Greetings all,

On May 5, 2025, we began a six-week, public discussion on the request from 
SwissSign for inclusion of two root certificates:

    *SwissSign RSA SMIME Root CA 2022 – 1 (S/MIME)*

    *SwissSign RSA TLS Root CA 2022 – 1 (TLS)*

The public discussion period has now ended.

We did not receive any objections or other questions or comments in 
opposition to SwissSign’s request. We thank the community for its review 
and consideration during this period. Root Store Programs will make final 
inclusion decisions independently, on their own timelines, and based on 
each Root Store Member’s inclusion criteria. Further discussion may take 
place in the independently managed Root Store community forums (e.g., 
m-d-s-p).

Sincerely yours,

Ben Wilson, 

on behalf of the CCADB Steering Committee


On Monday, May 5, 2025 at 7:39:39 AM UTC-6 Ben Wilson wrote:

> All,
>
> This email commences a six-week public discussion of SwissSign’s request 
> to include the following certificates as publicly trusted root certificates 
> in one or more CCADB Root Store’s program. This discussion period is 
> scheduled to close on June 16, 2025.
>
> The purpose of this public discussion process is to promote openness and 
> transparency. However, each Root Store makes its inclusion decisions 
> independently, on its own timelines, and based on its own inclusion 
> criteria. Successful completion of this public discussion process does not 
> guarantee any favorable action by any root store.  
>
> Anyone with concerns or questions is urged to raise them on this CCADB 
> Public list by replying directly in this discussion thread. Likewise, a 
> representative of SwissSign must promptly respond directly in the 
> discussion thread to all questions that are posted.
>
> CCADB Case Number: 00001460 
> <https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001460>
>
> Organization Background Information (listed in CCADB):
>
>    - CA Owner Name: SwissSign AG
>    - Website: https://www.swisssign.com/
>    - Address: Sägereistrasse 25, Glattbrugg ZH 8152, Switzerland
>    - Problem Reporting Mechanisms: certific...@swisssign.com;
>      keycom...@swisssign.com
>    - Organization Type: Public Corporation
>    - Repository URL: https://www.swisssign.com/en/support/repository.html
>
> Certificates Requesting Inclusion:
>
>
>    1. SwissSign RSA SMIME Root CA 2022 - 1:
>       - Certificate download links: CA Repository
>         <https://www.swisssign.com/dam/jcr:049189f2-d0e7-4164-a9a4-c0ce4a3eaf77/SwissSign_RSA_SMIME_Root_CA_2022_-_1.pem>
>         / crt.sh <https://crt.sh/?d=7044154542>
>       - SHA-256 Certificate Fingerprint:
>         9A12C392BFE57891A0C545309D4D9FD567E480CB613D6342278B195C79A7931F
>       - Intended use cases served/EKUs:
>          - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
>          - Client Authentication 1.3.6.1.5.5.7.3.2
>       - Reference Certificates:
>         https://repository.swisssign.com/reference_certs/
>
>    2. SwissSign RSA TLS Root CA 2022 - 1:
>       - Certificate download links: CA Repository
>         <https://www.swisssign.com/dam/jcr:d7bff83f-43e3-4adc-84b2-0b694e84e4d5/SwissSign_RSA_TLS_Root_CA_2022_-_1.pem>
>         / crt.sh <https://crt.sh/?d=7044185765>
>       - SHA-256 Certificate Fingerprint:
>         193144F431E0FDDB740717D4DE926A571133884B4360D30E272913CBE660CE41
>       - Intended use cases served/EKUs:
>          - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
>       - Test websites:
>          - Valid: https://ev-rsa-tls-2022-1-valid-cert-demo.swisssign.com
>          - Revoked: https://ev-rsa-tls-2022-1-revoked-cert-demo.swisssign.com
>          - Expired: https://ev-rsa-tls-2022-1-expired-cert-demo.swisssign.com
>          - DV Automation: https://dv-rsa-tls-2022-valid-cert-demo.swisssign.com
>          - OV Automation: https://ov-rsa-tls-2022-valid-cert-demo.swisssign.com
>          - EV Automation: https://ev-rsa-tls-2022-valid-cert-demo.swisssign.com
>
> Existing Publicly Trusted Root CAs from SwissSign:
>
>    1. SwissSign Gold CA - G2:
>       - Certificate download links: (CA Repository
>         <https://swisssign.net/cgi-bin/authority/download/5B257B96A465517EB839F3C078665EE83AE7F0EE.pem>
>         / crt.sh <https://crt.sh/?d=1221>)
>       - SHA-256 Certificate Fingerprint:
>         62DD0BE9B9F50A163EA0F8E75C053B1ECA57EA55C8688F647C6881F2C8357B95
>       - Trust Bits/EKUs:
>          - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
>          - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
>          - Client Authentication 1.3.6.1.5.5.7.3.2
>       - Certificate corpus: (legacy Censys Search
>         <https://search.censys.io/search?resource=certificates&q=62DD0BE9B9F50A163EA0F8E75C053B1ECA57EA55C8688F647C6881F2C8357B95%09+and+labels%3Dever-trusted>
>         login required) (new Censys Platform
>         <https://platform.censys.io/search?q=%28cert.labels+%3D+%22ever-trusted%22%29+and+cert.parsed.issuer.organization+%3D+%22TrustAsia+Technologies%2C+Inc.%22>
>         login required and free accounts may be limited)
>       - Included in: Apple, Google, Microsoft, Mozilla
>
>    2. SwissSign Silver CA - G2:
>       - Certificate download links: (CA Repository
>         <https://swisssign.net/cgi-bin/authority/download/17A0CDC1E441B63A5B3BCB459DBD1CC298FA8658.pem>
>         / crt.sh <https://crt.sh/?d=2953>)
>       - SHA-256 Certificate Fingerprint:
>         BE6C4DA2BBB9BA59B6F3939768374246C3C005993FA98F020D1DEDBED48A81D5
>       - Trust Bits/EKUs:
>          - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
>          - Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4
>          - Client Authentication 1.3.6.1.5.5.7.3.2
>       - Certificate corpus: (legacy Censys Search
>         <https://search.censys.io/search?resource=certificates&q=BE6C4DA2BBB9BA59B6F3939768374246C3C005993FA98F020D1DEDBED48A81D5%09+and+labels%3Dever-trusted>
>         login required) (new Censys Platform
>         <https://platform.censys.io/search?q=%28cert.labels+%3D+%22ever-trusted%22%29+and+cert.parsed.issuer.organization+%3D+%22TrustAsia+Technologies%2C+Inc.%22>
>         login required and free accounts may be limited)
>       - Included in: Apple, Microsoft
>
> Relevant Policy and Practices Documentation:
>
>    - TSPS: https://repository.swisssign.com/SwissSign_TSPS.pdf
>    - TLS CPS: https://repository.swisssign.com/SwissSign_CPS_TLS.pdf
>    - S/MIME CPS: https://repository.swisssign.com/SwissSign_CPS_SMIME.pdf
>    - Other Documents: https://www.swisssign.com/en/support/repository.html
>
> Most Recent Self-Assessment:
>
>    - https://repository.swisssign.com/CCADB_Self_Assessment.xlsx
>
> Audit Statements:
>
>    - Auditor: TÜV Austria
>    - Audit Criteria: ETSI
>    - Recent Audit Statement(s):
>       - TLS Root Key Generation
>         <https://it-tuv.com/wp-content/uploads/2022/07/AA2022070101_SwissSign_PIT_Root_TLS_2022_Audit_Attestation.pdf>
>         (June 28, 2022)
>       - S/MIME Root Key Generation
>         <https://it-tuv.com/wp-content/uploads/2022/07/AA2022070102_SwissSign_PIT_Root_SMIME_2022_Audit_Attestation.pdf>
>         (June 28, 2022)
>       - Standard Audit
>         <https://it-tuv.com/wp-content/uploads/2024/09/AA2024090401_SwissSign_Standard_Audit_V1.0.pdf>
>         (Period: June 17, 2023, to June 14, 2024)
>       - TLS BR Audit
>         <https://it-tuv.com/en/wp-content/uploads/sites/10/2024/09/AA2024090402_SwissSign_TLS-BR_Audit_V2.0.pdf>
>         (Period: June 17, 2023, to June 14, 2024)
>       - TLS EVG Audit
>         <https://it-tuv.com/wp-content/uploads/2024/09/AA2024090403_SwissSign_TLS-EV_Audit_V1.0.pdf>
>         (Period: June 17, 2023, to June 14, 2024)
>       - S/MIME BR Audit
>         <https://it-tuv.com/en/wp-content/uploads/sites/10/2024/09/AA2024090404_SwissSign_SMIME-BR_Audit_V2.0.pdf>
>         (Period: June 17, 2023, to June 14, 2024)
>
> Incident Summary (Bugzilla incidents from previous 24 months):
>
> Audit Finding
>
>    - 1921424: Findings in 2024 Audit
>      <https://bugzilla.mozilla.org/show_bug.cgi?id=1921424>
>
> TLS Misissuance
>
>    - 1894054: MPKI step-up process sets wrong JoI Locality
>      <https://bugzilla.mozilla.org/show_bug.cgi?id=1894054>
>    - 1876771: modified fields were not saved into certificates and resulted
>      in miss-issuance <https://bugzilla.mozilla.org/show_bug.cgi?id=1876771>
>    - 1874196: difference in upper and lower case between CN field and SAN
>      <https://bugzilla.mozilla.org/show_bug.cgi?id=1874196>
>    - 1916489: LDAP URL still in CRL distribution point (CDP)
>      <https://bugzilla.mozilla.org/show_bug.cgi?id=1916489>
>    - 1866091: EV JurisdictionStateOrProvinceName - one certificate not
>      selected for revocation
>      <https://bugzilla.mozilla.org/show_bug.cgi?id=1866091>
>    - 1860750: EV code in JurisdiktionStateOrProvinceName
>      <https://bugzilla.mozilla.org/show_bug.cgi?id=1860750>
>
> S/MIME Misissuance
>
>    - 1914023: S/MIME LCP not-permitted key usage
>      <https://bugzilla.mozilla.org/show_bug.cgi?id=1914023>
>    - 1914020: S/MIME NCP non ASCII symbols in email and SAN field wrong
>      coding <https://bugzilla.mozilla.org/show_bug.cgi?id=1914020>
>    - 1851164: S/MIME wrong key Usage
>      <https://bugzilla.mozilla.org/show_bug.cgi?id=1851164>
>    - 1848854: S/MIME LCP: CN with values other than email address
>      <https://bugzilla.mozilla.org/show_bug.cgi?id=1848854>
>    - 1929189: S/MIME certificates deviate from CPR
>      <https://bugzilla.mozilla.org/show_bug.cgi?id=1929189>
>
> Revocation Delay
>
>    - 1861682: EV delayed revocation
>      <https://bugzilla.mozilla.org/show_bug.cgi?id=1861682>
>    - 1849364: Missed revocation and opening Bugzilla
>      <https://bugzilla.mozilla.org/show_bug.cgi?id=1849364>
>
> Thank you,
>
>
> Ben, on behalf of the CCADB Steering Committee
>
>
