All, This email commences a public discussion period that will run through Friday, January 10, 2025. This is regarding the issuance of S/MIME certificates by Cybertrust Japan (CTJ) under an externally-operated subordinate CA issued by SECOM (*see *Mozilla Root Store Policy, Section 8.4 <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#84-externally-operated-subordinate-cas>).
Both SECOM and CTJ are included as CA owners/operators in one or more root stores, but CTJ does not currently have any of its own root certificates enabled for S/MIME issuance. (In the new year, we will commence a 6-week discussion period for the CTJ *SecureSign Root CA16* <https://crt.sh/?sha256=4C1CCD24F17E950FC18536B33CAFE32293CFC33E8467B41E1C693055D7F513BF>*, *which CTJ has submitted for inclusion as a root certificate for S/MIME issuance.) The purpose of this public discussion is to promote openness and transparency. Each Root Store makes its inclusion decisions independently, on its own timelines, and based on its own inclusion criteria. Successful completion of this public discussion process does not guarantee any favorable action by any root store. Anyone with concerns or questions is urged to raise them on this CCADB Public list by replying directly to this discussion thread. Representatives of SECOM or CTJ, as the case may be, will respond directly in this thread to all questions that are posted. *However, please note that due to internationally-recognized holidays, some responses may be delayed.* *Request Details:* *Bugzilla Case Number: *# 1933132 <https://bugzilla.mozilla.org/show_bug.cgi?id=1933132> - SECOM’s Request re: Cybertrust Japan SureMail CA G5 (Note that signing/issuance of the external Sub CA can occur before completion of public discussion and root store approval, as long as the external Sub CA does not issue end entity certificates.) *Organization Background:* - *Owner/Operator of External Sub-CA:* Cybertrust Japan Co., Ltd. - *Website:* https://www.cybertrust.co.jp/ - *Address:* ARK Hills Sengokuyama Mori Tower 35F, 1-9-10 Roppongi, Minato-ku, Tokyo, 106-0032 - *Problem Reporting Mechanisms:* [email protected] - *Organization Type:* Private Corporation - *Repository URL (Cybertrust Japan SureMail CA G5 (SECOM Subordinate CA)):* https://www.cybertrust.ne.jp/ssl/repository/ *Certificate Requested for Approval:* *Cybertrust Japan SureMail CA G5 (SECOM Subordinate CA):* - *Root CA:* SECOM’s Security Communication RootCA2 <https://crt.sh/?SHA256=513B2CECB810D4CDE5DD85391ADFC6C2DD60D87BB736D2B521484AA47A0EBEF6> - *Certificate profile:* https://bugzilla.mozilla.org/attachment.cgi?id=9439631 (.xlsx) - *Use cases served/EKUs:* Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4 *Existing Publicly Trusted CAs from SECOM and CTJ:* SECOM and CTJ already have several root CAs included in root stores. The requested subordinate CA represent CTJ’s efforts to realize S/MIME issuance capabilities. SECOM confirms that it has reviewed and validated CTJ’s policy and audit documentation. *Relevant Policy and Practices Documentation:* - *CTJ S/MIME Certificate Policy **(CP)* https://www.cybertrust.ne.jp/ssl/repository/SMCP_English.pdf - *CTJ Certification Practice Statement (**CPS):* https://www.cybertrust.ne.jp/ssl/repository/CTJCPS_English.pdf (Version 1.10) *Most Recent Self-Assessments:* - *Cybertrust Japan SureMail CA G5 (SECOM Subordinate CA)**:* Assessment of CTJ in Bugzilla Attachment #9439634 <https://bugzilla.mozilla.org/attachment.cgi?id=9439634> (.xlsx) (completed Sept. 24, 2024) *Audit Statements:* - *Auditor:* KPMG - *Audit Criteria:* WebTrust - *Recent Audit Statements:* https://bugzilla.mozilla.org/attachment.cgi?id=9439632 *Incident Summary:* SECOM has previously reported two incidents in Bugzilla related to CTJ. In both cases, SECOM and CTJ worked together promptly to investigate and address the issues, taking swift action, and successfully closing them. - SECOM: EV certificate mis-issued with the incorrect Registration Number by CTJ https://bugzilla.mozilla.org/show_bug.cgi?id=1805866 - SECOM: CTJ failed to make an annual CPS update https://bugzilla.mozilla.org/show_bug.cgi?id=1769222 Also, please let me know if you have any questions concerning this process. Thank you, Ben Wilson -- You received this message because you are subscribed to the Google Groups "CCADB Public" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/ccadb.org/d/msgid/public/CA%2B1gtaadoFAZPiJZGu_H3S27vNt1aNcfFOQNOPhSR9LRwkS3fg%40mail.gmail.com.
