Just a reminder that the public discussion period for this closes tomorrow.
On Saturday, December 21, 2024 at 1:53:49 AM UTC-7 [email protected] wrote:

> Replying from Cybertrust Japan.
>
> Jeremy,
>
> Thank you for comment. We are going to use pkilint and zlint for pre-issuance lint testing for CA G5 that is a scope of this public discussion when start issuing subscriber certificates. In fact, we are using those linters for G4, that is also a S/MIME CA and had been issuing production EE certificate.
>
> Best regards,
>
> Mo (Masar)
>
> ------------------------------
> *From:* [email protected] <[email protected]> on behalf of Jeremy Rowley <[email protected]>
> *Sent:* Saturday, December 21, 2024 1:03:47 AM
> *To:* CCADB Public <[email protected]>
> *CC:* Ben Wilson <[email protected]>
> *Subject:* Re: Public Discussion of SECOM Externally-Operated S/MIME CA
>
> Hi Ben - one idea is to require all externally operated ICAs to use a linter, even of SMIME. Although CTJ is a well-known industry entity, I don't think it hurts to require them to pre-lint all SMIME certs before issuing using something like pkilint or adding metalint.
>
> On Wednesday, December 18, 2024 at 12:09:06 PM UTC-7 Ben Wilson wrote:
>
> > All,
> >
> > This email commences a public discussion period that will run through Friday, January 10, 2025. This is regarding the issuance of S/MIME certificates by Cybertrust Japan (CTJ) under an externally-operated subordinate CA issued by SECOM (*see* Mozilla Root Store Policy, Section 8.4 <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#84-externally-operated-subordinate-cas>).
> >
> > Both SECOM and CTJ are included as CA owners/operators in one or more root stores, but CTJ does not currently have any of its own root certificates enabled for S/MIME issuance. (In the new year, we will commence a 6-week discussion period for the CTJ *SecureSign Root CA16* <https://crt.sh/?sha256=4C1CCD24F17E950FC18536B33CAFE32293CFC33E8467B41E1C693055D7F513BF>, which CTJ has submitted for inclusion as a root certificate for S/MIME issuance.)
> >
> > The purpose of this public discussion is to promote openness and transparency. Each Root Store makes its inclusion decisions independently, on its own timelines, and based on its own inclusion criteria. Successful completion of this public discussion process does not guarantee any favorable action by any root store.
> >
> > Anyone with concerns or questions is urged to raise them on this CCADB Public list by replying directly to this discussion thread. Representatives of SECOM or CTJ, as the case may be, will respond directly in this thread to all questions that are posted. *However, please note that due to internationally-recognized holidays, some responses may be delayed.*
> >
> > *Request Details:*
> >
> > *Bugzilla Case Number:* #1933132 <https://bugzilla.mozilla.org/show_bug.cgi?id=1933132> - SECOM’s Request re: Cybertrust Japan SureMail CA G5
> >
> > (Note that signing/issuance of the external Sub CA can occur before completion of public discussion and root store approval, as long as the external Sub CA does not issue end entity certificates.)
> >
> > *Organization Background:*
> >
> > - *Owner/Operator of External Sub-CA:* Cybertrust Japan Co., Ltd.
> > - *Website:* https://www.cybertrust.co.jp/
> > - *Address:* ARK Hills Sengokuyama Mori Tower 35F, 1-9-10 Roppongi, Minato-ku, Tokyo, 106-0032
> > - *Problem Reporting Mechanisms:* [email protected]
> > - *Organization Type:* Private Corporation
> > - *Repository URL (Cybertrust Japan SureMail CA G5 (SECOM Subordinate CA)):* https://www.cybertrust.ne.jp/ssl/repository/
> >
> > *Certificate Requested for Approval:*
> >
> > *Cybertrust Japan SureMail CA G5 (SECOM Subordinate CA):*
> >
> > - *Root CA:* SECOM’s Security Communication RootCA2 <https://crt.sh/?SHA256=513B2CECB810D4CDE5DD85391ADFC6C2DD60D87BB736D2B521484AA47A0EBEF6>
> > - *Certificate profile:* https://bugzilla.mozilla.org/attachment.cgi?id=9439631 (.xlsx)
> > - *Use cases served/EKUs:* Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
> >
> > *Existing Publicly Trusted CAs from SECOM and CTJ:*
> >
> > SECOM and CTJ already have several root CAs included in root stores. The requested subordinate CA represents CTJ’s efforts to realize S/MIME issuance capabilities. SECOM confirms that it has reviewed and validated CTJ’s policy and audit documentation.
> >
> > *Relevant Policy and Practices Documentation:*
> >
> > - *CTJ S/MIME Certificate Policy (CP):* https://www.cybertrust.ne.jp/ssl/repository/SMCP_English.pdf
> > - *CTJ Certification Practice Statement (CPS):* https://www.cybertrust.ne.jp/ssl/repository/CTJCPS_English.pdf (Version 1.10)
> >
> > *Most Recent Self-Assessments:*
> >
> > - *Cybertrust Japan SureMail CA G5 (SECOM Subordinate CA):* Assessment of CTJ in Bugzilla Attachment #9439634 <https://bugzilla.mozilla.org/attachment.cgi?id=9439634> (.xlsx) (completed Sept. 24, 2024)
> >
> > *Audit Statements:*
> >
> > - *Auditor:* KPMG
> > - *Audit Criteria:* WebTrust
> > - *Recent Audit Statements:* https://bugzilla.mozilla.org/attachment.cgi?id=9439632
> >
> > *Incident Summary:*
> >
> > SECOM has previously reported two incidents in Bugzilla related to CTJ. In both cases, SECOM and CTJ worked together promptly to investigate and address the issues, taking swift action, and successfully closing them.
> >
> > - SECOM: EV certificate mis-issued with the incorrect Registration Number by CTJ
> >   https://bugzilla.mozilla.org/show_bug.cgi?id=1805866
> > - SECOM: CTJ failed to make an annual CPS update
> >   https://bugzilla.mozilla.org/show_bug.cgi?id=1769222
> >
> > Also, please let me know if you have any questions concerning this process.
> >
> > Thank you,
> >
> > Ben Wilson
>
> --
> You received this message because you are subscribed to the Google Groups "CCADB Public" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion visit https://groups.google.com/a/ccadb.org/d/msgid/public/fdfd03a1-fb43-4935-b86b-978ef597c99bn%40ccadb.org.
