DigiCert is a US-based commercial CA with headquarters in Lindon, UT. DigiCert provides digital certification and identity assurance services internationally to a variety of sectors including business, education, and government.

KPMG Audit Report and Management's Assertions KPMG Report in relation to the WebTrust for Certification Authorities Extended Validation Criteria

CRL http://ocsp.digicert.com OV, EV DigiCert Certificate Policy and Certification Practice Statement (CP and CPS for OV), v3.0.3 DigiCert Certification Practice Statement for Extended Validation Certificates (CPS for EV), v1.0.1 https://bugzilla.mozilla.org/show_bug.cgi?id=364568 https://bugzilla.mozilla.org/show_bug.cgi?id=378162 The Code Signing trust bit was enabled in bugzilla #595013.

CRL http://ocsp.digicert.com OV, EV (policy OID 2.16.840.1.114412.2.1) DigiCert Certificate Policy and Certification Practice Statement (CP and CPS for OV), v3.0.6 DigiCert Certification Practice Statement for Extended Validation Certificates (CPS for EV), v1.0.1 https://bugzilla.mozilla.org/show_bug.cgi?id=364568 https://bugzilla.mozilla.org/show_bug.cgi?id=378162 https://bugzilla.mozilla.org/show_bug.cgi?id=416827 The Code Signing trust bit was enabled in bugzilla #595013.

Firmaprofesional is a commercial CA in Spain that issues certificates to professional corporations, companies and other institutions. Their main activity is the generation, transmission and distribution of digital certificates through professional corporations, companies or other institutions, which act as Registration Authorities and Certification Authorities in the hierarchy of certification Firmaprofesional. Firmaprofesional has a network of more than 70 Registration Authorities located throughout Spain.

Ernst & Young Audit Report and Management’s Assertions

This is a renewal for the Firmaprofesional root certificate that is currently in NSS. Sub-CAs of the new root cross-sign end-entity certs with sub-CAs of the old root, in order to maintain business continuity. This root CA signs subordinate CAs that sign end-entity certificates. One sub-CA is used by Firmaprofesional, and other sub-CAs are issued for organizations including professional corporations, companies or other institutions, which act as Registration Authorities and Certification Authorities in the hierarchy of certification Firmaprofesional.

CRL http://servicios.firmaprofesional.com/ocsp OV Firmaprofesional Document Repository CPS (Spanish) SSL CP (Spanish) Code Signing CP (Spanish) https://bugzilla.mozilla.org/show_bug.cgi?id=521439 https://bugzilla.mozilla.org/show_bug.cgi?id=601718

QuoVadis is a commercial CA, based in Bermuda and operating globally. QuoVadis is a Qualified Certification Services Provider in Switzerland.

Ernst & Young Audit Report and Management's Assertions KPMG Swiss Accreditation Service statement

This root will be used for SSL/device certificates, including standard "organisation validated" certificates as well as EV certificates.

CRL http://ocsp.quovadisglobal.com/ OV, EV QuoVadis Root CA2 CP/CPS v1.7 QuoVadis Root CA2 CP/CPS v1.7 https://bugzilla.mozilla.org/show_bug.cgi?id=365281 https://bugzilla.mozilla.org/show_bug.cgi?id=378161

This root will operate under a similar CP/CPS to our existing "qualified" Root CA 1, primarily used for end user certificates.

CRL http://ocsp.quovadisglobal.com/ OV QuoVadis Root CA CP/CPS 4.3 QuoVadis Root CA CP/CPS 4.3 https://bugzilla.mozilla.org/show_bug.cgi?id=365281 https://bugzilla.mozilla.org/show_bug.cgi?id=378161

GlobalSign is a commercial CA based in Portsmouth NH and serving customers worldwide.

Ernst & Young Audit Report and Management’s Assertions Ernst & Young Audit Report and Management’s Assertions

This is the SHA256 version of the GlobalSign root (SHA1) that is already included in NSS. This root is primarily suitable for Server and Client Authentication, Secure e-mail, Code Signing and Timestamping. However the root itself is marked for all issuance policies and therefore can also be used for OCSP, Encrypting File System, IP Sec (Tunnel, User) and CA Encryption Certificate purposes. The root has been created (A ceremony to WebTrust audited standards witnessed by Ernst and Young). However, this root is not yet active, so no CRL or OCSP service has yet been provided for it. GlobalSign will be supporting a new certificate hierarchy in 2010 based on this SHA256 root.

CRL DV, OV, EV (policy OID 1.3.6.1.4.1.4146.1.1) Repository of All Legal Documents GlobalSign Certification Practice Statement GlobalSign CA Certificate Policy https://bugzilla.mozilla.org/show_bug.cgi?id=507360 https://bugzilla.mozilla.org/show_bug.cgi?id=582375 https://bugzilla.mozilla.org/show_bug.cgi?id=582381

Root CA with one subordinate CA.

CRL http://evssl-ocsp.globalsign.com/responder EV (policy OID 1.3.6.1.4.1.4146.1.1) GlobalSign Certification Practice Statement, version 6.0 GlobalSign CA Certificate Policy, version 3.0 GlobalSign CP v2.1 GlobalSign CPS v5.3 https://bugzilla.mozilla.org/show_bug.cgi?id=367245 https://bugzilla.mozilla.org/show_bug.cgi?id=378163 https://bugzilla.mozilla.org/show_bug.cgi?id=406796

Root CA with two subordinate CAs.

CRL http://evssl-ocsp.globalsign.com/responder DV, IV/OV, EV (policy OID 1.3.6.1.4.1.4146.1.1) GlobalSign Certification Practice Statement, version 6.0 GlobalSign CA Certificate Policy, version 3.0 https://bugzilla.mozilla.org/show_bug.cgi?id=406794 https://bugzilla.mozilla.org/show_bug.cgi?id=449883 https://bugzilla.mozilla.org/show_bug.cgi?id=446407 Note that a version of this root CA certificate with the same public key but an earlier expiration date (2014-01-28) is already included in the Mozilla list. This request is to replace the older certificate with this certificate and then enable this CA certificate for EV.

Keynectis is a French commercial CA that issues certificates to the general public. Keynectis was created by merging two previous French certification operators, Certplus and PK7.

LSTI - La Sécurité des Technologies de l'Information ETSI Certificate KPMG Audit Report and Management's Assertion

CRL http://kvalid.keynectis.com/evssl-ocsp/ OV, EV (Policy OID 1.3.6.1.4.1.22234.2.5.2.3.1) Declaration des Pratiques de Certification (CPS in French) CPS for EV SSL CA (English) Root CA CP (English) SSL CP (English) SSL CPS (English) Keynectis Information (English) https://bugzilla.mozilla.org/show_bug.cgi?id=335392 https://bugzilla.mozilla.org/show_bug.cgi?id=379032 https://bugzilla.mozilla.org/show_bug.cgi?id=555860

StartCom is a commercial corporation with customers worldwide, and is the producer and vendor of the StartCom Linux operating systems, operates the StartCom Certification Authority and MediaHost.

Ernst and Young Audit Report and Management's Assertions Ernst and Young Audit Report and Management's Assertions

CRL http://ocsp.startcom.org/sub/class2/server/ca DV, OV, EV (policy OID 1.3.6.1.4.1.23223.2) StartCom Certification Authority Policy and Practice Statements StartCom Certification Authority Extended Validation Certificates Policy Appendix Index of Certs https://bugzilla.mozilla.org/show_bug.cgi?id=362304 https://bugzilla.mozilla.org/show_bug.cgi?id=383722 https://bugzilla.mozilla.org/show_bug.cgi?id=490495 https://bugzilla.mozilla.org/show_bug.cgi?id=490492

This is the SHA256 version of the root certificate that was approved for inclusion in bug #362304. StartCom operates intermediate CA certificates arranged in 4 different verification levels (classes) and certificate types (server, client, code). Class 1 is used for server and email; Class 2, Class 3, and Class 4 are used for server, email, and code signing.

CRL http://ocsp.startcom.org/sub/class2/server/ca DV, OV, EV (policy OID 1.3.6.1.4.1.23223.1.1.1) Document Repository StartCom Certification Authority Policy and Practice Statements Addendem to CP/CPS StartCom Certification Authority Extended Validation Certificates Policy Appendix Certificate Repository https://bugzilla.mozilla.org/show_bug.cgi?id=602750 https://bugzilla.mozilla.org/show_bug.cgi?id=751954 https://bugzilla.mozilla.org/show_bug.cgi?id=751960

This is a new root certificate, that is not related to the StartCom root that is currently included in NSS, as per bug #362304. StartCom operates intermediate CA certificates arranged in 4 different verification levels (classes) and certificate types (server, client, code). Class 1 is used for server and email; Class 2, Class 3, and Class 4 are used for server, email, and code signing.

CRL http://ocsp.startssl.com/ca-g2 DV, OV, EV (policy OID 1.3.6.1.4.1.23223.1.1.1) Document Repository StartCom Certification Authority Policy and Practice Statements Addendem to CP/CPS StartCom Certification Authority Extended Validation Certificates Policy Appendix Certificate Repository https://bugzilla.mozilla.org/show_bug.cgi?id=640368 https://bugzilla.mozilla.org/show_bug.cgi?id=751954 https://bugzilla.mozilla.org/show_bug.cgi?id=751960

TURKTRUST Information Security Services Inc. is a public corporation and is an IT company based in Turkey. TURKTRUST is an authorized qualified electronic certificate service provider according to the Turkish Electronic Signature Law. TURKTRUST issues qualified certificates, time-stamping services, SSL certificates, and object signing certificates.

Turkish Information and Communication Technologies Authority (ICTA) Audit statement BSI Group The Netherlands B.V. ETSI Certificate

Root 1 is a "legacy" root included for compatibility with previously-issued certificates. The English version of the CPS applies to both roots.

CRL CRL CRL http://ocsp.turktrust.com.tr/ DV, IV Document Repository https://bugzilla.mozilla.org/show_bug.cgi?id=380635 https://bugzilla.mozilla.org/show_bug.cgi?id=410821

Root 2 is the new root that replaced Root 1; Root 2 is used for certificates currently being issued. The English version of the CPS applies to both roots.

CRL CRL CRL http://ocsp.turktrust.com.tr/ DV, IV Document Repository https://bugzilla.mozilla.org/show_bug.cgi?id=380635 https://bugzilla.mozilla.org/show_bug.cgi?id=410821

Comodo CA Ltd is a commercial CA based in the UK and serving customers worldwide. Comodo has a total of 12 root CA certs included in Mozilla, and altogether 124 subordinate CAs signed by those root CAs. Some of them exist to differentiate between different Comodo brands or products and some are used to re-brand products for its partners. In each case Comodo retains the private key for the subordinate CA within its infrastructure.

KPMG Audit Report and Management's Assertions KPMG Report in relation to the WebTrust for Certification Authorities Extended Validation Criteria

Root CA certificate with subordinate CAs issuing SSL certificates, email certificates, and code signing certificates.

CRL http://ocsp.comodoca.com/ DV, IV/OV, EV (policy OID 1.3.6.1.4.1.6449.1.2.1.5.1) Comodo Certification Practice Statement, Version 3.0 Comodo Extended Validation (EV) Certification Practice Statement, Version 1.03 https://bugzilla.mozilla.org/show_bug.cgi?id=401587 https://bugzilla.mozilla.org/show_bug.cgi?id=426568 https://bugzilla.mozilla.org/show_bug.cgi?id=426572

Root ECC certificate with internal subordinate CA issuing EV SSL certificates, email certificates, and code signing certificates.

CRL http://ocsp.comodoca.com/ EV (policy OID 1.3.6.1.4.1.6449.1.2.1.5.1) Comodo Certification Practice Statement ECC Amendment to Comodo EV CPS Comodo EV Certification Practice Statement https://bugzilla.mozilla.org/show_bug.cgi?id=421946 https://bugzilla.mozilla.org/show_bug.cgi?id=450427 https://bugzilla.mozilla.org/show_bug.cgi?id=450429

Symantec acquired the VeriSign Authentication Services and root certificates, and is a major commercial CA with worldwide operations and customer base.

KPMG Audit Reports and Management's Assertions

This CA will be used to sign certificates for SSL-enabled servers, and may in the future be used to sign certificates for digitally-signed executable code objects. VeriSign is not yet actively issuing certificates from this root, so they have not yet published a CRL.

CRL OV VeriSign Certification Practice Statement VeriSign Trust Network Certificate Policies CA Hierarchy Diagram https://bugzilla.mozilla.org/show_bug.cgi?id=484901 https://bugzilla.mozilla.org/show_bug.cgi?id=515470

CRL OV VeriSign Certification Practice Statement VeriSign Trust Network Certificate Policies CA Hierarchy Diagram https://bugzilla.mozilla.org/show_bug.cgi?id=409235 https://bugzilla.mozilla.org/show_bug.cgi?id=515472

This root has the following internally-operated sub-CAs: VeriSign Extended Validation SSL CA, VeriSign Extended Validation SSL SGC CA, VeriSign Secure Server CA – G3, VeriSign Class 3 Code Signing 2010 CA, VeriSign Class 3 International Server CA – G3, Thawte SGC CA - G2.

CRL http://evintl-ocsp.verisign.com/ EV (policy OID 2.16.840.1.113733.1.7.23.6) VeriSign Certification Practice Statement VeriSign Trust Network Certificate Policies CA Hierarchy Diagram https://bugzilla.mozilla.org/show_bug.cgi?id=402947 https://bugzilla.mozilla.org/show_bug.cgi?id=422918 https://bugzilla.mozilla.org/show_bug.cgi?id=422921 Email and code signing trust bits enabled in NSS 3.13.6, Firefox 16 as per bug #602107. Note that for compatibility reasons VeriSign has implemented a cross-signing scheme involving this CA. In this scheme, if applications not supporting EV functionality (e.g., Firefox 2 and earlier) encounter VeriSign EV certificates then they will end up treating this CA as a subordinate CA under the existing VeriSign Class 3 Public Primary CA root.

This root CA (also known as PCA1-G1-SHA1) has Signature Algorithm SHA-1. This root will supersede the PCA1-G1 root that is already included in NSS, which has Signature Algorithm MD2.

CRL DV VeriSign Certification Practice Statement VeriSign Trust Network Certificate Policies CA Hierarchy Diagram https://bugzilla.mozilla.org/show_bug.cgi?id=490895 https://bugzilla.mozilla.org/show_bug.cgi?id=515462

This root CA (also known as PCA3-G1-SHA1) has Signature Algorithm SHA-1. This root will supersede the PCA3-G1 root that is already included in NSS, which has Signature Algorithm MD2.

CRL http://ocsp.verisign.com OV VeriSign Certification Practice Statement VeriSign Trust Network Certificate Policies CA Hierarchy Diagram https://bugzilla.mozilla.org/show_bug.cgi?id=490895 https://bugzilla.mozilla.org/show_bug.cgi?id=515462 The initial request was also to EV-enable this root. However, it was deteremined that EV-enablement was not necessary.

Trustwave is a commercial CA serving customers worldwide; it includes the former SecureTrust and XRamp CAs. At this time there are no subordinate CAs for any of these roots; instead end entity certificates are issued directly from the roots as noted below, with different classes of certificates under different certificate policies. Note that each root CA is not associated with a single CPS, rather end entity certs are associated with policies that link to the CPS that the certificate was issued under: an EV CPS, an OV CPS, etc.

Boysen & Miller PLLC Audit Report and Management's Assertions

Root CA certificate utilized for issuing SSL certificates (OV and EV) and code signing certificates.

CRL IV/OV, EV (policy OID 2.16.840.1.114404.1.1.2.4.1) SecureTrust Corporation Certificate Practice Statement for Extended Validation Certificates, Version 1.0.1 SecureTrust Corporation Certificate Practice Statement for Organizationally Validated Standard Assurance Certificates, Version 1.5.1 SecureTrust Certification Practice Statement for Code Signing Certificates, Version 1.6.0 https://bugzilla.mozilla.org/show_bug.cgi?id=409837 https://bugzilla.mozilla.org/show_bug.cgi?id=418907 https://bugzilla.mozilla.org/show_bug.cgi?id=418910

Root CA certificate utilized for issuing SSL certificates (OV and EV), S/MIME certificates, and (in future) code signing certificates.

CRL IV/OV, EV (policy OID 2.16.840.1.114404.1.1.2.4.1) SecureTrust Corporation Certificate Practice Statement for Extended Validation Certificates, Version 1.0.1 SecureTrust Corporation Certificate Practice Statement for Organizationally Validated Standard Assurance Certificates, Version 1.5.1 SecureTrust Certification Practice Statement for S/MIME Certificates, Version 1.6.0 SecureTrust Certification Practice Statement for Code Signing Certificates, Version 1.6.0 https://bugzilla.mozilla.org/show_bug.cgi?id=409838 https://bugzilla.mozilla.org/show_bug.cgi?id=418907 https://bugzilla.mozilla.org/show_bug.cgi?id=418910

Root CA certificate utilized for issuing SSL certificates (OV and EV), S/MIME certificates, and code signing certificates.

CRL IV/OV, EV (policy OID 2.16.840.1.114404.1.1.2.4.1) SecureTrust Corporation Certificate Practice Statement for Extended Validation Certificates, Version 1.0.1 SecureTrust Corporation Certificate Practice Statement for Organizationally Validated Standard Assurance Certificates, Version 1.5.1 SecureTrust Certification Practice Statement for S/MIME Certificates, Version 1.6.0 SecureTrust Certification Practice Statement for Code Signing Certificates, Version 1.6.0 https://bugzilla.mozilla.org/show_bug.cgi?id=273189 https://bugzilla.mozilla.org/show_bug.cgi?id=274723 https://bugzilla.mozilla.org/show_bug.cgi?id=418902

DISABLED: The trust bits have been turned off for the DigiNotar root certificate in versions of Firefox for desktop (3.6.21, 6.0.1, 7, 8, and 9) and mobile (6.0.1, 7, 8, and 9), Thunderbird (3.1.13, and 6.0.1) and SeaMonkey (2.3.2).

CRL http://validation.diginotar.nl OV, EV (policy OID 2.16.528.1.1001.1.1.1.12.6.1.1.1) Mozilla Security Blog regarding DigiNotar https://bugzilla.mozilla.org/show_bug.cgi?id=369357 https://bugzilla.mozilla.org/show_bug.cgi?id=431621 https://bugzilla.mozilla.org/show_bug.cgi?id=493265

GeoTrust is a subsidiary of Symantec. Symantec acquired the VeriSign Authentication Services and root certificates, and is a major commercial CA with worldwide operations and customer base.

KPMG Audit Report and Management's Assertions

This CA will be used to sign certificates for SSL-enabled servers, and may in the future be used to sign certificates for digitally-signed executable code objects. GeoTrust is not yet actively issuing certificates from this root, so they have not yet published a CRL. All subordinated CAs for this root will be internally operated.

CRL DV, OV GeoTrust Certification Practice Statement, Version 1.1.1 Other documents GeoTrust Subscriber Agreement GeoTrust Relying Party Agreement GeoTrust Reseller Agreement GeoTrust EnterpriseSSL Agreement https://bugzilla.mozilla.org/show_bug.cgi?id=409236 https://bugzilla.mozilla.org/show_bug.cgi?id=517242

This CA will be used to sign certificates for SSL-enabled servers, and may in the future be used to sign certificates for digitally-signed executable code objects.

CRL DV, OV GeoTrust Certification Practice Statement, Version 1.1.2 Other documents GeoTrust Subscriber Agreement GeoTrust Relying Party Agreement GeoTrust Reseller Agreement GeoTrust EnterpriseSSL Agreement https://bugzilla.mozilla.org/show_bug.cgi?id=484899 https://bugzilla.mozilla.org/show_bug.cgi?id=517234

This CA issues a CA certificate to the subordinate CA GeoTrust Extended Validation SSL CA, which in turn issues Extended Validation certificates for SSL-enabled servers.

CRL http://EVSSL-ocsp.geotrust.com/ EV (policy OID 1.3.6.1.4.1.14370.1.6) GeoTrust Certification Practice Statement, Version 1.0 (January 31, 2008) Other documents https://bugzilla.mozilla.org/show_bug.cgi?id=407168 https://bugzilla.mozilla.org/show_bug.cgi?id=424169 https://bugzilla.mozilla.org/show_bug.cgi?id=424171 Note that for compatibility reasons GeoTrust has implemented a cross-signing scheme involving this CA. In this scheme, if applications not supporting EV functionality (e.g., Firefox 2 and earlier) encounter GeoTrust EV certificates then they will end up treating this CA as a subordinate CA under the existing Equifax Secure CA root.

Go Daddy operates a commercial CA based in the US and serving customers worldwide.

KPMG Independent Accountants' Report

This new root will eventually replace the “Go Daddy Class 2 CA” root cert that is currently included in NSS. The “Go Daddy Class 2 CA” root has a single internally-operated subordinate CA issuing SSL certificates (DV, OV and EV), email certificates, and code signing certificates.

CRL http://ocsp.godaddy.com/ DV, OV, EV (policy OID 2.16.840.1.114413.1.7.23.3) Repository of certs and policies CP and CPS Relying Party Agreement Subscriber Agreement Premium EV Subscriber Agreement Code Signing Subscriber Agreement https://bugzilla.mozilla.org/show_bug.cgi?id=527056 https://bugzilla.mozilla.org/show_bug.cgi?id=632461 https://bugzilla.mozilla.org/show_bug.cgi?id=632475 Not currently requesting email trust bit because current documentation does not include requirements to verify email address ownership/control.

This new root will eventually replace the “Starfield Class 2 CA” root cert that is currently included in NSS. The “Starfield Class 2 CA” root has a single subordinate CA issuing SSL certificates (DV, OV and EV), email certificates, and code signing certificates.

CRL http://ocsp.starfieldtech.com DV, OV, EV (policy OID 2.16.840.1.114414.1.7.23.3) Repository of certs and policies CP and CPS Relying Party Agreement Subscriber Agreement Premium EV Subscriber Agreement Code Signing Subscriber Agreement https://bugzilla.mozilla.org/show_bug.cgi?id=527056 https://bugzilla.mozilla.org/show_bug.cgi?id=632461 https://bugzilla.mozilla.org/show_bug.cgi?id=632475 Not currently requesting email trust bit because current documentation does not include requirements to verify email address ownership/control.

This new self-signed root CA does not yet have subordinate CAs. Before issuing from this root, at least one appropriate, internally-operated subordinate issuing CA will be created.

CRL http://ocsp.starfieldtech.com DV, OV Repository of certs and policies CP and CPS Relying Party Agreement Subscriber Agreement Premium EV Subscriber Agreement Code Signing Subscriber Agreement https://bugzilla.mozilla.org/show_bug.cgi?id=527056 https://bugzilla.mozilla.org/show_bug.cgi?id=632461 Not currently requesting email trust bit because current documentation does not include requirements to verify email address ownership/control.

Root CA certificate with a single subordinate CA issuing SSL certificates (DV, OV and EV), email certificates, and code signing certificates.

CRL http://ocsp.startfieldtech.com/ DV, IV/OV, EV (policy OIDs 2.16.840.1.114413.1.7.23.3 and 2.16.840.1.114414.1.7.23.3) Starfield Technologies, Inc. Certificate Policy and Certification Practice Statement (CP/CPS) https://bugzilla.mozilla.org/show_bug.cgi?id=403437 https://bugzilla.mozilla.org/show_bug.cgi?id=418958 https://bugzilla.mozilla.org/show_bug.cgi?id=403437 Both of the CA certificates below are cross-signed to the Valicert Class 2 Policy Validation Authority root for legacy support, so this root is configured to enable EV with both of the EV OIDs associated with the other certificates.

Root CA certificate with a single subordinate CA issuing SSL certificates (DV, OV and EV), email certificates, and code signing certificates.

CRL http://ocsp.godaddy.com/ DV, IV/OV, EV (policy OID 2.16.840.1.114413.1.7.23.3) Starfield Technologies, Inc. Certificate Policy and Certification Practice Statement (CP/CPS) https://bugzilla.mozilla.org/show_bug.cgi?id=284677 https://bugzilla.mozilla.org/show_bug.cgi?id=287495 https://bugzilla.mozilla.org/show_bug.cgi?id=418958

Root CA certificate with a single subordinate CA issuing SSL certificates (DV, OV and EV), email certificates, and code signing certificates.

CRL http://ocsp.starfieldtech.com/ DV, IV/OV, EV (policy OID 2.16.840.1.114414.1.7.23.3) Starfield Technologies, Inc. Certificate Policy and Certification Practice Statement (CP/CPS) https://bugzilla.mozilla.org/show_bug.cgi?id=284677 https://bugzilla.mozilla.org/show_bug.cgi?id=287495 https://bugzilla.mozilla.org/show_bug.cgi?id=418958

Network Solutions is a US-based commercial CA with worldwide customer base.

KPMG Audit Report and Management's Assertions KPMG Report in relation to the WebTrust for Certification Authorities Extended Validation Criteria

This CA has a subordinate CA, Network Solutions EV SSL CA, which issues Extended Validation certificates for SSL-enabled servers. At present there are no other subordinate CAs under this root; however in the future Network Solutions may establish additional subordinate CAs to issue non-EV certificates..

CRL IV/OV, EV (policy OID 1.3.6.1.4.1.782.1.2.1.8.1) Network Solutions Certification Practice Statement, Version 1.4.1 Certification Practice Statement (CPS) for Extended Validation (EV) Certification, Version 1.1 https://bugzilla.mozilla.org/show_bug.cgi?id=403915 https://bugzilla.mozilla.org/show_bug.cgi?id=431381 https://bugzilla.mozilla.org/show_bug.cgi?id=431384

Thawte is a subsidiary of Symantec. Symantec acquired the VeriSign Authentication Services and root certificates, and is a major commercial CA with worldwide operations and customer base.

KPMG Audit Report and Management's Assertions

This CA will be used to sign certificates for SSL-enabled servers, and may in the future be used to sign certificates for digitally-signed executable code objects. thawte is not yet actively issuing certificates from this root, so they have not yet published a CRL. All subordinated CAs for this root will be internally operated.

CRL DV, OV Thawte Document Repository (English) Thawte CPS (English) https://bugzilla.mozilla.org/show_bug.cgi?id=409237 https://bugzilla.mozilla.org/show_bug.cgi?id=521869

CRL DV,OV Thawte Document Repository (English) Thawte CPS (English) https://bugzilla.mozilla.org/show_bug.cgi?id=484903 https://bugzilla.mozilla.org/show_bug.cgi?id=521869

This CA issues a CA certificate to the subordinate CAs thawte Extended Validation SSL CA and thawte Extended Validation SSL SGC CA, which in turn issue Extended Validation certificates for SSL-enabled servers.

CRL http://ocsp.thawte.com/ EV (policy OID 2.16.840.1.113733.1.7.48.1) thawte Certification Practice Statement, Version 3.5 (January 2008) https://bugzilla.mozilla.org/show_bug.cgi?id=407163 https://bugzilla.mozilla.org/show_bug.cgi?id=424152 https://bugzilla.mozilla.org/show_bug.cgi?id=424154 Code Signing trust bit enabled in NSS 3.13.6, Firefox 16 as per bug #601950. Note that for compatibility reasons thawte has implemented a cross-signing scheme involving this CA. In this scheme, if applications not supporting EV functionality (e.g., Firefox 2 and earlier) encounter thawte EV certificates then they will end up treating this CA as a subordinate CA under the existing Thawte Premium Server CA root.

Entrust is a commercial CA serving the global market for SSL web certificates. Entrust also issues certificates to subordinate CAs for enterprise and commercial use.

Deloitte and Touche LLP Audit Report and Management's Assertions Deloitte and Touche LLP Audit Report and Management's Assertions

This root was primarily created as the trust root for Entrust EV SSL certificates. EV certificates are issued using the Entrust Certification Authority - L1A subordinate CA.

CRL http://ocsp.entrust.net OV, EV (policy OID 2.16.840.1.114028.10.1.2) Entrust SSL Web Server Certification Practice Statement, Version 2.06 Entrust Certificate Services Certification Practice Statement for Extended Validation (EV) SSL Certificates, Version 1.01 Entrust Extended Validation Business Practices https://bugzilla.mozilla.org/show_bug.cgi?id=382352 https://bugzilla.mozilla.org/show_bug.cgi?id=387892 https://bugzilla.mozilla.org/show_bug.cgi?id=416544

SwissSign AG is a commercial CSP that provides certification services for individual and corporate customers. SwissSign operates the certificate authority for the Swiss Post and is mostly focused on Switzerland but Registration Services may be used internationally. The "Platinum G2" Root CA currently has 3 subordinate CAs, the "Gold G2" Root CA has 2 and the "Silver G2" Root CA has 3.

KPMG Swiss Accreditation Service Certified Bodies List SAS details for SwissSign KPMG Confirmation Notice of WebTrust EV Audit

The SwissSign Platinum CA - G2 root has three subordinate CAs. The SwissSign Qualified Platinum CA - G2 issues "qualified" certificates according to Swiss digital signature law (ZertES). The SwissSign Personal Platinum CA - G2 issues certificates for natural persons and organizations. The Swiss Post Platinum CA - G2 issues the "Postzertifikat", a product of the Swiss Post. (Note that each of the subordinate CAs has its own CP/CPS separate from the CP/CPS of the root.) The Platinum CAs require that keys be generated on Secure Signature Creation Devices (SSCDs); since such devices are not used with servers, this hierarchy is enabled for email and object signing uses only.

CRL http://ocsp.swisssign.net/34C58C2353ADD6DEE70092B06BFA269451CA07E4 IV SwissSign Platinum Root CP/CPS SwissSign Qualified Platinum CP/CPS SwissSign Personal Platinum CP/CPS Swiss Post Platinum CP/CPS https://bugzilla.mozilla.org/show_bug.cgi?id=343756 https://bugzilla.mozilla.org/show_bug.cgi?id=407396

The "Gold G2" root CA currently has two subordinate CAs: "Personal" issues certificates for natural persons and organizations, while "Server" issues certificates for systems. This root CA may also operate other customer-specific Issuing CAs if and only if they fully comply with all the stipulations of the "Gold G2" CP/CPS.

CRL http://ocsp.swisssign.net/0E414F33ED1FEE8DAF6A1916B706D286B253008A IV, OV, EV (policy OID 2.16.756.1.89.1.2.1.1) SwissSign Gold CP/CPS R4 End User Agreement R4 SwissSign Document Repository https://bugzilla.mozilla.org/show_bug.cgi?id=343756 https://bugzilla.mozilla.org/show_bug.cgi?id=407396 https://bugzilla.mozilla.org/show_bug.cgi?id=492077

The "Silver G2" root CA currently has three subordinate CAs: "Personal" issues certificates for natural persons and organizations, "Server" issues certificates for systems, and "Switch" is operated for a customer that issues certificates for the academic community

CRL http://ocsp.swisssign.net/A5045DFC48B74304F31B3B90ACB036034D6AC84F IV SwissSign Silver CP/CPS https://bugzilla.mozilla.org/show_bug.cgi?id=343756 https://bugzilla.mozilla.org/show_bug.cgi?id=407396

IdenTrust is a for-profit corporation serving the private, commercial and government sectors.

Ernst and Young Audit Report and Management's Assertions

CRL http://ocsp.digsigtrust.com DV TrustID CP v1.3.1 IdenTrust CPS v2.2 https://bugzilla.mozilla.org/show_bug.cgi?id=359069 https://bugzilla.mozilla.org/show_bug.cgi?id=394733

CRL https://ocspaces.trustdst.com DV Certificate Policy v20040506_1 Certificate Practice Statement v4.1 https://bugzilla.mozilla.org/show_bug.cgi?id=359069 https://bugzilla.mozilla.org/show_bug.cgi?id=394733

ANSSI is the French Network and Information Security Agency, a part of the French Government. It issues certificates to French Government websites which are used by the general public. Each department has a sub CA; there are at least 20 at the moment, and potentially up to 60. Note: The O of the root is PM/SGDN. SGDN stands for "Secrétariat général de la Défense nationale", which is now named "Secrétariat général de la défense et de la sécurité nationale" (SGDSN). The OU of the root is DCSSI which stands for "Direction Centrale de la sécurité des systèmes d'information". The name of the organizational unit has been changed to "Agence nationale de la sécurité des systèmes d'information" (ANSSI).

French Secretariat GÈnÈral de la DÈfense Nationale Official decision for IGC/A homologation

This is the root certificate of the French Government CA. The IGC/A root issues a subordinate CA for each organization, which can be only a government or an administrative organization. Each of these subordinate CAs may issue end-entity certificates or additional subordinate CAs to be used for divisions within that organization. Each organization is required to follow the CP and the Government RGS/PRIS, and be audited.

CRL OV Policies and other useful information specific to this root Certificate Policy Repository General Security (RGS) Website Documents relating to the use of certificates: all RGS_A Variables de temps (for CRL frequency update) PC-Type authentification Profiles de certificats, LCR et OCSP PC-type signature https://bugzilla.mozilla.org/show_bug.cgi?id=368970 https://bugzilla.mozilla.org/show_bug.cgi?id=477147

Microsec e-Szignó is a Hungarian certificate authority.

Hungarian Government National Communications Authority Authority statement

CRL for this root List of CRLs OV Certificate Hierarchy in English CPS in English Qualified Certificate CPS ETSI TS 101.456, QCP public CP ETSI TS 101.456, SSCD CP Non-qualified Certificates CPS (electronic signatures) ETSI TS 102.042, NCP+ CP ETSI TS 102.042, NCP CP ETSI TS 102.042, NCP and ETSI TS 102.042, LCP CP Non-qualified Certificates CPS (other uses) https://bugzilla.mozilla.org/show_bug.cgi?id=370505 https://bugzilla.mozilla.org/show_bug.cgi?id=483852

This is a new, SHA256, version of the Microsec SHA1 root that is already included in NSS. The new root has a new DN and a new key. Microsec plans to operate the two roots simultaneously for some years, and the old one shall be phased out afterwards. Under the new root, Microsec issues certificates with an OCSP service usable for the general public.

CRL for this root List of CRLs http://a3ocsp2009.e-szigno.hu OV Certificate Hierarchy in English CPS in Hungarian, v2.0 CPS in English, v1.6 Microsec CP and CPS documents https://bugzilla.mozilla.org/show_bug.cgi?id=510506 https://bugzilla.mozilla.org/show_bug.cgi?id=557904

Deutscher Sparkassen Verlag GmbH (S-TRUST) is the world's largest smartcard provider and the central certification service provider for all German savings banks. This CA exists to enable up to 40 million German customers (end-users) to use their banking card as a certificate based signature, encryption and authentication device.

TÜV-IT ETSI TS 101.456 Certificate TÜV-IT ETSI TS 102.042 Certificate

This root will provide all customers of the German Savings Bank Financial Group with client certificates for their signature-enabled debit cards (smartcards).

CRL http://ocsp-q.s-trust.de IV Certification Practice Statement for the S-TRUST Network https://bugzilla.mozilla.org/show_bug.cgi?id=370627 https://bugzilla.mozilla.org/show_bug.cgi?id=478573

WISeKey operates the CertifyID Trust Service, which supports customer-specific CAs under a CA hierarchy rooted at the WISeKey Global Root GA CA and containing Policy CAs (subordinate to the root) and Issuing CAs (subordinate to the Policy CAs). Note that all end-entity certificates are issued by the Issuing CAs under policies set by WISeKey.

WTE y E. Álvarez Auditores, S.L. Audit Report and Management's Assertions WTE y E. Álvarez Auditores, S.L. 2008 Audit Report and Management's Assertions

As noted above, the Global Root GA CA is the one and only root for the entire CertifyID system. It issues CA certificates to Policy CAs, which in turn issue CA certificates to Issuing CAs. There are three types of Policy CAs (Standard, Advanced, and Qualified) and three types of Issuing CAs corresponding to these, each issuing a different class of certificates; verification requirements for applicants vary by class.

CRL IV OISTE WISeKey Root CPS 1.01 CertifyID Identity Validation Overview, Version 1.0 Technical Security Controls WD0011 - Version 1.0.1 Table comparing the three different classes of end-entity certificates issued by Issuing CAs. https://bugzilla.mozilla.org/show_bug.cgi?id=371362 https://bugzilla.mozilla.org/show_bug.cgi?id=467138 Note that the CPS for the root CA addresses only procedures related to issuance of certificates for its subordinate CAs. Issues related to issuance of end entity certificates are addressed in the other two documents references, in particular the CPS for the Advanced Services Issuing CA.

T-Systems is a wholly-owned subsidiary of Deutsche Telekom AG.

Ernst and Young Audit Report and Management's Assertions Ernst and Young Audit Report and Management's Assertions Ernst and Young Audit Report and Management's Assertions

CRL OV Document Repository https://bugzilla.mozilla.org/show_bug.cgi?id=378882 https://bugzilla.mozilla.org/show_bug.cgi?id=487647

T-Systems plans to offer certificates with a high security level (e.g. EV) chaining up to this “T-TeleSec GlobalRoot Class 3” root. High security level services for email and code signing will also be created, and the corresponding Sub-CAs will be operated under this Class 3 root. This Class 3 root will only have internally-operated subordinate CAs. T-Systems currently offers certificates with a standard security level (e.g. OV) chaining up to the currently included “Deutsche Telekom Root CA 2” root. All of those standard security services will eventually chain up to a “T-TeleSec GlobalRoot Class 2” root. Inclusion of the “T-TeleSec GlobalRoot Class 2” root is not currently part of this request.

CRL http://ocsp.telesec.de/ocspr EV (Policy OID 1.3.6.1.4.1.7879.13.24.1) Document Repository ServerPass CP/CPS (German) ServerPass CP/CPS v1.1 (English) CP (English) CP (German) CPS (English) CPS (German) https://bugzilla.mozilla.org/show_bug.cgi?id=669849 https://bugzilla.mozilla.org/show_bug.cgi?id=760297 https://bugzilla.mozilla.org/show_bug.cgi?id=760313

TC TrustCenter is a subsidiary of Symantec. TC TrustCenter is based in Germany, with customers in all major regions of the world. TC TrustCenter offers a variety of products and services including SSL Server certificates and Email certificates.

TÜV-IT Germany ETSI TS 102.042 LCP Certificate TÜV-IT Germany ETSI TS 102 042 V2.1.1 EV Certificate

This root will have an internally-operated subordinate CA for each registration strength; “Class 1”, “Class 2”, “Class 3” and “Class 4 EV”. This root currently has one Class 4 EV subordinate CA, “TC TrustCenter Class 4 Extended Validation CA I”, which will only issue EV certificates. This new root will co-exist with the “TC TrustCenter Universal CA I” root that is currently included in NSS. This new root will effectively replace the "TC Universal CA II" root which was not included in NSS. For this new root, TC TrustCenter generated a new key (supervised by their auditor) to be compliant with the CA/B Forum guidelines.

CRL http://ocsp.tcuniversal-iii.trustcenter.de OV, EV (policy OID 1.2.276.0.44.1.1.1.4) CPS (English) CPS (German) CPD (English) CPD (German) EV CPD (English) EV CPD (German) All TC TrustCenter root certs https://bugzilla.mozilla.org/show_bug.cgi?id=436467 https://bugzilla.mozilla.org/show_bug.cgi?id=593063 https://bugzilla.mozilla.org/show_bug.cgi?id=593067

This root has two internally-operated subordinate CAs which issue certificates for SSL, email, and code signing. This root also has an externally-operated subordinate CA which is used to issue device certificates and email certificates for internal use only. The device name and the email address belong to a company internal domain, so the ownership is guaranteed.

CRL http://ocsp.tcclass2-ii.trustcenter.de OV http://ocsp.tcclass1.trustcenter.de/ Hierarchy Diagram TC TrustCenter GmbH Certification Practice Statement (CPS) TC TrustCenter Certificate Policy Definitions (CPD) TC TrustCenter CA Certificates https://bugzilla.mozilla.org/show_bug.cgi?id=392024 https://bugzilla.mozilla.org/show_bug.cgi?id=486759

This root has one internally-operated subordinate CA which issues certificates for SSL, email, and code signing.

CRL http://ocsp.tcclass3-ii.trustcenter.de OV Hierarchy Diagram TC TrustCenter GmbH Certification Practice Statement (CPS) TC TrustCenter Certificate Policy Definitions (CPD) TC TrustCenter CA Certificates https://bugzilla.mozilla.org/show_bug.cgi?id=392024 https://bugzilla.mozilla.org/show_bug.cgi?id=486759

This root has been introduced to reduce the number of root certificates in the trusted root stores. This root will have internally-operated subordinate CAs for each registration strength. “Class 1”, “Class 2”, “Class 3” and “Class 4” represent the registration strength. This root currently has one Class 3 subordinate CA. Over time this root will have more “TC Class x” subordinate CA certificates.

CRL http://ocsp.tcuniversal-i.trustcenter.de OV Hierarchy Diagram TC TrustCenter GmbH Certification Practice Statement (CPS) TC TrustCenter Certificate Policy Definitions (CPD) TC TrustCenter CA Certificates https://bugzilla.mozilla.org/show_bug.cgi?id=392024 https://bugzilla.mozilla.org/show_bug.cgi?id=486759

Dhimyotis services include Certigna ID and Certigna SSL. Certigna is a French CA for the European market and expects to expand to serve other countries (India, USA, South America ... ) soon.

LSTI - La Sécurité des Technologies de l'Information Statement of Compliance with ETSI TS 102.042 LSTI - La Sécurité des Technologies de l'Information 2008 Statement of Compliance with ETSI TS 102.042

The Certigna root has three internally operated subordinated CA’s: Certigna SSL is for SSL-enabled servers, Certigna ID is for authentication and digitally-signed email, and Certigna Chiffrement is for encrypting email.

CRL for the SSL Subordinate CA CRL for the ID Subordinate CA IV/OV Public Portion of CPS Translated Portion of CPS Translated Portion of Code Signing CPS Certificate Policy for SSL Subordinate CA Certificate Policy for ID Subordinate CA http://bugzilla.mozilla.org/show_bug.cgi?id=393166 https://bugzilla.mozilla.org/show_bug.cgi?id=483889

SECOM Trust Services Co., Ltd are a commercial CA based in Japan.

Deloitte Touche Tohmatsu LLC Audit Report and Management’s Assertions

This is the SHA256 version of the Security Communication RootCA1 (SHA1) root certificate that is currently in NSS. It will have separate intermediate CAs for signing certificates for SSL, EV SSL, email, and code signing. Not requesting EV treatment at this time.

CRL OV Diagram showing relation of documents Documents relating to this root CPS (Japanese) CP (Japanese) SECOM CA Service Passport for Web SR 2.0 Certificate Policy (Japanese) SECOM Passport for Web EV Certificate Policy (Japanese) SECOM Passport for Web EV Certificate Policy (copy-and-paste enabled) EV Verification Document https://bugzilla.mozilla.org/show_bug.cgi?id=527419 https://bugzilla.mozilla.org/show_bug.cgi?id=680979

This request is to add a newly constructed EV root to the NSS database. Note that there is currently a non-EV CA called Security Communication RootCA1 in the NSS database.

CRL EV (policy OID 1.2.392.200091.100.721.1) Diagram showing relation of documents Documents relating to this root CPS (Japanese) CP (Japanese) SECOM CA Service Passport for Web SR 2.0 Certificate Policy (Japanese) SECOM Passport for Web EV Certificate Policy (Japanese) SECOM Passport for Web EV Certificate Policy (copy-and-paste enabled) EV Verification Document https://bugzilla.mozilla.org/show_bug.cgi?id=394419 https://bugzilla.mozilla.org/show_bug.cgi?id=477134 https://bugzilla.mozilla.org/show_bug.cgi?id=477145

Sociedad Cameral de Certificación Digital - Certicámara S.A. is a commercial CA primarily serving Colombia and Andean Region

Deloitte and Touche Audit Report and Management's Assertions

This is a new root CA certificate authorized by Industry and Commerce Department of Colombia, to replace the Certificado Empresarial Clase-A certificate. It has one internally operated subordinate CA.

CRL OV Certificate Hierarchy Certification Practices Statement (CPS) – in Spanish Declaration of Practices http://bugzilla.mozilla.org/show_bug.cgi?id=401262 http://bugzilla.mozilla.org/show_bug.cgi?id=486424

ComSign is a private company owned by Comda, Ltd., a company specializing in information protection products and solutions. In 2003, ComSign was appointed by the Justice Ministry as a certificate authority in Israel in accordance with the Electronic Signature Law 5761-2001, and is currently the only entity issuing legal authorized electronic signatures according to the Israel law. ComSign has issued electronic signatures to thousands of business people in Israel.

The State of Israel – Ministry of Justice Registered CA Sharony-Shefler Audit Statement 2009

This root has six internally-operated subordinate CAs that are used for issuing digital IDs to individuals and corporations in accordance with the Israeli Electronic Signature Law.

CRL IV, OV Cert Hierarchy Diagram Links to CPSs in Hebrew and English CPS in English https://bugzilla.mozilla.org/show_bug.cgi?id=420705 https://bugzilla.mozilla.org/show_bug.cgi?id=490487

This root has two internally-operated subordinate CAs that are used for issuing certificates for SSL and for code-signing.

CRL OV Cert Hierarchy Diagram Links to CPSs in Hebrew and English CPS in English Security Certificate Approval Regulations For SSL Websites in English https://bugzilla.mozilla.org/show_bug.cgi?id=420705 https://bugzilla.mozilla.org/show_bug.cgi?id=490487

Wells Fargo is a public CA based in San Francisco, California, and serving customers worldwide. This EV CA was created for the purpose of creating an online/intermediate EV SSL issuing authority which will be managed internally, and follow the WellsSecure CPS.

KPMG Audit Report and Management's Assertions KPMG Audit Report and Management's Assertions

Root CA with one internal subordinate CA issuing EV SSL certificates.

CRL http://validator.wellsfargo.com/ EV (policy OID 2.16.840.1.114171.500.9) WellsSecure PKI Certificate Policy http://bugzilla.mozilla.org/show_bug.cgi?id=428390 https://bugzilla.mozilla.org/show_bug.cgi?id=449393 https://bugzilla.mozilla.org/show_bug.cgi?id=449394

Verizon Business Security Solutions Powered by Cybertrust operates a commercial certificate authority service for businesses and governments internationally.

Ernst and Young Audit Report and Management's Assertions Ernst and Young Audit Report and Management's Assertions

This root was created to provide a service to customers desiring a root based outside the United States. Relying on the GTE CyberTrust Global Root for ubiquity through cross-certification, this root is used for issuance of EV SSL certificates. There is currently only one internally-operated subordinate CA called Cybertrust SureServer EV CA. The CPS allows for this root to have other subordinate CAs in the future. The sub-CAs are required to follow the CPS and to have regular audits.

CRL EV (policy OID 1.3.6.1.4.1.6334.1.100.1) Cybertrust CA Certificate Policy Certification Practice Statement http://bugzilla.mozilla.org/show_bug.cgi?id=430700 https://bugzilla.mozilla.org/show_bug.cgi?id=493258 https://bugzilla.mozilla.org/show_bug.cgi?id=493259

Kamu Sertifikasyon Merkezi is the one government CA in Turkey that has authorization to issue certificates to government entities. They are also authorised to issue to commercial companies.

Turkish Information and Communications Technologies Authority (ICTA) ICTA statement of ETSI compliance

CRL http://ocsp.kamusm.gov.tr DV, IV CP CPS https://bugzilla.mozilla.org/show_bug.cgi?id=381974 https://bugzilla.mozilla.org/show_bug.cgi?id=499705

E-TUGRA is the EBG Informatics Technologies and Services Corporation. E-TUGRA is a privately held CA operating in Ankara, Turkey, with customers from all geographic areas within Turkey. E-TUGRA has been certified as one of the four authorized CAs that issues qualified certificates as well as SSL and other types of certificates to public in Turkey.

Turkish Information and Communications Technologies Authority (ICTA) ICTA statement of ETSI compliance

From this root CA E-TUGRA has issued two internally-operated subordinate CAs. The Qualified Certificate (QC) subordinate CA issues certificates for Digital Signing and Non-Repudiation (document and email signing). The Non Qualified Certificate (NQC) subordinate CA (EBG Web Sunucu Sertifika Hizmet Sağlayıcısı) issues certificates for SSL, email encryption, and code signing.

CRL http://ocsp.e-tugra.com/status/ OV Non Qualified (NQC) CP/CPS in English Qualified (QC) CP/CPS in English https://bugzilla.mozilla.org/show_bug.cgi?id=443653 https://bugzilla.mozilla.org/show_bug.cgi?id=509440

Chunghwa Telecom (CHT) chiefly provides telecommunication and information-related services. A public corporation, CHT is the largest integrated telecommunication operator in Taiwan.

Sun Rise CPA Firm of DFK International Audit Report and Management's Assertions

This is the eCA root, which has two subordinate CAs: CHTCA and Public CA. The CHTCA is the internal CA of Chunghwa Telecom (CHT) which signs certificates for CHT employees. The Public CA signs certificates for CHT clients.

CRL DV, OV CHT Certificate Repository ePKI CP eCA CPS Public CA CPS https://bugzilla.mozilla.org/show_bug.cgi?id=448794 https://bugzilla.mozilla.org/show_bug.cgi?id=496193 In the eCA CPS the term cross-certificate means a certificate used to establish a trust relationship between two CAs. Within the ePKI the cross-certificate is intended to mean subordinate CA. All subordinate CAs are operated by the Data Communication Business Group, which is a division of Chunghwa Telecom.

certSIGN is operated by SC CERTSIGN srl, a private corporation. certSIGN is a company member of UTI Group and an accredited supplier of certification services. certSIGN solutions are developed integrally in Romania.

Ernst and Young Audit Report and Management's Assertions

This root issues internally-operated subordinate CAs for different classes of certificates based on use and verification requirements.

CRL http://ocsp.certisgn.ro OV Certification Policy in English Certification Practice Statement in English Download Links of Subordinate CAs https://bugzilla.mozilla.org/show_bug.cgi?id=470756 https://bugzilla.mozilla.org/show_bug.cgi?id=526532

In Japan there are two root CAs, one is GPKI (Government Public Key Infrastructure) and the other one is LGPKI (Local government public Key Infrastructure). GPKI is controlled by the Ministry of Internal Affairs/Communications and National Information Security Center, and it is separate from Local government sectors. The Japanese government decided to centralize to GPKI from each of the ministry's certification systems and it has finished migration on Oct, 2008.

Deloitte Touche Tohmatsu Audit Report and Management's Assertions (Japanese) Audit Report and Management's Assertions (English)

This root is operated by the national government of Japan. It issues server certificates and code signing certificates to national government agencies. This root issues end-entity certificates directly, and does not have any subordinate CAs.

CRL IV/OV ApplicationCA Info CP/CPS in English CP/CPS in Japanese https://bugzilla.mozilla.org/show_bug.cgi?id=474706 https://bugzilla.mozilla.org/show_bug.cgi?id=523434

China Internet Network Information Center (CNNIC), the state network information center of China, is a non-profit organization. CNNIC takes orders from the Ministry of Information Industry (MII) to conduct daily business, while it is administratively operated by the Chinese Academy of Sciences (CAS). The CNNIC Steering Committee, a working group composed of well-known experts and commercial representatives in domestic Internet community, supervises and evaluates the structure, operation and administration of CNNIC. The objective customers of the CNNIC root are domain owners from general public, including enterprise, government, organization, league, individual, etc.

Ernst and Young Audit Report and Management's Assertions

This root has one internally-operated subordinate CA named CNNIC SSL, which offers only SSL certificates that may be issued to general public, including enterprise, government, organization, league, individual, etc.

CRL OV Policies of the CNNIC Trusted Network Service Center English CPS of the CNNIC Trusted Network Service Center https://bugzilla.mozilla.org/show_bug.cgi?id=476766 https://bugzilla.mozilla.org/show_bug.cgi?id=525008

Buypass AS is a public corporation and a leading supplier of secure solutions for electronic identification, electronic signatures and payment in the Nordic countries. Buypass solutions are delivered via the Internet, mobile phones, POS terminals and company internal networks. Buypass has issued electronic IDs to over 2 million of Norway's inhabitants. Buypass is registered with the Post and Telecommunications Authority as the issuer of the qualified ID according to the law on electronic signature. The company is the market leading ID supplier within e-Government services in Norway, provides identification services to all government departments, over 70% of the country’s primary health care services and the entire customer base of the Norsk Tipping (the Norwegian national Lottery).

KPMG Audit Report and Management's Assertions

This root signs end-entity certificates directly, and does not have subordinate CAs. Buypass Class 2 certificates are issued to persons or enterprises and have the same basic usage areas as Class 3 certificates. The Class 2 CP has, however, less strict requirements with respect to identification of the requesting party than Class 3 certificates.

CRL https://ocsp.prod.buypass.no/BPClass2 OV CP and CPS Buypass Class 2 SSL Certificate Policy in English Buypass Class 2 SSL Certificate Practice Statement in English https://bugzilla.mozilla.org/show_bug.cgi?id=477028 https://bugzilla.mozilla.org/show_bug.cgi?id=499712

This root signs end-entity certificates directly, and does not have subordinate CAs. The Buypass Class 3 certificates are either issued to persons or enterprises. The certificates may be used for authentication purposes, encryption/decryption and/or electronic signatures (non-repudiation). The certificates are part of an infrastructure provided by Buypass AS enabling electronic commerce in Norway. The certificates are used by many different service providers ranging from purely commercial companies to governmental and other public institutions including the health sector. Extended Validation SSL certificates will be issued exclusively by Class 3 CA.

CRL https://ocsp.prod.buypass.no/BPClass23 OV, EV (Policy OID 2.16.578.1.26.1.3.3) CP and CPS Buypass Class 3 SSL Certificate Policy in English Buypass Class 3 SSL Certificate Practice Statement in English https://bugzilla.mozilla.org/show_bug.cgi?id=477028 https://bugzilla.mozilla.org/show_bug.cgi?id=499712 https://bugzilla.mozilla.org/show_bug.cgi?id=499716

This root has two internally-operated subCAs which sign end-entity certificates. Buypass Class 2 certificates are issued to natural persons or enterprises and have the same basic usage areas as Class 3 certificates. The Class 2 CP has, however, less strict requirements with respect to identification of the requesting party than Class 3 certificates. The "Buypass Class 2 CA 1" root certificate is currently included in NSS, as per bug #477028.

CRL http://ocsp.buypass.no/ocsp/BPClass2CA2 OV Document Repository Class 2 CP (English) Class 2 CPS (English) https://bugzilla.mozilla.org/show_bug.cgi?id=685128 https://bugzilla.mozilla.org/show_bug.cgi?id=752103

This root has two internally-operated subCAs which sign end-entity certificates. The Buypass Class 3 qualified certificates are issued to natural persons and the enterprise certificates are issued to organizations. The certificates may be used for authentication purposes, encryption/decryption and/or electronic signatures (non-repudiation). The certificates are part of an infrastructure provided by Buypass AS enabling electronic commerce in Norway. The certificates are used by many different service providers ranging from purely commercial companies to governmental and other public institutions including the health sector. Extended Validation and Business SSL certificates are issued exclusively by the Buypass Class 3 CA. The "Buypass Class 3 CA 1" root certificate is currently included in NSS, as per bug #477028.

CRL http://ocsp.buypass.no/ocsp/BPClass3CA2 OV, EV (policy OID 2.16.578.1.26.1.3.3) Document Repository Class 3 CP (English) Class 3 CPS (English) https://bugzilla.mozilla.org/show_bug.cgi?id=685128 https://bugzilla.mozilla.org/show_bug.cgi?id=752103 https://bugzilla.mozilla.org/show_bug.cgi?id=752106

Hongkong Post is a government agency and is a recognized CA under the law of Hong Kong Special Administrative Region (HKSAR) of China, and has been issuing digital certificates under the e_Cert brand name to individuals and organizations of HKSAR since January 2000. Hongkong Post CA operations have been outsourced to E-Mice Solutions. This is documented in the CPS and the Management Assertions. The WebTrust audit covers both Hongkong Post and E-Mice CA operations.

PricewaterhouseCoopers Audit Report and Management Assertions

This root has only one direct subordinate, Hongkong Post e-Cert CA 1, which is the signer key and is used to issue different types of recognized e-Certs to individuals and organizations.

CRL OV Certificate Practice Statement for e-Certs https://bugzilla.mozilla.org/show_bug.cgi?id=408949 https://bugzilla.mozilla.org/show_bug.cgi?id=541499

SK (Certification Centre, legal name AS Sertifitseerimiskeskus) is a commercial CA, covering the Baltic region (Estonia, Lithuania, Latvia). SK is Estonia's primary certification authority, providing certificates for authentication and digital signing to Estonian ID Cards. Established in 2001, SK has the backing of Estonian and Nordic financial and telecom sector. SK’s customers include the Estonian court system and notaries, Central Bank and commercial banks, and enforcement organisations (e.g. Police).

KPMG Estonia Audit Report

This root issues three types of internally operated subordinate CAs. The first type of subordinate CA is used to issue electronic ID cards which contain certificates for digital signature and for digital identification. The second type of subordinate CA is used to issue internal ID cards of the Republic of Estonia. The third type of subordinate CA is used to issue device and SSL certificates.

CRL OV Document Repository https://bugzilla.mozilla.org/show_bug.cgi?id=414520 https://bugzilla.mozilla.org/show_bug.cgi?id=532742

This is the renewed root cert that will eventually replace the “Juur-SK” root cert that was included in bug #414520. This new root will have the same CA hierarchy as the old “Juur-SK” root. The Juur-SK root has three types of internally operated subordinate CAs. The first type of subordinate CA is used to issue electronic ID cards which contain certificates for digital signature and for digital identification. The second type of subordinate CA is used to issue internal ID cards of the Republic of Estonia. The third type of subordinate CA is used to issue device and SSL certificates.

CRL http://ocsp.sk.ee OV Document Repository Certificate Practice Statement (English) CP of Organisation Certificates (English) Certificate Policy for Device Certificates (Estonian) https://bugzilla.mozilla.org/show_bug.cgi?id=624356 https://bugzilla.mozilla.org/show_bug.cgi?id=795020

Staat der Nederlanden is the Netherlands national government CA. The Dutch governmental PKI hierarchy consists of 2 roots. This first root, Staat der Nederlanden Root CA, is already included in NSS. The second root is the next generation, Staat der Nederlanden Root CA – G2. The organization operating these roots is called Logius as of January 2010, it used to be called GBO.Overheid. Logius is the digital government service of the Netherlands Ministry of the Interior and Kingdom Relations (BZK).

KPMG Audit Report and Management Asserstions

This is the next generation of the Staat der Nederlandend Root CA that is currently in the Mozilla store. The PKIoverheid issues two internally operated subordinate CAs, which issue subordinate CAs to CSPs. The CSPs are commercial and governmental organizations. Each CSP has to prove that it complies with ETSI TS 101 456 and the Dutch law on electronic signatures. CSPs must conclude a contract with a representative of a government organization or commercial company before issuing end-entity certificates. A request for a certificate is always signed by a specified representative of a government organization or commercial company.

CRL OV Description of PKI Overheid (English) Schedule of Requirements (Dutch) Certification Practice Statement of the Policy Authority PKI Overheid (Dutch) CP for CSPs (see Deel 2) List of CSPs Certificate Policy for employees of governmental organizations or commercial companies (see Deel 3a) Certificate Policy for SSL services of governmental organizations or commercial companies (see Deel 3b) Certificate Policy for personal use of civilians (see Deel 3c) https://bugzilla.mozilla.org/show_bug.cgi?id=436056 https://bugzilla.mozilla.org/show_bug.cgi?id=529874 The email trust bit was approved in bug #551399 and enabled in bug #670790.

Disig is a public Certification Service Provider, located in Slovakia. Disig is a member of international ASSECO Group, one of the strongest software houses in the CEE region. Asseco is a leader in selected IT segments in countries across Central and Eastern Europe.

Scientia Audit Statement

This root has no subordinate CAs, issuing end-entity certs for SSL, email, and code signing directly.

CRL OV CP Version 4.0 (Slovak) CPS Version 4.0 (Slovak) CP Version 3.4 (English) Disig Certification Authority Website Security Policy (Slovak) https://bugzilla.mozilla.org/show_bug.cgi?id=455878 https://bugzilla.mozilla.org/show_bug.cgi?id=539235

NetLock Ltd. is a qualified Certificate Authority in Hungary that issues certificates to organizations and individuals.

National Communications Authority, Hungary Statement of audit conformance in English Statement of the NCA that Netlock is a Qualified Service Provider CERT-Hungary Cover letter of the rDSP audit in Hungarian English Translation of part of the rDSP Audit Report

NetLock currently has four separate root CAs included in NSS. The redesigned equivalent of these existing roots will be created under this new root. The new root will sign seven internally-operated subordinate CAs. Two of those subordinate CAs will sign sub-CAs that will be externally-operated by MKB (Hungarian Trade Bank) and MNB (National Bank of Hungary).

CRL for Class B http://ocsp1.netlock.hu/gold.cgi OV CA Hierarchy Practice Statements and Terms of Agreements in Hungarian CPS in English Verification Practice for Non-Qualified certificates Non-qualified certificate CRL and OCSP profile definitions Certificate Issuance Practice Statement https://bugzilla.mozilla.org/show_bug.cgi?id=480966 https://bugzilla.mozilla.org/show_bug.cgi?id=532201

Japan Certification Services, Inc. (JCSI) is a commercial CA whose primary market is Japan. Some of the relying parties are outside Japan, such as US, Canada, European countries, and Asia.

Ernst and Young ShinNihon LLC Audit Report and Management’s Assertions

This root has one internally-operated subordinate CA for issuing SSL certificates to the public. In the future, JCSI plans to add other internally-operated subordinate CAs for S/MIME, Time Stamping, and other certificate types.

CRL OV Repository CP/CPS in English https://bugzilla.mozilla.org/show_bug.cgi?id=496863 https://bugzilla.mozilla.org/show_bug.cgi?id=542798

The Edicom Certification Authority (ACEDICOM) provides companies, communities and physical persons with secure electronic identification mechanisms that enable them to engage in activities where the digital signature replaces the handwritten with identical legal guarantees. To this end, ACEDICOM issues certificates in accordance with the stipulations of Directive 1999/93/EC of 13th December 1999 and Law 59/2003 of 19th December, on electronic signature, and so has sufficient recognition to operate in all countries of the European Union. The Edicom CA is responsible for obtaining the corresponding official authorisation in those places outside the Union where it operates commercially.

Ernst and Young Audit Report and Management's Assertsions

This root has three internally-operated subordinate CAs. The ACEDICOM 01 subordinate CA issues Qualified certificates for identification and advanced electronic signature, for the use of physical persons or legal organisations. The ACEDICOM 02 subordinate CA issues certificates for purposes other than Qualified electronic signature. The ACEDICOM Servidores subordinate CA issues server/client certificates and code signing certificates.

Root CRL http://ocsp.acedicom.edicomgroup.com/acedicom01 OV CPS in English CPS in Spanish Declaration of Certification Practices and Policies according to Certificate Type TLS Certificate Policy (in Spanish) https://bugzilla.mozilla.org/show_bug.cgi?id=471045 https://bugzilla.mozilla.org/show_bug.cgi?id=550521

E-Guven is a private corporation that serves certificates mainly the Turkish market and they plan to expand their market to other countries. E-Guven certificates are used in Public projects, such as www.turkiye.gov.tr, and Mobile Signature as well. E-Guven also develops B2B secure transaction projects.

Republic of Turkey Telecommunicatins Authority Audit Statement

This root certificate signs SSL certificates directly. Additionally, this root has the following three intermediate CAs: E-Guven Mobile CA issues mobile certificates for end users; E-Guven NES CA issues qualified electronic certificates for Turkish citizens; and E-Guven Secure Client Certificates issues Class 3 certificates. All of the intermediate CAs chaining up to this root are operated internally by e-Guven.

CRL http://ocsp2.e-guven.com/ocsp.xuda OV CA Hierarchy E-Guven Document Repository Qualified Electronic CP (GKNESI) in Turkish SSL Cert Application Basics (SUE) in Turkish https://bugzilla.mozilla.org/show_bug.cgi?id=476428 https://bugzilla.mozilla.org/show_bug.cgi?id=571932

Izenpe is owned by the government of the Basque country, Spain.

BSI Management Systems ETSI Certificate KPMG Audit Report and Management Assertions

This SHA256 root has five internally-operated subordinate CAs. One sub-CA issues EV SSL certs. Two of the sub-CAs are for Qualified certificates, one for Public Administration, and one for Citizens and Entities. There are also two sub-CAs for non-Qualified certificates, one for Public Administration and one for Citizens and Entities, which issue SSL Server, Email, and Code Signing certs.

CRL http://ocsp.izenpe.com:8097 OV, EV (Policy OID 1.3.6.1.4.1.14777.6.1.1) CA Hierarchy Links to CPS in Spanish, Basque, and English CPS in English CPS in Spanish Certificate Specific Documentation Procedures for EV SSL Secure Server Certificates (Spanish) Procedures for Secure Server Certificates (Spanish) Procedures for Code Signing Certificates (Spanish) Procedures for Corporate Certificates (Spanish) https://bugzilla.mozilla.org/show_bug.cgi?id=361957 https://bugzilla.mozilla.org/show_bug.cgi?id=578491 https://bugzilla.mozilla.org/show_bug.cgi?id=578499

AC Camerfirma S.A. is a commercial CA issuing certificates for companies primarily in Spain. Camerfirma is the digital certification authority for Chambers of Commerce in Spain.

Ernst and Young Audit Report and Management's Assertions Ernst and Young Audit Report and Management's Assertions (Spanish) Audit Report and Management's Assertions (English)

This CA has internally-operated subordinate CAs that issue certificates for Spanish companies and representatives. Chambers of Commerce act as RAs for end user registration.

CRL http://ocsp.camerfirma.com OV, EV (Policy OIDs 1.3.6.1.4.1.17326.10.14.2.1.2 and 1.3.6.1.4.1.17326.10.14.2.2.2) Policy Repository Certificate Practice Statement (Spanish) Certification Policy Camerfirma Express Corporate Server (Spanish) Certification Policy for Camerfirma Corporate Server EV (Spanish) Certification Policy for Code Signing (Spanish) https://bugzilla.mozilla.org/show_bug.cgi?id=406968 https://bugzilla.mozilla.org/show_bug.cgi?id=562395 https://bugzilla.mozilla.org/show_bug.cgi?id=562399

This CA has internally-operated subordinate CAs that issue certificates for general use globally. Other companies act as RAs for end user registration.

CRL http://ocsp.camerfirma.com OV, EV (Policy OIDs 1.3.6.1.4.1.17326.10.8.12.1.2 and 1.3.6.1.4.1.17326.10.8.12.2.2) Policy Repository Certificate Practice Statement (Spanish) CP of RACER sub-CA (Spanish) Certification Policy Camerfirma Express Corporate Server (Spanish) Certification Policy for Camerfirma Corporate Server EV (Spanish) Certification Policy for Code Signing (Spanish) https://bugzilla.mozilla.org/show_bug.cgi?id=406968 https://bugzilla.mozilla.org/show_bug.cgi?id=562395 https://bugzilla.mozilla.org/show_bug.cgi?id=562399

Broader Certification Center (CERTUM) is an organizational unit of Unizeto Technologies SA, providing certification services related to electronic signatures. It is the oldest public certification authority in Poland and the commercial certification authority, operating on a global scale - serving customers in over 50 countries worldwide.

Ernst & Young Audit Report and Management’s Assertions Ernst & Young Audit Report and Management’s Assertions

This root currently has two internally-operated sub-CAs; the Certum Class 1 sub-CA signs 3 month test certs, and the Certum Extended Validation CA signs EV SSL certs. Eventually, the certificates under the old “Certum CA” root (included in NSS) will be moved to this new root. The sub-CAs of the “Certum CA” root are Certum Level I CA, Certum Level II CA, Certum Level III CA, Certum Level IV CA, and Certum Partners CA.

CRL http://evca.ocsp.certum.pl DV, OV, EV (policy OID 1.2.616.1.113527.2.5.1.1) Certum Cert and Document Repository CPS of CERTUM’s Non-Qualified Certification Services (English) CP of CERTUM’s Non-Qualified Certification Services (English) EV CP (English) https://bugzilla.mozilla.org/show_bug.cgi?id=532377 https://bugzilla.mozilla.org/show_bug.cgi?id=635385 https://bugzilla.mozilla.org/show_bug.cgi?id=635390

AffirmTrust is a wholly-owned subsidiary of Trend Micro, Inc. AffirmTrust offers certificates for web-based and mobile applications including microbanking, debit cards and smartcards, mobile phone applications, new media, cloud computing, social networking, etc.

Grant Thornton Audit Report Grant Thornton Audit Report

This root will sign internally-operated sub-CAs which will sign end-entity certificates. AffirmTrust initially plans to only issue EV SSL certificates, but may in the future issue DV SSL, OV SSL, email (S/MIME), and code signing certificates under different sub-CAs.

CRL http://ocsp.affirmtrust.com/commev DV, OV, EV (Policy OID 1.3.6.1.4.1.34697.2.1) Trend Micro SSL document repository AffirmTrust document repository AffirmTrust Certification Practice Statement (English) AffirmTrust Relying Party Agreement (English) https://bugzilla.mozilla.org/show_bug.cgi?id=543639 https://bugzilla.mozilla.org/show_bug.cgi?id=633546 https://bugzilla.mozilla.org/show_bug.cgi?id=633552

CRL http://ocsp.affirmtrust.com/ntwkev DV, OV, EV (Policy OID 1.3.6.1.4.1.34697.2.2) AffirmTrust document repository AffirmTrust Certification Practice Statement (English) AffirmTrust Relying Party Agreement (English) https://bugzilla.mozilla.org/show_bug.cgi?id=543639 https://bugzilla.mozilla.org/show_bug.cgi?id=633546 https://bugzilla.mozilla.org/show_bug.cgi?id=633552

CRL http://ocsp.affirmtrust.com/premev DV, OV, EV (Policy OID 1.3.6.1.4.1.34697.2.3) AffirmTrust document repository AffirmTrust Certification Practice Statement (English) AffirmTrust Relying Party Agreement (English) https://bugzilla.mozilla.org/show_bug.cgi?id=543639 https://bugzilla.mozilla.org/show_bug.cgi?id=633546 https://bugzilla.mozilla.org/show_bug.cgi?id=633552

CRL http://ocsp.affirmtrust.com/premeccev DV, OV, EV (Policy OID 1.3.6.1.4.1.34697.2.4) AffirmTrust document repository AffirmTrust Certification Practice Statement (English) AffirmTrust Relying Party Agreement (English) https://bugzilla.mozilla.org/show_bug.cgi?id=543639 https://bugzilla.mozilla.org/show_bug.cgi?id=633546 https://bugzilla.mozilla.org/show_bug.cgi?id=633552

ACCV (Autoritat de Certificacio de la Comunitat Valenciana) is a CA operated by the government of the Valencia region of Spain. ACCV is a public certificate service provider and the intended use for this root certificate is to improve the electronic administration between citizens and the administration.

DNB Audit Report and Management's Assertions

This root has four internally-operated subordinate CAs which sign end-entity certificates for individuals and organizations.

CRL http://ocsp.pki.gva.es/ DV, IV ACCV Document Repository ACCV Certification Practice Statement (Spanish) ACCV Certification Policy Documents listed by certificate usage SSL CP (Spanish) Code Signing CP (Spanish) Qualified Certs CP for Public Employees (Spanish) Qualified Certs CP for Citizens (Spanish) http://bugzilla.mozilla.org/show_bug.cgi?id=274100 http://bugzilla.mozilla.org/show_bug.cgi?id=653761

Taiwan CA. Inc. (TWCA) is a commercial CA that provides a consolidated on-line financial security certificate service and a sound financial security environment, to ensure the security of on-line finance and electronic commercial trade in Taiwan.

SunRise CPAs’ Firm, a member firm of DFK Audit Report and Management's Assertsions

This root has four internally-operated subordinate CAs according to their application and usage.

CRL OV CA Hierarchy Diagram Document Repository TWCA UCA CPS (Chinese) TWCA UCA CPS (English) TWCA PKI Certificate Policy (Chinese) TWCA PKI Certificate Policy (English) TWCA Root CA Certification Practice Statement (Chinese) TWCA Root CA Certification Practice Statement (English) https://bugzilla.mozilla.org/show_bug.cgi?id=518503 https://bugzilla.mozilla.org/show_bug.cgi?id=666681

A-Trust is an accredited TrustCenter in Austria issuing smartcard based qualified certificates for Austrian citizens used in eGovernment. A-Trust has been accredited according to the Austrian Signature Law by Telekom-Control-Kommission, the Austrian supervisory body. A-Trust’s product range comprises user certificates, developer certificates and corporate certificates as well as consultation services and support with the development of e-commerce and signature applications in accordance with the Directive 1999/93/EC.

Ernst & Young Audit Report and Management's Assertions Ernst & Young Audit Report and Management's Assertions

This root has internally-operated intermediate CAs that issue smartCard-based certificates to a natural person after a face-to-face identification (eg.: email), software certificates (pKCS#12), and server certificates (eg. SSL and EV SSL).

CRL http://ocsp.a-trust.at/ocsp OV, EV (Policy OID 1.2.40.0.17.1.22) Full list of CP documents SSL CP (German) EV SSL CP (German) Full list of CPS documents SSL CPS (German) EV SSL CPS (German) https://bugzilla.mozilla.org/show_bug.cgi?id=530797 https://bugzilla.mozilla.org/show_bug.cgi?id=661672 https://bugzilla.mozilla.org/show_bug.cgi?id=661681

Certinomis is a commercial CA that delivers certificates to the general public in France, and is the Certificate Service Provider of the French Postal Service.

LSTI ETSI Certificate

This root has internally-operated subordinate CAs: “Certinomis AC 1 étoile” (OV verification for SSL), “Certinomis AC 2 étoiles” (EV like verification for SSL), “Certinomis - Autorité de Test” (for internal testing only), “Certinomis Corporate” (discontinued).

CRL OV Document Repository CPS (French) Sections 2.1 and 3.4 of CPS (English) Root CP (French) CP Serveur SSL 1 étoile (French) Section 3.2 of CP Serveur SSL 1 étoile (English) CP Serveur SSL 2 étoiles (French) RA Procedures Document – PROC (French) Part of RA Procedures Document – PROC (English) https://bugzilla.mozilla.org/show_bug.cgi?id=545614 https://bugzilla.mozilla.org/show_bug.cgi?id=645880

CATCert is the Catalan Agency of Certification (Agència Catalana de Certificació). CATCert’s aim is to provide digital certification services and promote the usage of digital signature in order to make safer the communications within the Catalan government and the communications (within and for) the Catalan government.

Ernst and Young Audit Report and Management Assertions

This root has seven internally-operated subordinate CAs. The subordinate CAs are used to distinguish who the certificates are issued to. The EC-IDCAT certificates are issued to Catalan citizens. The EC-SAFP (a sub-CA of EG-GENCAT), EC-AL, and EC-PARLAMENT certificates are not issued to the general public, but only to the civil servants and computers or devices of the Regional Catalan government, the Catalan Government, and the Catalan Parliament. The EC-UR and EC-URV certificates are not issued to the general public, but to employees, students and computers or devices of Catalan universities and research centers connected to the “Anella Científica” group, and the Universitat Rovira i Virgili (URV).

CRL http://ocsp.catcert.net OV CA Hierarchy Diagram Document Repository (Catalan) Certification Policy (Catalan) Certification Policy Section 3 (English) Declaración de Prácticas de Certificación (DPC) for each sub-CA (Catalan) Operative Procedure (Catalan) https://bugzilla.mozilla.org/show_bug.cgi?id=295474 https://bugzilla.mozilla.org/show_bug.cgi?id=707995

The main goal of HARICA (Hellenic Academic and Research Institutions Certification Authority / Greek Universities Network) is the deployment of an infrastructure for secure communication between the collaborating members of the Greek Academic and Research Institutions. All HARICA certificates have a clear mark indicating that the certificate is subject to Greek laws and their CPS.

Deventum Audit Statement

Certificates in this hierarchy may only be used for academic, research, or educational purposes. This root will eventually have the same subordinate CAs as HARICA's current MD5 root, which has several internally-operated sub-CAs, and one externally operated sub-CA. Each sub-CA is used for a different Academic or Research Institution and issues both user and server certificates.

CRL http://ocsp.harica.gr OV Certificate Practices Certification Policy and Certification Practices Statement (English) https://bugzilla.mozilla.org/show_bug.cgi?id=581901 https://bugzilla.mozilla.org/show_bug.cgi?id=711594

Actalis is a public CA offering PKI services to a wide number of customers, mainly banks and local government. Actalis is a Qualified certification service provider according to the EU Signature Directive (Directive 1999/93/EC). Actalis designs, develops, delivers and manages services and solutions for on-line security, digital signatures and document certification; develops and offers PKI-enabling components, supplies complete digital signature and strong authentication kits (including hardware and software), delivers ICT security consultancy and training.

DigitPA Audit Statement National Accredited Service Providers Audit Criteria (see section 1.3 re ETSI TS 101 456)

This new root certificate will eventually replace the Actalis Authentication CA G1 root certificate. It will sign internally-operated subordinate CAs which will sign end-entity certificates.

CRL http://portal.actalis.it/VA/AUTH-G2 OV Actalis Policy Documents CPS for SSL and Code Signing Certs (Italian) CPS for SSL and Code Signing Certs (English) https://bugzilla.mozilla.org/show_bug.cgi?id=520557 https://bugzilla.mozilla.org/show_bug.cgi?id=742525 https://bugzilla.mozilla.org/show_bug.cgi?id=742525

Trustis is a commercial CA operating primarily in the UK and Europe.

KPMG Audit Report and Management's Assertions

CRL OV Trustis Document Repository Trustis FPS Minimum Enrolment Requirements Trustis FPS Certificate Policy Trustis FPS Issuing Authority PKI Disclosure Statement Subscriber Agreement https://bugzilla.mozilla.org/show_bug.cgi?id=577665 https://bugzilla.mozilla.org/show_bug.cgi?id=742514