This email announces an intent to include the following three (3) root
certificates as trust anchors with the websites and email trust bits
enabled, and to enable each root for EV as documented in the following
Bugzilla case: https://bugzilla.mozilla.org/show_bug.cgi?id=1528369
This email commences the three-week public discussion period set forth in
https://wiki.mozilla.org/CA/Application_Verification#Public_Discussion.
The three root CA certificates are as follows:
*Trustwave Global Certification Authority* – valid from 23-Aug-2017
SHA2: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
*Trustwave Global ECC P256 Certification Authority* – valid from 23-Aug-2017
SHA2: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
*Trustwave Global ECC P384 Certification Authority* –
SHA2: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
*A Summary of Information Gathered and Verified appears here in the CCADB:*
https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=0392
*Root Certificate Download URLs are as follows:*
https://certs.securetrust.com/CA/TWGCA.txt
https://certs.securetrust.com/CA/TWGP256CA.txt
https://certs.securetrust.com/CA/TWGP384CA.txt
*CP/CPS:* We have reviewed the CPS and provided comments, which were
incorporated into SecureTrust's most recent CPS:
https://certs.securetrust.com/CA/SecureTrustCPS_62.pdf
(Repository location: https://ssl.trustwave.com/CA /
https://certs.securetrust.com/CA/)
*SecureTrust’s BR Self Assessment* is located here:
https://bugzilla.mozilla.org/attachment.cgi?id=9060769
*Audits:* Annual audits are performed by BDO International, Ltd. according
to the WebTrust Standard, BR and EV audit criteria. I have reviewed the
key generation audit report from Grant Thornton and subsequent 2018 and
2019 audit reports for these three roots and determined that there is
continuity (all three are included in WebTrust Standard, BR and EV audits
continuously since CA generation). Minor issues were found by BDO
International, Ltd., as part of the 2019 Baseline Requirements audit.[1]
These issues were addressed in [2], which was closed by Mozilla on
14-Mar-2020.
[1]
https://certs.securetrust.com/CA/2%20-%20SecureTrust%202019%20SSL%20BL%20Report.pdf
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1606031 (BR Audit 2019 -
matters to be resolved)
I ran mis-issuance reports for the three roots with linting to look for
issuance errors and didn’t find any from the three above-mentioned roots.
Other closed CA Incidents for SecureTrust include the following:
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1546776 (Unvalidated
domain in certificate )
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1551374 ("Some-State" in
stateOrProvinceName)
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1600844 (Unconstrained ICA
not included in WTBR audit report)
[6] https://bugzilla.mozilla.org/show_bug.cgi?id=1646711 (Metadata-only
field values in 2 certificates)
This email begins the three-week public discussion period, which will close
on 24-August-2020.
Sincerely yours,
Ben Wilson
Mozilla Root Program
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
