository:* The Certainly document repository is located here: https://www.certainly.com/repository/ *Relevant Policy and Practices Documentation: * Certificate Policy / Certification Practice Statement, v. 1.3, dated March 1, 2022 https://www.certainly.com/repository/CertainlyCP-CPS.pdf *Self-Assessments and CPS Reviews* are located as attachments in the following two (2) bugs: Bug # 1727941 <https://bugzilla.mozilla.org/show_bug.cgi?id=1727941> and Bug # 1755851 <https://bugzilla.mozilla.org/show_bug.cgi?id=1755851>. Specifically, https://bugzilla.mozilla.org/attachment.cgi?id=9270636 (review performed by me on 4-Mar-2022) and https://bugzilla.mozilla.org/attachment.cgi?id=9267213 (Certainly’s updated Self-Assessment, dated 9-Mar-2022). *Value-vs-Risk Justification from Certainly* - https://bugzilla.mozilla.org/attachment.cgi?id=9270080 *Audits:* Point-in-time audits (dated June 30, 2021) were performed by Schellman & Company in accordance with WebTrust Principles and Criteria for Certification Authorities, v. 2.2.1, and WebTrust SSL Baseline with Network Security, v. 2.5. See https://www.certainly.com/repository/audit/index.html *Incidents* Certainly has no open incidents in Bugzilla. In the past 12 months, there were two (2) incidents involving Certainly, which are now closed as fixed: 1732745 <https://bugzilla.mozilla.org/show_bug.cgi?id=1732745> Root CRL validity period exceeded maximum stated period by one second 1752452 <https://bugzilla.mozilla.org/show_bug.cgi?id=1752452> TLS Using ALPN TLS Version and OID I have no further questions or concerns about Certainly’s inclusion request. However, I urge anyone with concerns or questions to raise them on this list by replying directly in this discussion thread. Likewise, a representative of Certainly must promptly respond directly in the discussion thread to all questions that are posted. This email begins the 3-week comment period, which I’m scheduling to close on or about April 25, 2022, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10). Sincerely yours, Ben Wilson Mozilla Root Program Manager -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZ2ak7yr-YQEP6zh7K9Wa%2BMR1MDYJAdDzH-EFd3ncepaQ%40mail.gmail.com.
