As per the CA Schedule at https://wiki.mozilla.org/CA:Schedule TC TrustCenter is the next request in the queue for public discussion.
TC TrustCenter (a commercial company based in Germany, with customers in all major regions of the world) has applied to add four root CA certificates to the Mozilla root store, as documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=392024
and in the pending certificates list here:
http://www.mozilla.org/projects/security/certs/pending/#TC%20TrustCenter

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=362354

Some quick comments regarding noteworthy points:

* The TC TrustCenter Class 1 CA root has four internally-operated subordinate CAs which issue certificates for email and SSL client authentication. Only the email trust bit is requested for this root. Note that this root is 1024 bit and it expires in January, 2011. TC TrustCenter will phase out this root before the end of 2010. This root will be effectively replaced by TC TrustCenter Universal CA I. They are still requesting inclusion of this root because there are many customers who are using certificates chained to this root for secure email with Thunderbird.

* The TC TrustCenter Class 2 CA II root has two internally-operated subordinate CAs which issue certificates for SSL, email, and code signing. The request is to enable all three trust bits for this root. This root is RSA 2048 bit. The SSL certificates chaining up to this root are OV.

* The TC TrustCenter Class 3 CA II root has one internally-operated subordinate CA which issues certificates for SSL, email, and code signing. The request is to enable all three trust bits for this root. This root is RSA 2048 bit. The SSL certificates chaining up to this root are OV.

* The TC TrustCenter Universal CA I root has been introduced to reduce the number of root certificates in the trusted root stores. This root will have internally-operated subordinate CAs for each registration strength. “Class 1”, “Class 2”, “Class 3” and “Class 4” represent the registration strength. This root currently has one Class 3 subordinate CA. Over time this root will have more “TC Class x” subordinate CA certificates. The request is to enable all three trust bits for this root. This root is RSA 2048 bit. The SSL certificates chaining up to this root are OV.

* One other root, TC TrustCenter Universal II, had been included in the original request, but this root is not yet operational and has not been covered by an audit. Therefore the request to include the Universal II root has been postponed for now, and shall not be part of this discussion.

* There are currently no subordinate CAs that are operated by third parties. However, the CAs could have sub-CAs in which a third party has ownership/control of the sub-CA key pair and CA. If TC TrustCenter issues a Sub-CA certificate to a third party then there will be contractual agreements in place requiring the third party to adhere to the requirements of the applicable CPS. The entry "Path length" in the "Basic constraints" extension (marked as critical) is set to 0. So they cannot use their own subordinates. From TC TrustCenter: We do not sign subordinates for public SSL provider use. The root can only be used by Enterprises that pass our tests and plan to issue for internal, corporate purposes, typically S/MIME and authentication. To date, we have not encountered any problems with our subordinates.

* The Certification Practice Statement and the Certificate Policy Definitions documents have been provided in English.

* Both CRL and OCSP are provided.

* These roots have been audited by TÜV-IT, a German inspection agency focused on assessing, testing and certifying IT products, systems and processes. The most recent ETSI 102 042 certificate was issued on 2/11/2009, and is posted on the TÜV-IT website.

This begins the one-week discussion period. After that week, I will provide a summary of issues noted and action items. If there are no outstanding issues, then this request can be approved for inclusion. If there are outstanding issues or action items, then an additional discussion may be needed as follow-up.

Kathleen

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
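The post's remark that the "Path length" entry of the critical Basic Constraints extension is set to 0, so that a sub-CA "cannot use their own subordinates", is the pathLenConstraint mechanism of RFC 5280. The following is an added example written for this page, not code from the post, from Mozilla or from TC TrustCenter. It decodes a DER BasicConstraints value and applies the path-length steps of RFC 5280 section 6.1.4 (k, l, m) to a whole chain, so it covers the general case (pathLen 0, 1 or absent at any position), not only the pathLen=0 sub-CA the post mentions. All DER values are constructed here for illustration; no real certificate is parsed. One stated assumption: the trust anchor's own pathLenConstraint is used as the initial bound, which RFC 5280 section 6.2 leaves to local policy; self-issued intermediates (which would not consume a path-length step) are not modelled.

```python
# Added example (not from the original post): RFC 5280 pathLenConstraint
# handling over hand-built DER BasicConstraints values.
from typing import Dict, List, Optional, Tuple


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag, value, pos + length


def parse_basic_constraints(der: bytes) -> Tuple[bool, Optional[int]]:
    """Decode BasicConstraints ::= SEQUENCE {
           cA                BOOLEAN DEFAULT FALSE,
           pathLenConstraint INTEGER (0..MAX) OPTIONAL }
    Returns (ca, path_len); path_len is None when the field is absent."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("BasicConstraints must be a single SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:          # BOOLEAN cA
        _, v, pos = _read_tlv(body, pos)
        if v != b"\xff":  # DER: TRUE is 0xFF; FALSE must be omitted (DEFAULT)
            raise ValueError("non-DER BOOLEAN in BasicConstraints")
        ca = True
    if pos < len(body) and body[pos] == 0x02:          # INTEGER pathLen
        _, v, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(v, "big", signed=True)
        if path_len < 0:
            raise ValueError("negative pathLenConstraint")
    if pos != len(body):
        raise ValueError("trailing data in BasicConstraints")
    if path_len is not None and not ca:                 # RFC 5280 4.2.1.9
        raise ValueError("pathLenConstraint requires cA TRUE")
    return ca, path_len


def check_path_length(chain: List[bytes]) -> Tuple[bool, str]:
    """chain = BasicConstraints values, trust anchor first, end-entity last.
    Assumption of this example: the anchor's pathLenConstraint is honoured
    (RFC 5280 6.2 leaves that to local policy); no self-issued intermediates."""
    if len(chain) < 2:
        return False, "need at least a trust anchor and one certificate"
    anchor_ca, anchor_len = parse_basic_constraints(chain[0])
    if not anchor_ca:
        return False, "trust anchor is not a CA"
    max_path_length = len(chain) - 1              # certificates below anchor
    if anchor_len is not None:
        max_path_length = min(max_path_length, anchor_len)
    for i, der in enumerate(chain[1:-1], start=1):  # intermediates only
        ca, path_len = parse_basic_constraints(der)
        if not ca:                                       # step (k)
            return False, f"cert {i} is not a CA but issued cert {i + 1}"
        if max_path_length <= 0:                         # step (l)
            return False, f"cert {i} exceeds its issuer's pathLenConstraint"
        max_path_length -= 1
        if path_len is not None and path_len < max_path_length:  # step (m)
            max_path_length = path_len
    return True, "path length constraints satisfied"


# Constructed DER values (not taken from any real certificate):
CA_PATHLEN_0 = bytes.fromhex("3006 0101ff 020100")  # cA=TRUE, pathLen=0
CA_PATHLEN_1 = bytes.fromhex("3006 0101ff 020101")  # cA=TRUE, pathLen=1
CA_UNBOUNDED = bytes.fromhex("3003 0101ff")         # cA=TRUE, no pathLen
END_ENTITY = bytes.fromhex("3000")                  # cA=FALSE (default)


def demo() -> Dict[str, bool]:
    """Which chain shapes a pathLenConstraint permits."""
    cases = {
        "root(pathLen=0) -> leaf": [CA_PATHLEN_0, END_ENTITY],
        "root(pathLen=0) -> sub-CA -> leaf": [CA_PATHLEN_0, CA_UNBOUNDED, END_ENTITY],
        "root -> sub-CA(pathLen=0) -> leaf": [CA_UNBOUNDED, CA_PATHLEN_0, END_ENTITY],
        "root -> sub-CA(pathLen=0) -> sub-sub-CA -> leaf":
            [CA_UNBOUNDED, CA_PATHLEN_0, CA_UNBOUNDED, END_ENTITY],
        "root(pathLen=1) -> sub-CA -> leaf": [CA_PATHLEN_1, CA_UNBOUNDED, END_ENTITY],
        "root(pathLen=1) -> sub-CA -> sub-sub-CA -> leaf":
            [CA_PATHLEN_1, CA_UNBOUNDED, CA_UNBOUNDED, END_ENTITY],
        "root -> non-CA -> leaf": [CA_UNBOUNDED, END_ENTITY, END_ENTITY],
    }
    return {name: check_path_length(c)[0] for name, c in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

A sub-CA with pathLen=0 can still issue end-entity certificates, so the constraint stops a third party from creating further CAs but does not by itself restrict what end-entity certificates it can sign; that is why the post pairs it with contractual CPS obligations and, in TC TrustCenter's words, with an enterprise-only issuance policy.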