All,

On April 3, 2022, we began a three-week public discussion[1] on the request from Certainly for inclusion of its two root certificates, the Certainly Root R1 and the Certainly Root E1 (Step 4 of the Mozilla Root Store CA Application Process[2]).

*Summary of Discussion and Completion of Action Items [Application Process, Steps 5-8]:*

We did not receive any objections or other questions or comments in opposition to Certainly’s request. I do not believe that there are any action items for Certainly to complete.

*Close of Public Discussion and Intent to Approve [Application Process, Steps 9-10]:*

This is notice that I am closing public discussion (Application Process, Step 9) and that it is Mozilla’s intent to approve Certainly’s request (Step 10). This begins a 7-day “last call” period for any final objections.

Thanks,

Ben

[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/EhXhiHfWGC8/m/58CH8CMwBgAJ

[2] https://wiki.mozilla.org/CA/Application_Process#Process_Overview

On Sun, Apr 3, 2022 at 11:16 PM Ben Wilson <[email protected]> wrote:

> All,
>
> This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process (https://wiki.mozilla.org/CA/Application_Process#Process_Overview - Steps 4 through 9) for an inclusion request filed by Certainly, LLC (Bug # 1727941 <https://bugzilla.mozilla.org/show_bug.cgi?id=1727941>, CCADB Case # 829 <https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000829>) for the following two (2) root CA certificates:
>
> *Certainly Root R1 (websites trust bit only)*
>
> https://crt.sh/?sha256=77B82CD8644C4305F7ACC5CB156B45675004033D51C60C6202A8E0C33467D3A0
>
> http://root-r1.certainly.com
>
> *Certainly Root E1 (websites trust bit only)*
>
> https://crt.sh/?sha256=B4585F22E4AC756A4E8612A1361C5D9D031A93FD84FEBB778FA3068B0FC42DC2
>
> http://root-e1.certainly.com/
>
> Certainly is currently the subject of an ongoing public discussion in relation to GoDaddy’s intent to cross-sign two issuing CAs to be operated by Certainly. In that proceeding, Certainly would be an external, third-party operator of non-technically-constrained issuing CAs.
> In this proceeding, Certainly’s two roots would be added to NSS and Firefox as trust anchors with the websites trust bit and Certainly would be a root CA operator. The information collected and reviewed by GoDaddy, me, and others during the cross-signing application proceeding (Bug #1755851 <https://bugzilla.mozilla.org/show_bug.cgi?id=1755851>) is useful in considering this root inclusion request, as are comments and information presented in that public discussion (https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/bEnn98Dajzc/m/32NwZHWSAAAJ).
>
> *Repository:* The Certainly document repository is located here:
>
> https://www.certainly.com/repository/
>
> *Relevant Policy and Practices Documentation:*
>
> Certificate Policy / Certification Practice Statement, v. 1.3, dated March 1, 2022
>
> https://www.certainly.com/repository/CertainlyCP-CPS.pdf
>
> *Self-Assessments and CPS Reviews* are located as attachments in the following two (2) bugs: Bug # 1727941 <https://bugzilla.mozilla.org/show_bug.cgi?id=1727941> and Bug # 1755851 <https://bugzilla.mozilla.org/show_bug.cgi?id=1755851>. Specifically, https://bugzilla.mozilla.org/attachment.cgi?id=9270636 (review performed by me on 4-Mar-2022) and https://bugzilla.mozilla.org/attachment.cgi?id=9267213 (Certainly’s updated Self-Assessment, dated 9-Mar-2022).
>
> *Value-vs-Risk Justification from Certainly* - https://bugzilla.mozilla.org/attachment.cgi?id=9270080
>
> *Audits:* Point-in-time audits (dated June 30, 2021) were performed by Schellman & Company in accordance with WebTrust Principles and Criteria for Certification Authorities, v. 2.2.1, and WebTrust SSL Baseline with Network Security, v. 2.5. See https://www.certainly.com/repository/audit/index.html
>
> *Incidents*
>
> Certainly has no open incidents in Bugzilla.
>
> In the past 12 months, there were two (2) incidents involving Certainly, which are now closed as fixed:
>
> 1732745 <https://bugzilla.mozilla.org/show_bug.cgi?id=1732745> Root CRL validity period exceeded maximum stated period by one second
>
> 1752452 <https://bugzilla.mozilla.org/show_bug.cgi?id=1752452> TLS Using ALPN TLS Version and OID
>
> I have no further questions or concerns about Certainly’s inclusion request. However, I urge anyone with concerns or questions to raise them on this list by replying directly in this discussion thread. Likewise, a representative of Certainly must promptly respond directly in the discussion thread to all questions that are posted.
>
> This email begins the 3-week comment period, which I’m scheduling to close on or about April 25, 2022, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).
>
> Sincerely yours,
>
> Ben Wilson
>
> Mozilla Root Program Manager
