Replying from Cybertrust Japan.

Jeremy,
Thank you for your comment.  We are going to use pkilint and zlint for pre-issuance 
lint testing for CA G5, which is in the scope of this public discussion, when we start 
issuing subscriber certificates.  In fact, we are using those linters for G4, 
which is also an S/MIME CA and had been issuing production EE certificates.

Best regards,
Mo (Masar)

________________________________
From: [email protected] <[email protected]> on behalf of Jeremy Rowley <[email protected]>
Sent: Saturday, December 21, 2024 1:03:47 AM
To: CCADB Public <[email protected]>
CC: Ben Wilson <[email protected]>
Subject: Re: Public Discussion of SECOM Externally-Operated S/MIME CA

Hi Ben - one idea is to require all externally operated ICAs to use a linter, 
even if SMIME. Although CTJ is a well-known industry entity, I don't think it 
hurts to require them to pre-lint all SMIME certs before issuing using 
something like pkilint or adding metalint.

On Wednesday, December 18, 2024 at 12:09:06 PM UTC-7 Ben Wilson wrote:

All,

This email commences a public discussion period that will run through Friday, 
January 10, 2025. This is regarding the issuance of S/MIME certificates by 
Cybertrust Japan (CTJ) under an externally-operated subordinate CA issued by 
SECOM (see Mozilla Root Store Policy, Section 
8.4<https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#84-externally-operated-subordinate-cas>).

Both SECOM and CTJ are included as CA owners/operators in one or more root 
stores, but CTJ does not currently have any of its own root certificates 
enabled for S/MIME issuance. (In the new year, we will commence a 6-week 
discussion period for the CTJ SecureSign Root 
CA16<https://crt.sh/?sha256=4C1CCD24F17E950FC18536B33CAFE32293CFC33E8467B41E1C693055D7F513BF>,
 which CTJ has submitted for inclusion as a root certificate for S/MIME 
issuance.)

The purpose of this public discussion is to promote openness and transparency. 
Each Root Store makes its inclusion decisions independently, on its own 
timelines, and based on its own inclusion criteria. Successful completion of 
this public discussion process does not guarantee any favorable action by any 
root store.

Anyone with concerns or questions is urged to raise them on this CCADB Public 
list by replying directly to this discussion thread. Representatives of SECOM 
or CTJ, as the case may be, will respond directly in this thread to all 
questions that are posted.  However, please note that due to 
internationally-recognized holidays, some responses may be delayed.


Request Details:

Bugzilla Case Number: #1933132<https://bugzilla.mozilla.org/show_bug.cgi?id=1933132> - SECOM’s Request 
re: Cybertrust Japan SureMail CA G5

(Note that signing/issuance of the external Sub CA can occur before completion 
of public discussion and root store approval, as long as the external Sub CA 
does not issue end entity certificates.)


Organization Background:

  *   Owner/Operator of External Sub-CA:  Cybertrust Japan Co., Ltd.
  *   Website: https://www.cybertrust.co.jp/
  *   Address: ARK Hills Sengokuyama Mori Tower 35F, 1-9-10 Roppongi, 
Minato-ku, Tokyo, 106-0032
  *   Problem Reporting Mechanisms:  [email protected]
  *   Organization Type: Private Corporation
  *   Repository URL (Cybertrust Japan SureMail CA G5 (SECOM Subordinate CA)):

https://www.cybertrust.ne.jp/ssl/repository/


Certificate Requested for Approval:

Cybertrust Japan SureMail CA G5 (SECOM Subordinate CA):

  *   Root CA:  SECOM’s Security Communication 
RootCA2<https://crt.sh/?SHA256=513B2CECB810D4CDE5DD85391ADFC6C2DD60D87BB736D2B521484AA47A0EBEF6>
  *   Certificate profile:  
https://bugzilla.mozilla.org/attachment.cgi?id=9439631 (.xlsx)
  *   Use cases served/EKUs:

Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4


Existing Publicly Trusted CAs from SECOM and CTJ:

SECOM and CTJ already have several root CAs included in root stores. The 
requested subordinate CA represents CTJ’s efforts to realize S/MIME issuance 
capabilities. SECOM confirms that it has reviewed and validated CTJ’s policy 
and audit documentation.


Relevant Policy and Practices Documentation:

  *   CTJ S/MIME Certificate Policy (CP)

https://www.cybertrust.ne.jp/ssl/repository/SMCP_English.pdf

  *   CTJ Certification Practice Statement (CPS):

https://www.cybertrust.ne.jp/ssl/repository/CTJCPS_English.pdf (Version 1.10)


Most Recent Self-Assessments:

  *   Cybertrust Japan SureMail CA G5 (SECOM Subordinate CA):

 Assessment of CTJ in Bugzilla Attachment 
#9439634<https://bugzilla.mozilla.org/attachment.cgi?id=9439634> (.xlsx) 
(completed Sept. 24, 2024)


Audit Statements:

  *   Auditor: KPMG
  *   Audit Criteria: WebTrust
  *   Recent Audit Statements:

    https://bugzilla.mozilla.org/attachment.cgi?id=9439632


Incident Summary:

SECOM has previously reported two incidents in Bugzilla related to CTJ. In both 
cases, SECOM and CTJ worked together promptly to investigate and address the 
issues, taking swift action, and successfully closing them.

  *   SECOM: EV certificate mis-issued with the incorrect Registration Number 
by CTJ  
https://bugzilla.mozilla.org/show_bug.cgi?id=1805866
  *   SECOM: CTJ failed to make an annual CPS update 
https://bugzilla.mozilla.org/show_bug.cgi?id=1769222



Also, please let me know if you have any questions concerning this process.


Thank you,

Ben Wilson

--
You received this message because you are subscribed to the Google Groups 
"CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected]<mailto:[email protected]>.
To view this discussion visit 
https://groups.google.com/a/ccadb.org/d/msgid/public/fdfd03a1-fb43-4935-b86b-978ef597c99bn%40ccadb.org<https://groups.google.com/a/ccadb.org/d/msgid/public/fdfd03a1-fb43-4935-b86b-978ef597c99bn%40ccadb.org?utm_medium=email&utm_source=footer>.
