On December 18, 2024, we began a public discussion period regarding the issuance of S/MIME certificates by Cybertrust Japan (CTJ) under an externally-operated subordinate CA issued by SECOM, as detailed in Bugzilla Case #1933132 <https://bugzilla.mozilla.org/show_bug.cgi?id=1933132>. This discussion concluded on January 10, 2025.
*Summary of Discussion* *Discussion Item #1*: Use of Linters for Pre-Issuance Testing Jeremy Rowley suggested that all externally operated ICAs be required to use pre-issuance linting tools, such as pkilint or metalint, for S/MIME certificates to ensure compliance. Masaru Sakamoto, representing Cybertrust Japan, confirmed that they will use pkilint and zlint for pre-issuance linting for Cybertrust Japan SureMail CA G5. He also shared that they already use these linters for their existing S/MIME CA, G4, which has issued production end-entity certificates. No additional comments or objections were raised during the discussion period. *Next Steps* We thank you for your review, comments, and participation during this public discussion period. Root Store Programs will independently make further decisions based on their respective policies, timelines, and criteria. Any further discussion may occur in independently managed Root Store community forums, such as MDSP. Thank you, Ben Wilson On Thu, Jan 9, 2025 at 12:31 PM 'Ben Wilson' via CCADB Public < [email protected]> wrote: > Just a reminder that the public discussion period for this closes tomorrow. > > On Saturday, December 21, 2024 at 1:53:49 AM UTC-7 > [email protected] wrote: > >> Replying from Cybertrust Japan. >> >> >> >> Jeremy, >> Thank you for comment. We are going to use pkilint and zlint for >> pre-issuance lint tesitng for CA G5 that is a scope of this public >> discussion when start issuing subscriber certificates. In fact, we are >> using those linters for G4, that is also a S/MIME CA and had been issuing >> production EE certificate. >> >> >> >> Best regards, >> >> Mo (Masar) >> >> >> ------------------------------ >> *差出人:* [email protected] <[email protected]> が Jeremy Rowley < >> [email protected]> の代理で送信 >> *送信日時:* Saturday, December 21, 2024 1:03:47 AM >> *宛先:* CCADB Public <[email protected]> >> *CC:* Ben Wilson <[email protected]> >> *件名:* Re: Public Discussion of SECOM Externally-Operated S/MIME CA >> >> Hi Ben - one idea is to require all externally operated ICAs to use a >> linter, even of SMIME. Although CTJ is a well-known industry entity, I >> don't think it hurts to require them to pre-lint all SMIME certs before >> issuing using something like pkilint or adding metalint. >> >> On Wednesday, December 18, 2024 at 12:09:06 PM UTC-7 Ben Wilson wrote: >> >> All, >> >> This email commences a public discussion period that will run through >> Friday, January 10, 2025. This is regarding the issuance of S/MIME >> certificates by Cybertrust Japan (CTJ) under an externally-operated >> subordinate CA issued by SECOM (*see *Mozilla Root Store Policy, Section >> 8.4 >> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#84-externally-operated-subordinate-cas>). >> >> >> Both SECOM and CTJ are included as CA owners/operators in one or more >> root stores, but CTJ does not currently have any of its own root >> certificates enabled for S/MIME issuance. (In the new year, we will >> commence a 6-week discussion period for the CTJ *SecureSign Root CA16* >> <https://crt.sh/?sha256=4C1CCD24F17E950FC18536B33CAFE32293CFC33E8467B41E1C693055D7F513BF>*, >> *which CTJ has submitted for inclusion as a root certificate for S/MIME >> issuance.) >> >> The purpose of this public discussion is to promote openness and >> transparency. Each Root Store makes its inclusion decisions independently, >> on its own timelines, and based on its own inclusion criteria. Successful >> completion of this public discussion process does not guarantee any >> favorable action by any root store. >> >> Anyone with concerns or questions is urged to raise them on this CCADB >> Public list by replying directly to this discussion thread. Representatives >> of SECOM or CTJ, as the case may be, will respond directly in this thread >> to all questions that are posted. *However, please note that due to >> internationally-recognized holidays, some responses may be delayed.* >> >> >> *Request Details:* >> >> *Bugzilla Case Number: *# 1933132 >> <https://bugzilla.mozilla.org/show_bug.cgi?id=1933132> - SECOM’s Request >> re: Cybertrust Japan SureMail CA G5 >> >> (Note that signing/issuance of the external Sub CA can occur before >> completion of public discussion and root store approval, as long as the >> external Sub CA does not issue end entity certificates.) >> >> >> *Organization Background:* >> >> - *Owner/Operator of External Sub-CA:* Cybertrust Japan Co., Ltd. >> - *Website:* https://www.cybertrust.co.jp/ >> - *Address:* ARK Hills Sengokuyama Mori Tower 35F, 1-9-10 Roppongi, >> Minato-ku, Tokyo, 106-0032 >> - *Problem Reporting Mechanisms:* [email protected] >> - *Organization Type:* Private Corporation >> - *Repository URL (Cybertrust Japan SureMail CA G5 (SECOM Subordinate >> CA)):* >> >> https://www.cybertrust.ne.jp/ssl/repository/ >> >> >> *Certificate Requested for Approval:* >> >> *Cybertrust Japan SureMail CA G5 (SECOM Subordinate CA):* >> >> - *Root CA:* SECOM’s Security Communication RootCA2 >> >> <https://crt.sh/?SHA256=513B2CECB810D4CDE5DD85391ADFC6C2DD60D87BB736D2B521484AA47A0EBEF6> >> - *Certificate profile:* >> https://bugzilla.mozilla.org/attachment.cgi?id=9439631 (.xlsx) >> - *Use cases served/EKUs:* >> >> Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4 >> >> >> *Existing Publicly Trusted CAs from SECOM and CTJ:* >> >> SECOM and CTJ already have several root CAs included in root stores. The >> requested subordinate CA represent CTJ’s efforts to realize S/MIME issuance >> capabilities. SECOM confirms that it has reviewed and validated CTJ’s >> policy and audit documentation. >> >> >> *Relevant Policy and Practices Documentation:* >> >> - *CTJ S/MIME Certificate Policy **(CP)* >> >> https://www.cybertrust.ne.jp/ssl/repository/SMCP_English.pdf >> >> - *CTJ Certification Practice Statement (**CPS):* >> >> https://www.cybertrust.ne.jp/ssl/repository/CTJCPS_English.pdf (Version >> 1.10) >> >> >> *Most Recent Self-Assessments:* >> >> - *Cybertrust Japan SureMail CA G5 (SECOM Subordinate CA)**:* >> >> Assessment of CTJ in Bugzilla Attachment #9439634 >> <https://bugzilla.mozilla.org/attachment.cgi?id=9439634> (.xlsx) >> (completed Sept. 24, 2024) >> >> >> *Audit Statements:* >> >> - *Auditor:* KPMG >> - *Audit Criteria:* WebTrust >> - *Recent Audit Statements:* >> >> https://bugzilla.mozilla.org/attachment.cgi?id=9439632 >> >> >> *Incident Summary:* >> >> SECOM has previously reported two incidents in Bugzilla related to CTJ. >> In both cases, SECOM and CTJ worked together promptly to investigate and >> address the issues, taking swift action, and successfully closing them. >> >> - SECOM: EV certificate mis-issued with the incorrect Registration >> Number by CTJ >> https://bugzilla.mozilla.org/show_bug.cgi?id=1805866 >> - SECOM: CTJ failed to make an annual CPS update >> https://bugzilla.mozilla.org/show_bug.cgi?id=1769222 >> >> >> >> Also, please let me know if you have any questions concerning this >> process. >> >> >> Thank you, >> >> >> Ben Wilson >> >> -- >> You received this message because you are subscribed to the Google Groups >> "CCADB Public" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion visit >> https://groups.google.com/a/ccadb.org/d/msgid/public/fdfd03a1-fb43-4935-b86b-978ef597c99bn%40ccadb.org >> <https://groups.google.com/a/ccadb.org/d/msgid/public/fdfd03a1-fb43-4935-b86b-978ef597c99bn%40ccadb.org?utm_medium=email&utm_source=footer> >> . >> > -- > You received this message because you are subscribed to the Google Groups > "CCADB Public" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/a/ccadb.org/d/msgid/public/d3d11d05-088d-4533-8bcf-d56149b23852n%40ccadb.org > <https://groups.google.com/a/ccadb.org/d/msgid/public/d3d11d05-088d-4533-8bcf-d56149b23852n%40ccadb.org?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "CCADB Public" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/ccadb.org/d/msgid/public/CA%2B1gtabkhoxXSOMSnHRJCPgZwdnnzhr87iDp3JXCYH-x418FxA%40mail.gmail.com.
