All,

This email commences a six-week public discussion of SSL.com’s request to include the following certificates as publicly trusted root certificates in one or more CCADB Root Store Member’s program. This discussion period is scheduled to close on May 2, 2023.

The purpose of this public discussion process is to promote openness and transparency. However, each Root Store makes its inclusion decisions independently, on its own timelines, and based on its own inclusion criteria. Successful completion of this public discussion process does not guarantee any favorable action by any root store.

Anyone with concerns or questions is urged to raise them on this CCADB Public list by replying directly in this discussion thread. Likewise, a representative of the applicant must promptly respond directly in the discussion thread to all questions that are posted.

CCADB Case Numbers: 00001049 <https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001049> and 00001132 <https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001132>

Organization Background Information (listed in CCADB):

- CA Owner Name: SSL.com
- Website: https://www.ssl.com/
- Address: 3100 Richmond Ave., Suite 405, Houston, Texas, 77098, United States of America
- Problem Reporting Mechanisms: [email protected], https://www.ssl.com/revoke/
- Organization Type: Public Corporation
- Repository URL: https://www.ssl.com/repository/

Certificates Requesting Inclusion:

1. SSL.com TLS RSA Root CA 2022 (included in case 00001049 <https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001049>):
   - Certificate download links: (CA Repository <https://www.ssl.com/repository/SSLcom-RootCAs.zip>, crt.sh <https://crt.sh/?q=8FAF7D2E2CB4709BB8E0B33666BF75A5DD45B5DE480F8EA8D4BFE6BEBC17F2ED>)
   - Use cases served/EKUs:
     - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
     - Client Authentication 1.3.6.1.5.5.7.3.2
   - Test websites:
     - Valid: https://test-root-2022-rsa.ssl.com/
     - Revoked: https://revoked-root-2022-rsa.ssl.com/
     - Expired: https://expired-root-2022-rsa.ssl.com/

2. SSL.com TLS ECC Root CA 2022 (included in case 00001049 <https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001049>):
   - Certificate download links: (CA Repository <https://www.ssl.com/repository/SSLcom-RootCAs.zip>, crt.sh <https://crt.sh/?q=C32FFD9F46F936D16C3673990959434B9AD60AAFBB9E7CF33654F144CC1BA143>)
   - Use cases served/EKUs:
     - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
     - Client Authentication 1.3.6.1.5.5.7.3.2
   - Test websites:
     - Valid: https://test-root-2022-ecc.ssl.com
     - Revoked: https://revoked-root-2022-ecc.ssl.com
     - Expired: https://expired-root-2022-ecc.ssl.com

3. SSL.com Client ECC Root CA 2022 (included in case 00001132 <https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001132>):
   - Certificate download links: (CA Repository <https://www.ssl.com/repository/SSLcom-RootCAs.zip>, crt.sh <https://crt.sh/?q=AD7DD58D03AEDB22A30B5084394920CE12230C2D8017AD9B81AB04079BDD026B>)
   - Use cases served/EKUs:
     - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
     - Client Authentication 1.3.6.1.5.5.7.3.2
   - Test websites: N/A

4. SSL.com Client RSA Root CA 2022 (included in case 00001132 <https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001132>):
   - Certificate download links: (CA Repository <https://www.ssl.com/repository/SSLcom-RootCAs.zip>, crt.sh <https://crt.sh/?q=1D4CA4A2AB21D0093659804FC0EB2175A617279B56A2475245C9517AFEB59153>)
   - Use cases served/EKUs:
     - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
     - Client Authentication 1.3.6.1.5.5.7.3.2
   - Test websites: N/A

Existing Publicly Trusted Root CAs from SSL.com:

1. SSL.com EV Root Certification Authority ECC:
   - Certificate download links: (CA Repository <https://www.ssl.com/repository/SSLcom-RootCAs.zip>, crt.sh <https://crt.sh/?q=22A2C1F7BDED704CC1E701B5F408C310880FE956B5DE2A4A44F99C873A25A7C8>)
   - Use cases served/EKUs:
     - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
     - Code Signing 1.3.6.1.5.5.7.3.3
     - Time Stamping 1.3.6.1.5.5.7.3.8
   - Certificate corpus: here <https://search.censys.io/certificates-legacy?q=22A2C1F7BDED704CC1E701B5F408C310880FE956B5DE2A4A44F99C873A25A7C8> (login required)
   - Included in: Apple, Chrome, Microsoft, and Mozilla

2. SSL.com EV Root Certification Authority RSA R2:
   - Certificate download links: (CA Repository <https://www.ssl.com/repository/SSLcom-RootCAs.zip>, crt.sh <https://crt.sh/?q=2E7BF16CC22485A7BBE2AA8696750761B0AE39BE3B2FE9D0CC6D4EF73491425C>)
   - Use cases served/EKUs:
     - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
     - Code Signing 1.3.6.1.5.5.7.3.3
     - Time Stamping 1.3.6.1.5.5.7.3.8
   - Certificate corpus: here <https://search.censys.io/certificates-legacy?q=2E7BF16CC22485A7BBE2AA8696750761B0AE39BE3B2FE9D0CC6D4EF73491425C> (login required)
   - Included in: Apple, Chrome, Microsoft, and Mozilla

3. SSL.com Root Certification Authority ECC:
   - Certificate download links: (CA Repository <https://www.ssl.com/repository/SSLcom-RootCAs.zip>, crt.sh <https://crt.sh/?q=3417BB06CC6007DA1B961C920B8AB4CE3FAD820E4AA30B9ACBC4A74EBDCEBC65>)
   - Use cases served/EKUs:
     - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
     - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
     - Client Authentication 1.3.6.1.5.5.7.3.2
     - Code Signing 1.3.6.1.5.5.7.3.3
     - Document Signing AATL 1.2.840.113583.1.1.5
     - Document Signing MS 1.3.6.1.4.1.311.10.3.12
   - Certificate corpus: here <https://search.censys.io/certificates-legacy?q=%203417BB06CC6007DA1B961C920B8AB4CE3FAD820E4AA30B9ACBC4A74EBDCEBC65> (login required)
   - Included in: Apple, Chrome, Microsoft, and Mozilla

4. SSL.com Root Certification Authority RSA:
   - Certificate download links: (CA Repository <https://www.ssl.com/repository/SSLcom-RootCAs.zip>, crt.sh <https://crt.sh/?q=85666A562EE0BE5CE925C1D8890A6F76A87EC16D4D7D5F29EA7419CF20123B69>)
   - Use cases served/EKUs:
     - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
     - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
     - Client Authentication 1.3.6.1.5.5.7.3.2
     - Code Signing 1.3.6.1.5.5.7.3.3
     - Document Signing AATL 1.2.840.113583.1.1.5
     - Document Signing MS 1.3.6.1.4.1.311.10.3.12
     - Time Stamping 1.3.6.1.5.5.7.3.8
   - Certificate corpus: here <https://search.censys.io/certificates-legacy?q=85666A562EE0BE5CE925C1D8890A6F76A87EC16D4D7D5F29EA7419CF20123B69> (login required)
   - Included in: Apple, Chrome, Microsoft, and Mozilla

Relevant Policy and Practices Documentation:

The following apply to all four (4) applicant root CAs:

- https://legal.ssl.com/documents/SSLcom-CP-CPS-v1.16.pdf

Most Recent Self-Assessment:

The following apply to all four (4) applicant root CAs:

- https://bugzilla.mozilla.org/attachment.cgi?id=9302401 (completed 11/7/2022)

Audit Statements:

- Auditor: BDO International Limited <https://www.bdo.com/> (enrolled <https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international> through WebTrust)
- Audit Criteria: WebTrust
- Date of Audit Issuance: 9/27/2022
- For Period Ending: 6/30/2022
- Audit Statement(s):
  - Standard Audit <https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=f8559916-8dae-43bb-a3f3-2c8b27315707> (covers all four (4) applicant root CAs)
  - BR (SSL) Audit <https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=46752846-7d64-424d-bdf4-9aba8564e584> (covers all four (4) applicant root CAs)
  - EV SSL Audit <https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=adbc8c7c-930a-4dee-bcbf-b927ae2c5b3a> (only covers “SSL.com TLS RSA Root CA 2022” and “SSL.com TLS ECC Root CA 2022”)

Incident Summary (Bugzilla incidents from previous 24 months):

- 1790693 <https://bugzilla.mozilla.org/show_bug.cgi?id=1790693>: SSL.com: Issuance of 1 EV TLS certificate using a Registration/Incorporation Agency not included in our approved public list.
- 1800753 <https://bugzilla.mozilla.org/show_bug.cgi?id=1800753>: SSL.com: Delayed revocation of certificate with weak key
- 1719916 <https://bugzilla.mozilla.org/show_bug.cgi?id=1719916>: SSL.com: Issuance of an EV TLS certificate with incorrect O Field Value
- 1722089 <https://bugzilla.mozilla.org/show_bug.cgi?id=1722089>: SSL.com: Issuance of 3 EV TLS certificates without 2-person validation of the organization information
- 1724520 <https://bugzilla.mozilla.org/show_bug.cgi?id=1724520>: SSL.com: Incorrect Domain Validation for 1 TLS certificate with FQDN having "www." string within domain labels
- 1750631 <https://bugzilla.mozilla.org/show_bug.cgi?id=1750631>: SSL.com: Issuance of TLS certificates with validation methods prohibited by SC-45
- 1752636 <https://bugzilla.mozilla.org/show_bug.cgi?id=1752636>: SSL.com: Delayed revocation of 53 certificates affected by bug #1750631

Thank you,
Chris, on behalf of the CCADB Steering Committee
