ACCV (Autoritat de Certificacio de la Comunitat Valenciana) is
a CA operated by the government of the Valencia region of Spain.
Seguridad y Sistemas de Informacion S.L.
Informe de Auditoria Independiente
CRL
http://ocsp.pki.gva.es/
DV, IV
Declaracion de Practicas de Certificacion (CPS) de la ACCV, v1.7 in Spanish
Certification policies and practices for the different types of certs (Spanish)
http://bugzilla.mozilla.org/show_bug.cgi?id=274100
Korea Information Security Agency (KISA) is the
Electronic Signature Authorization Management Center for South
Korea. The Korean Certification Authority Central (KCAC) of KISA
issues certificates to six (6) intermediate CAs ("licensed CAs"
or LCAs), which then issue end entity certificates to Korean
citizens, businesses, and other organizations.
Ministry of Information and Communication, Republic of Korea
Public statement by MIC re KISA/KCAC audit
Certificates are issued from this root only to KISA's 6
LCAs (Licensed CAs), not directly to end entities. Note that
this root is apparently being phased out in favor of the KISA
RootCA 1.
CRL
DV and IV
CPS 1.1 (English)
CPS 1.3 (Korean)
Certificate issuing procedure (Korean)
Web Server Security, Code-Signing, Secure E-mail Certificates Issuance Administration Guideline (English)
https://bugzilla.mozilla.org/show_bug.cgi?id=335197
Certificates are issued from this root only to KISA's 6
LCAs (Licensed CAs), not directly to end entities. Note that
this root CA is replacing CertRSA01.
CRL
DV and IV
CPS 1.1 (English)
CPS 1.3 (Korean)
Certificate issuing procedure
Web Server Security, Code-Signing, Secure E-mail Certificates Issuance Administration Guideline (English)
https://bugzilla.mozilla.org/show_bug.cgi?id=335197
Certificates are issued from this root only to KISA's 6
LCAs (Licensed CAs), not directly to end entities.
CRL
DV and IV
CPS 1.1 (English)
CPS 1.3 (Korean)
Certificate issuing procedure
Web Server Security, Code-Signing, Secure E-mail Certificates Issuance Administration Guideline (English)
https://bugzilla.mozilla.org/show_bug.cgi?id=335197
Deutscher Sparkassen Verlag GmbH is the world's largest
smartcard provider and the central certification service
provider for all German savings banks. This CA exists to enable
up to 40 million German customers (end-users) to use their
banking card as a certificate based signature, encryption and
authentication device.
TÜV-IT
ETSI TS 101.456 Certificate
TÜV-IT
ETSI TS 102.042 Certificate
This root will provide all customers of the German
Savings Bank Financial Group with client certificates for
their signature-enabled debit cards (smartcards).
CRL
http://ocsp-q.s-trust.de
IV
Certification Practice Statement for the S-TRUST Network
https://bugzilla.mozilla.org/show_bug.cgi?id=370627
Not approved for inclusion.
This root will provide all customers of the German
Savings Bank Financial Group with client certificates for
their signature-enabled debit cards (smartcards).
CRL
http://ocsp-q.s-trust.de
IV
Certification Practice Statement for the S-TRUST Network
https://bugzilla.mozilla.org/show_bug.cgi?id=370627
Not approved for inclusion.
This root will provide all customers of the German
Savings Bank Financial Group with client certificates for
their signature-enabled debit cards (smartcards).
CRL
http://ocsp-q.s-trust.de
IV
Certification Practice Statement for the S-TRUST Network
https://bugzilla.mozilla.org/show_bug.cgi?id=370627
Not approved for inclusion.
The Telekom-Control Commission is the Austrian supervisory authority for electronic signatures. Its
responsibility includes supervision of all certification service providers
established in Austria. For every CA key used by an
Austrian certification service provider, the TKK issues a certificate to the
certification service provider. Based on these certificates, all certificates
issued by supervised Austrian certification service providers can be verified.
There are five subordinate CAs, each of which issues certificates for a different purpose.
Secure Information Technology Center - Austria
Conformity Assessment Statement
The TKK issues certificates to certification service providers who are
supervised according to the Austrian Electronic Signatures Act.
The corresponding private keys of certification service
providers are used for issuing certificates to end entities (signatories).
CRL
OV
Certificate
Policy
Certificate
Practice Statement
https://bugzilla.mozilla.org/show_bug.cgi?id=373174
CRL doesn't work in Firefox - bug 133191.
VeriSign is a major commercial CA with worldwide
operations and customer base.
KPMG
Audit
Reports and Management's Assertions
This request is to EV-enable this SHA256 root which is currently included in NSS.
This CA will be used to sign certificates for SSL-enabled servers,
and may in the future be used to sign certificates for
digitally-signed executable code objects. VeriSign is not yet
actively issuing certificates from this root, so they have not
yet published a CRL.
CRL
OV, EV (Policy OID 2.16.840.1.113733.1.7.23.6)
VeriSign Certification Practice Statement
VeriSign Trust Network Certificate Policies
CA Hierarchy Diagram
https://bugzilla.mozilla.org/show_bug.cgi?id=536318
https://bugzilla.mozilla.org/show_bug.cgi?id=515470
This request is to EV-enable this ECC root which is currently included in NSS.
This CA will be used to sign certificates for SSL-enabled servers,
and may in the future be used to sign certificates for
digitally-signed executable code objects. VeriSign is not yet
actively issuing certificates from this root, so they have not
yet published a CRL. All subordinated CAs for this root will
be internally operated.
CRL
OV, EV (Policy OID 2.16.840.1.113733.1.7.23.6)
VeriSign Certification Practice Statement
VeriSign Trust Network Certificate Policies
CA Hierarchy Diagram
https://bugzilla.mozilla.org/show_bug.cgi?id=536318
https://bugzilla.mozilla.org/show_bug.cgi?id=515472
This root CA (also known as PCA1-G1-SHA1) has Signature Algorithm SHA-1.
This root will supersede the PCA1-G1 root that is already included
in NSS, which has Signature Algorithm MD2.
CRL
DV
VeriSign Certification Practice Statement
VeriSign Trust Network Certificate Policies
CA Hierarchy Diagram
https://bugzilla.mozilla.org/show_bug.cgi?id=490895
https://bugzilla.mozilla.org/show_bug.cgi?id=515462
This root CA (also known as PCA2-G1-SHA1) has Signature Algorithm SHA-1.
This root will supersede the PCA2-G1 root that is already included in
NSS, which has Signature Algorithm MD2.
This root does not have any active sub-CAs, but VeriSign wants the root to be included
to enable their customers to read thair archived S/MIME mail.
CRL
IV/OV
VeriSign Certification Practice Statement
VeriSign Trust Network Certificate Policies
CA Hierarchy Diagram
https://bugzilla.mozilla.org/show_bug.cgi?id=490895
As per Comment #40 in the bug,
VeriSign concurrs that this root does not need to be included in NSS.
This root CA (also known as PCA3-G1-SHA1) has Signature Algorithm SHA-1.
This root will supersede the PCA3-G1 root that is already included in
NSS, which has Signature Algorithm MD2.
CRL
http://ocsp.verisign.com
OV
VeriSign Certification Practice Statement
VeriSign Trust Network Certificate Policies
CA Hierarchy Diagram
https://bugzilla.mozilla.org/show_bug.cgi?id=490895
https://bugzilla.mozilla.org/show_bug.cgi?id=515462
The initial request was also to EV-enable this root. However, it was deteremined that EV-enablement was not necessary.
GeoTrust is a commercial CA with worldwide operations and
customer base; it is a subsidiary of VeriSign, Inc.
KPMG
Audit
Report and Management's Assertions
This request is to EV-enable this ECC root which is currently included in NSS.
This CA will be used to sign certificates for SSL-enabled servers,
and may in the future be used to sign certificates for
digitally-signed executable code objects. GeoTrust is not yet
actively issuing certificates from this root, so they have not
yet published a CRL. All subordinated CAs for this root will
be internally operated.
CRL
DV, OV, EV (Policy OID 1.3.6.1.4.1.14370.1.6)
GeoTrust Certification Practice Statement, Version 1.1.2
Other documents
GeoTrust Subscriber Agreement
GeoTrust Relying Party Agreement
GeoTrust Reseller Agreement
GeoTrust EnterpriseSSL Agreement
https://bugzilla.mozilla.org/show_bug.cgi?id=539255
https://bugzilla.mozilla.org/show_bug.cgi?id=517242
This request is to EV-enable the SHA256 root which is currently included in NSS.
This CA will be used to sign certificates for SSL-enabled servers,
and may in the future be used to sign certificates for
digitally-signed executable code objects.
CRL
DV, OV, EV (OID 1.3.6.1.4.1.14370.1.6)
GeoTrust Certification Practice Statement, Version 1.1.2
Other documents
GeoTrust Subscriber Agreement
GeoTrust Relying Party Agreement
GeoTrust Reseller Agreement
GeoTrust EnterpriseSSL Agreement
https://bugzilla.mozilla.org/show_bug.cgi?id=539255
https://bugzilla.mozilla.org/show_bug.cgi?id=517234
thawte is a commercial CA with worldwide operations and
customer base; it is a subsidiary of VeriSign, Inc.
KPMG
Audit
Report and Management's Assertions
This request is to EV-enabled this ECC root which is currently included in NSS.
This CA will be used to sign certificates for SSL-enabled servers,
and may in the future be used to sign certificates for
digitally-signed executable code objects. thawte is not yet
actively issuing certificates from this root, so they have not
yet published a CRL. All subordinated CAs for this root will
be internally operated.
CRL
DV, OV, EV (Policy OID 2.16.840.1.113733.1.7.48.1)
Thawte Document Repository (English)
Thawte CPS (English)
https://bugzilla.mozilla.org/show_bug.cgi?id=539257
https://bugzilla.mozilla.org/show_bug.cgi?id=521869
This request is to EV-enabled this SHA256 root which is currently included in NSS.
This CA will be used to sign certificates for SSL-enabled servers,
and may in the future be used to sign certificates for
digitally-signed executable code objects. thawte is not yet
actively issuing certificates from this root, so they have not
yet published a CRL. All subordinated CAs for this root will
be internally operated.
CRL
DV,OV, EV (Policy OID 2.16.840.1.113733.1.7.48.1)
Thawte Document Repository (English)
Thawte CPS (English)
https://bugzilla.mozilla.org/show_bug.cgi?id=539257
https://bugzilla.mozilla.org/show_bug.cgi?id=521869
A-Trust is an accredited TrustCenter in Austria issuing smartcard based qualified
certificates for Austrian citizens used in eGovernment. A-Trust has been accredited
according to the Austrian Signature Law by Telekom-Control-Kommission, the Austrian
supervisory body.
A-Trust’s product range comprises user certificates, developer certificates and corporate
certificates as well as consultation services and support with the development of
e-commerce and signature applications in accordance with the Directive 1999/93/EC.
Ernst & Young
In Progress
The intermediate CAs below this CA issue smartCard-based certificates to a natural
person after a face-to-face identification (eg.: email), software certificates (pKCS#12), and
server certificates (eg. SSL) after domain-verification.
CRL
http://ocsp.a-trust.at/ocsp
DV, OV
SSL CP
SSL CPS
Full list of CPs
Full list of CPSes
https://bugzilla.mozilla.org/show_bug.cgi?id=530797
The intermediate CAs below this CA issue only qualified smartCard-based certificates
to a natural person after a face-to-face identification.
CRL
http://ocsp.a-trust.at/ocsp
IV
Full list of CPs
Full list of CPSes
https://bugzilla.mozilla.org/show_bug.cgi?id=373746
Bug #373746 was closed as Won't Fix due to lack of audit.
The intermediate CAs below this CA issue qualified smartCard-based certificates to a natural person after a face-to-face identification,
smartCard-based certificates to a natural person after a face-to-face identification (eg.: email), and
server certificates (eg. SSL) after domain-verification.
CRL
http://ocsp.a-trust.at/ocsp
DV, IV
Full list of CPs
Full list of CPSes
https://bugzilla.mozilla.org/show_bug.cgi?id=373746
Bug #373746 was closed as Won't Fix due to lack of audit.
The intermediate CAs below this CA issue smartCard-based certificates to a natural person after a face-to-face identification (eg.: email),
software certificates (pKCS#12), and
server certificates (eg. SSL) after domain-verification
CRL
http://ocsp.a-trust.at/ocsp
DV, IV
Full list of CPs
Full list of CPSes
https://bugzilla.mozilla.org/show_bug.cgi?id=373746
Bug #373746 was closed as Won't Fix due to lack of audit.
ARGE DATEN, the Austrian Society for Data Protection is a non-profit
non-governmental organisation. It is the Austrian market leader
in issuing certificates for eBilling. It operates subordinate CAs for eBilling,
SSL Server Certificates, SSL Client Certificates, and members of
governmental institutions.
This root certificate issues both end-user certificates and CA certificates.
It is the current root certificate of ARGE DATEN.
CRL
http://ocsp.a-cert.at
IV
A-CERT Certificate Policy v1.5
https://bugzilla.mozilla.org/show_bug.cgi?id=348987
This root certificate will not directly issue end-user certificates. It is used
to issue the subordinate CA certificates which in turn issue the end-user
certificates. This certificate is the
successor to the A-CERT ADVANCED root certificate.
CRL
http://ocsp.a-cert.at
IV
GLOBALTRUST Certificate Policy v1.2
https://bugzilla.mozilla.org/show_bug.cgi?id=348987
Trustis is a commercial CA operating primarily in the UK and Europe.
KPMG
Audit
Report and Management Assertions
tScheme
tScheme Grant of Approval
CRL
IV
Trustis FPS Root CP v1.04
PKI Disclosure Statement v1.04
Trustis CPS v1.1
https://bugzilla.mozilla.org/show_bug.cgi?id=324126
Izenpe is owned by the government of the Basque country, Spain.
BSI Management Systems
ETSI Certificate
KPMG
Audit Report and Management Assertions
This is the original root, which is still needed. This root has four
internally-operated subordinate CAs. There are two sub-CAs for Qualified
certificates, one for Public Administration, and one for Citizens and Entities.
There are also two sub-CAs for non-Qualified certificates, one for Public
Administration and one for Citizens and Entities, which issue SSL Server,
Email, and Code Signing certs.
CRL
http://ocsp.izenpe.com:8094
OV
CA Hierarchy
Links to CPS in Spanish, Basque, and English
CPS in English
CPS in Spanish
Certificate Specific Documentation
Procedures for EV SSL Secure Server Certificates (Spanish)
Procedures for Secure Server Certificates (Spanish)
Procedures for Code Signing Certificates (Spanish)
Procedures for Corporate Certificates (Spanish)
https://bugzilla.mozilla.org/show_bug.cgi?id=361957
This is the new root, signed with SHA-256.
This root has five internally-operated subordinate CAs.
One sub-CA issues EV SSL certs. Two of the sub-CAs are for Qualified certificates,
one for Public Administration, and one for Citizens and Entities. There are also
two sub-CAs for non-Qualified certificates, one for Public Administration and one
for Citizens and Entities, which issue SSL Server, Email, and Code Signing certs.
CRL
http://ocsp.izenpe.com:8094
OV, EV (Policy OID 1.3.6.1.4.1.14777.6.1.1)
CA Hierarchy
Links to CPS in Spanish, Basque, and English
CPS in English
CPS in Spanish
Certificate Specific Documentation
Procedures for EV SSL Secure Server Certificates (Spanish)
Procedures for Secure Server Certificates (Spanish)
Procedures for Code Signing Certificates (Spanish)
Procedures for Corporate Certificates (Spanish)
https://bugzilla.mozilla.org/show_bug.cgi?id=361957
TC TrustCenter GmbH is a commercial company based in Germany,
with customers in all major regions of the world. TC TrustCenter
offers a variety of products and services including SSL Server
certificates and Email certificates.
TÜV-IT Germany
ETSI TS 102 042 V2.1.1 EV Certificate
This root will eventually have an internally-operated subordinate CA for each registration
strength; “Class 1”, “Class 2”, “Class 3” and “Class 4”. This root currently has one
Class 4 subordinate CA, “TC TrustCenter Class 4 Extended Validation CA I”, which will
only issue EV certificates.
This new root will co-exist with the “TC TrustCenter Universal CA I” root that is
currently included in NSS.
This new root will effectively replace the "TC Universal CA II" root which was not
included in NSS. For this new root, TC TrustCenter generated a new key (supervised
by their auditor) to be compliant with the CA/B Forum guidelines.
CRL
http://ocsp.tcuniversal-iii.trustcenter.de
OV, EV (policy OID 1.2.276.0.44.1.1.1.4)
CPS (English)
CPS
CP (English)
CP
All TC TrustCenter root certs
https://bugzilla.mozilla.org/show_bug.cgi?id=436467
QuoVadis is a commercial CA, based in Bermuda and
operating globally. QuoVadis is a Qualified Certification
Services Provider in Switzerland.
Ernst & Young
(Technology and Security Risk Services)
Audit
Report and Management's Assertions
KPMG
Swiss
Accreditation Service statement
Ernst & Young
CA-supplied
auditor's letter re WebTrust EV audit
This root will be used for SSL/device certificates,
including standard "organisation validated" certificates as well
as EV certificates. The associated EV policy OID is
1.3.6.1.4.1.8024.0.2.100.1.2.
CRL
http://ocsp.quovadisglobal.com/
OV, EV
QuoVadis
Root CA2 CP/CPS v1.8
https://bugzilla.mozilla.org/show_bug.cgi?id=403665
https://bugzilla.mozilla.org/show_bug.cgi?id=418701
Note that this root CA certificate is already included
in the Mozilla list (per bug 365281). The present request is to
enable this CA certificate for EV.
DigiCert is a US-based commercial CA with headquarters in Lindon, UT. DigiCert
provides digital certification and identity assurance services internationally
to a variety of sectors including business, education, and government.
KPMG
Audit Report and Management's Assertions
KPMG
Audit Report and Management's Assertions
This request is to enable the Code Signing trust bit for a root that is already in NSS.
CRL
http://ocsp.digicert.com
OV, EV
Document Repository
CPS
CPS for EV
https://bugzilla.mozilla.org/show_bug.cgi?id=515425
This request is to enable the Code Signing trust bit for a root that is already in NSS.
CRL
http://ocsp.digicert.com
OV, EV
Document Repository
CPS
CPS for EV
https://bugzilla.mozilla.org/show_bug.cgi?id=515425
This request is to enable the Code Signing trust bit for a root that is already in NSS.
CRL
http://ocsp.digicert.com
OV, EV (policy OID 2.16.840.1.114412.2.1)
Document Repository
CPS
CPS for EV
https://bugzilla.mozilla.org/show_bug.cgi?id=515425
Comodo CA Ltd is a commercial CA based in the UK and
serving customers worldwide. Comodo has eleven root CA certs
already included in Mozilla, all of which it would like upgraded
for EV use, and one additional EV root requested for
inclusion. There are altogether 124 subordinate CAs signed by
the root CAs listed below. Some of them exist to differentiate
between different Comodo brands or products and some are used to
re-brand products for its partners. In each case Comodo retains
the private key for the subordinate CA within its
infrastructure.
KPMG
Audit Report and Management's Assertions
KPMG
Report in relation to the WebTrust for Certification Authorities Extended Validation Criteria
Root CA certificate with subordinate CAs issuing SSL
certificates (DV, OV and EV), email certificates, and code
signing certificates.
CRL
http://ocsp.comodoca.com/
DV, IV/OV, EV (policy OID 1.3.6.1.4.1.6449.1.2.1.5.1)
https://bugzilla.mozilla.org/show_bug.cgi?id=401587
Note that this root CA certificate is already included
in the Mozilla list. The present request is to enable this CA
certificate for EV and code signing.
Root CA certificate with subordinate CAs issuing SSL
certificates (DV, OV and EV), email certificates, and code
signing certificates.
CRL
http://ocsp.comodoca.com/
DV, IV/OV, EV (policy OID 1.3.6.1.4.1.6449.1.2.1.5.1)
Comodo Certification Practice Statement, Version 3.0
Comodo Extended Validation (EV) Certification Practice Statement, Version 1.03
December Addendum to the Comodo Certification Practice Statement v.3.0 (28 November 2007)
Essential SSL addendum to the Certification Practice Statement (1 February 2007)
Positive SSL addendum to the Certification Practice Statement (23 June 2006)
LiteSSL addendum to the Certification Practice Statement (3 February 2005)
https://bugzilla.mozilla.org/show_bug.cgi?id=401587
Note that this root CA certificate is already included
in the Mozilla list. The present request is to enable this CA
certificate for EV.
Root CA certificate with subordinate CAs issuing SSL
certificates (DV, OV and EV), email certificates, and code
signing certificates.
CRL
http://ocsp.comodoca.com/
DV, IV/OV, EV (policy OID 1.3.6.1.4.1.6449.1.2.1.5.1)
https://bugzilla.mozilla.org/show_bug.cgi?id=401587
Note that this root CA certificate is already included
in the Mozilla list. The present request is to enable this CA
certificate for EV and to enable all trust bits if not already
enabled.
Root CA certificate with subordinate CAs issuing SSL
certificates (DV, OV and EV), email certificates, and code
signing certificates.
CRL
http://ocsp.comodoca.com/
DV, IV/OV, EV (policy OID 1.3.6.1.4.1.6449.1.2.1.5.1)
https://bugzilla.mozilla.org/show_bug.cgi?id=401587
Note that this root CA certificate is already included
in the Mozilla list. The present request is to enable this CA
certificate for EV.
Root CA certificate with subordinate CAs issuing SSL
certificates (DV, OV and EV), email certificates, and code
signing certificates.
CRL
http://ocsp.comodoca.com/
DV, IV/OV, EV (policy OID 1.3.6.1.4.1.6449.1.2.1.5.1)
Comodo Certification Practice Statement, Version 3.0
Comodo Extended Validation (EV) Certification Practice Statement, Version 1.03
https://bugzilla.mozilla.org/show_bug.cgi?id=401587
Note that this root CA certificate is already included
in the Mozilla list. The present request is to enable this CA
certificate for EV, code signing, and email.
Root CA certificate with subordinate CAs issuing SSL
certificates (DV, OV and EV), email certificates, and code
signing certificates.
CRL
http://ocsp.comodoca.com/
DV, IV/OV, EV (policy OID 1.3.6.1.4.1.6449.1.2.1.5.1)
Comodo Certification Practice Statement, Version 3.0
https://bugzilla.mozilla.org/show_bug.cgi?id=401587
Note that this root CA certificate is already included
in the Mozilla list. The present request is to enable this CA
certificate for EV, email, and code signing.
Root CA certificate with subordinate CAs issuing SSL
certificates (DV, OV and EV), email certificates, and code
signing certificates.
CRL
http://ocsp.comodoca.com/
DV, IV/OV, EV (policy OID 1.3.6.1.4.1.6449.1.2.1.5.1)
Comodo Certification Practice Statement, Version 3.0
Comodo Extended Validation (EV) Certification Practice Statement, Version 1.03
December Addendum to the Comodo Certification Practice Statement v.3.0 (28 November 2007)
Essential SSL addendum to the Certification Practice Statement (1 February 2007)
Positive SSL addendum to the Certification Practice Statement (23 June 2006)
LiteSSL addendum to the Certification Practice Statement (3 February 2005)
https://bugzilla.mozilla.org/show_bug.cgi?id=401587
Note that this root CA certificate is already included
in the Mozilla list. The present request is to enable this CA
certificate for EV, email, and code signing.
Root CA certificate with subordinate CAs issuing SSL
certificates (DV, OV and EV), email certificates, and code
signing certificates.
CRL
http://ocsp.comodoca.com/
DV, IV/OV, EV (policy OID 1.3.6.1.4.1.6449.1.2.1.5.1)
Comodo Certification Practice Statement, Version 3.0
https://bugzilla.mozilla.org/show_bug.cgi?id=401587
Note that this root CA certificate is already included
in the Mozilla list. The present request is to enable this CA
certificate for EV, SSL, and email.
Root CA certificate with subordinate CAs issuing SSL
certificates (DV, OV and EV), email certificates, and code
signing certificates.
CRL
http://ocsp.comodoca.com/
DV, IV/OV, EV (policy OID 1.3.6.1.4.1.6449.1.2.1.5.1)
Comodo Certification Practice Statement, Version 3.0
November 2007 Addendum to the Comodo Certification Practice Statement v.3.0 (31 October 2007)
August 2007 Intel Pro SSL Addendum to the Comodo Certification Practice Statement v.3.0 (17 August 2007)
March 2007 Unified Communications Addendum to the Comodo Certification Practice Statement v.3.0 (1 March 2007)
https://bugzilla.mozilla.org/show_bug.cgi?id=401587
Note that this root CA certificate is already included
in the Mozilla list. The present request is to enable this CA
certificate for EV.
Root CA certificate with subordinate CAs issuing SSL
certificates (DV, OV and EV), email certificates, and code
signing certificates.
CRL
http://ocsp.comodoca.com/
DV, IV/OV, EV (policy OID 1.3.6.1.4.1.6449.1.2.1.5.1)
https://bugzilla.mozilla.org/show_bug.cgi?id=401587
Note that this root CA certificate is already included
in the Mozilla list. The present request is to enable this CA
certificate for EV.
Root CA certificate with subordinate CAs issuing SSL
certificates (DV, OV and EV), email certificates, and code
signing certificates.
CRL
http://ocsp.comodoca.com/
DV, IV/OV, EV (policy OID 1.3.6.1.4.1.6449.1.2.1.5.1)
https://bugzilla.mozilla.org/show_bug.cgi?id=401587
Note that this root CA certificate is already included
in the Mozilla list. The present request is to enable this CA
certificate for EV.
Cisco is a leading provider of networking equipment to
consumers and businesses worldwide.
PricewaterhouseCoopers
Audit Report and Management Assertions
This is an off-line root CA that issues CA certificates
to one or more Cisco-controlled subordinate CAs (including the
Cisco Manufacturing Sub-CA). The subordinate CAs in turn issue
end entity certificates, e.g., for use in Cisco network
equipment with embedded web servers and web-based
administrative interfaces.
CRL
IV/OV
Cisco Root CA 2048
Certification Practice Statement, Version 1.1
Cisco Root CA 2048 Certificate Policy, Version 1.0
https://bugzilla.mozilla.org/show_bug.cgi?id=416842
Verizon Business Security Solutions Powered by Cybertrust
operates a commercial certificate authority service for
businesses and governments internationally.
Ernst and Young
Audit Report and Management's Assertions
Ernst and Young
Audit Report and Management's Assertions
The request is to enable EV for this GTE CyberTrust Global Root
certificate, which is already included in NSS. This is presently
Cybertrust's mainstream root, issuing their standard
validation SSL server certificates, user authentication and
secure email certificates, and code signing certificates. This
root has existing subordinate CAs that are operated both
internally and by third-parties. The sub-CAs are required to
follow the CPS and to have regular audits. This CA will be
superseded by the Baltimore CybertTrust Root.
CRL
OV, EV (policy OID 1.3.6.1.4.1.6334.1.100.1)
Cybertrust CA Certificate Policy
Certification Practice Statement
http://bugzilla.mozilla.org/show_bug.cgi?id=430694
During the public discussion it was decided that this root should not be enabled for EV. Therefore, the bug has been closed as won't fix.
The request is to enable EV and add the Code Signing trust bit
for the Baltimore CyberTrust Root certificate, which is already included
in NSS. This root will supersede Cybertrust's current
mainstream root, GTE CyberTrust Global Root. When that
happens, this root will have subordinate CAs that are operated
both internally and by third-parties. The sub-CAs are required
to follow the CPS and to have regular audits.
CRL
OV, EV (policy OID 1.3.6.1.4.1.6334.1.100.1)
Cybertrust CA Certificate Policy
Certification Practice Statement
http://bugzilla.mozilla.org/show_bug.cgi?id=430698
SSC, Skaitmeninio Sertifkavimo Centras, is the Lithuanian Government accredited commercial CA issuing certificates to Government institutions, public services, businesses and citizens.
Information Society Development Committee Under The Government Of The Republic Of Lithuania
Statement of Compliance with ETSI TS 101.456
Lithuanian Government Qualified Certificate Service Provider
Root CA with four internally operated subordinate CAs: Class 1, Class 2, Qualified Class 3, and Qualified Class 3 VS.
CRL
http://ocsp.ssc.lt:2560
DV, OV
PKI Disclosure Statement
Certificate Practices
Certificate Practices Statement
http://bugzilla.mozilla.org/show_bug.cgi?id=379152
This Root CA is a special purpose CA that has no subordinate CAs.
Root B is used for single-root certificates (SSL, Code Signing,
OCSP, time stamping).
CRL
http://ocsp.ssc.lt:2560
DV, OV
PKI Disclosure Statement
Certificate Practices
Certificate Practices Statement
http://bugzilla.mozilla.org/show_bug.cgi?id=379152
Root C serves as a backup CA for Roots A and B. Just in case either
of those two roots become unusable and become revoked. According to
the government project that SSC is involved in, Root C will have to
be tested in a specific project where they must demonstrate availability
of its CRL and OCSP services. The project will accept Root C only if it
is a FireFox built-in object. If Root A does get revoked and Root C gets
put into service, then Root C will have four internally operated subordinate
CAs: Class 1, Class 2, Qualified Class 3, and Qualified Class 3 VS.
CRL
http://ocsp.ssc.lt:2560
DV, OV
PKI Disclosure Statement
Certificate Practices
Certificate Practices Statement
http://bugzilla.mozilla.org/show_bug.cgi?id=379152
Sociedad Cameral de Certificación Digital - Certicámara S.A. is a
commercial CA primarily serving Colombia and Andean Region
Deloitte and Touche
Audit Report and Management's Assertions
This is the orginal root which expires in 2011. Certicámara
requests that this root also be added to the NSS database
because they have a significant number of customers that use it,
and their certificates expire in 2010. End entity certificates
have been issued directly from this root, rather than using an
offline root and issuing certs through a subordinate CA.
CRL
OV
Certificate Hierarchy
Certificate Policy
Declaration of Practices
http://bugzilla.mozilla.org/show_bug.cgi?id=401262
This root will not be approved for inclusion.
ICP Brasil (Infra-Estrutura de Chaves Públicas Brasileira)
is Brazil's National PKI created by the law Medida
Provisória nº 2.200-2 / 2001.
ICP Certificates are used in all secure Brazilian government
sites, other Brazilian sites and by financial institutions.
ICP-Brazil has the only (V0 and V1) chain operated by the ITI.
Auditor Website
Audit Hierarchy
Criteria and Procedures for Audit of ICP-Brasil
Criteria and Procedures for Audit of ICP-Brasil sub-CAs
Audit Committee
Root cert used to secure Brazilian government and financial sites.
This root has 8 subordinate CAs that are externally operated.
CRL
OV
Complete CA Hierarchy
Subordinate CA Hierarchy
Companies operating the subordinate CAs
CP (Portuguese)
CPS of CA-root (Portuguese)
CPS requirements for sub-CA (Portuguese)
ICP-Brasil Documents
https://bugzilla.mozilla.org/show_bug.cgi?id=438825
This is the next version of the Autoridade Certificadora
Raiz Brasileira root, which is used to secure Brazilian
government and financial sites.
CRL
OV
Complete CA Hierarchy
Subordinate CA Hierarchy
Companies operating the subordinate CAs
CP (Portuguese)
CPS of CA-root (Portuguese)
CPS requirements for sub-CA (Portuguese)
ICP-Brasil Documents
https://bugzilla.mozilla.org/show_bug.cgi?id=438825
AC Camerfirma S.A. is a commercial CA issuing certificates for companies
primarily in Spain. Camerfirma is the digital certification authority for
Chambers of Commerce in Spain.
Ernst and Young
Audit Report and Management's Assertions
Ernst and Young
Audit Report and Management's Assertions (Spanish)
Audit Report and Management's Assertions (English)
This CA has four internally-operated subordinate CAs that issue certificates
for Spanish companies and representatives. Chambers of Commerce act as RAs
for end user registration.
CRL
http://ocsp.camerfirma.com
OV, EV (Policy OIDs 1.3.6.1.4.1.17326.10.14.2.1.2 and 1.3.6.1.4.1.17326.10.14.2.2.2)
Certificate Practice Statement
https://bugzilla.mozilla.org/show_bug.cgi?id=406968
This CA has internally-operated subordinate CAs that issue certificates for
general use globally. Other companies act as RAs for end user registration.
CRL
http://ocsp.camerfirma.com
OV, EV (Policy OIDs 1.3.6.1.4.1.17326.10.8.12.1.2 and 1.3.6.1.4.1.17326.10.8.12.2.2)
Certificate Practice Statement
https://bugzilla.mozilla.org/show_bug.cgi?id=406968
Hongkong Post is a government agency and is a recognized CA under
the law of Hong Kong Special Administrative Region (HKSAR) of China,
and has been issuing digital certificates under the e_Cert brand name
to individuals and organizations of HKSAR since January 2000.
Hongkong Post CA operations have been outsourced to E-Mice Solutions.
This is documented in the CPS and the Management Assertions.
The WebTrust audit covers both Hongkong Post and E-Mice CA operations.
PricewaterhouseCoopers
Audit Report and Management Assertions
This root has only one direct subordinate, Hongkong Post e-Cert CA 1,
which is the signer key and is used to issue different types of recognized
e-Certs to individuals and organizations.
CRL
OV
Certificate Practice Statement for e-Certs
https://bugzilla.mozilla.org/show_bug.cgi?id=408949
https://bugzilla.mozilla.org/show_bug.cgi?id=541499
File NSS bug after the CRL issues have all been resolved.
SK (Certification Centre, legal name AS Sertifitseerimiskeskus) is a
commercial CA, covering the Baltic region (Estonia, Lithuania, Latvia).
SK is Estonia's primary certification authority, providing certificates
for authentication and digital signing to Estonian ID Cards. Established in
2001, SK has the backing of Estonian and Nordic financial and telecom sector.
SK’s customers include the Estonian court system and notaries, Central Bank
and commercial banks, and enforcement organisations (e.g. Police).
KPMG Estonia
Audit Report
This root issues three types of internally operated subordinate CAs.
The first type of subordinate CA is used to issue electronic ID cards
which contain certificates for digital signature and for digital
identification.
The second type of subordinate CA is used to issue internal ID cards
of the Republic of Estonia.
The third type of subordinate CA is used to issue device and SSL certificates.
CRL
OV
Certificate Hierarchy Diagram
Certificate Practice statement
EID-SK Certificate Policy
ESTEID-SK Certificate Policy
KLASS3-SK Certificate Policy
https://bugzilla.mozilla.org/show_bug.cgi?id=414520
https://bugzilla.mozilla.org/show_bug.cgi?id=532742
Latvijas Pasts (Latvian Post) is a commercial CA operating primarily in
Latvia, targeting also Estonia and Lithuania. Latvian Post provides
certificate services to banks and postal services to the legal entities
and private individuals of the Republic of Latvia. Their accreditation
certification services include electronic signature certificates that are
issued according with local legislations (Electronic Document Law), smart
cards with two certificates (authentication and qualified signature) used
for authentication and document signing in Latvia, and SSL certificates
and Code Signing certificates for customers in European Union.
KPMG Latvia
Accreditation Certificate by Data State Inspection
This root CA issues an intermediate Policy CA, which issues the
Issuing CAs for Certificate Service Providers (CSPs).
CRL
http://ocsp.e-me.lv/responder.eme
OV
Certificate Status Check Tool
Download links for the root and intermediate CAs
Certificate Policy of the Certification Service Providers
Certificate Practice Statement of the Root CA
Certificate Practice Statement of the Policy CA
Certificate Practice Statment of the Issuing CAs of the Certification Service Providers
Certificate Practice Statement of the Infrastructure Certificates
Time-Stamp Policy
Time Stamp Authority Practice Statement
https://bugzilla.mozilla.org/show_bug.cgi?id=412747
VAS Latvia State Radio And Television Centre (LVRTC) is a joint-stock company.
The Republic of Latvia being represented by the Ministry of Transportation owns all
shares of the company.
LVRTC provides transmission of radio and television signals covering all of Latvia.
LVRTC also provides electronic document law enforcement in Latvia.
KPMG Baltics
Audit Statement
This root CA issues an intermediate Policy CA, which issues the
Issuing CAs for Certificate Service Providers (CSPs).
CRL
http://ocsp.eme.lv/responder.eme
OV
LVRTC Policies and Regulations
Download links for the root and intermediate CAs
Certificate Policy (English)
CPS of Root CA (English)
CPS of Policy CA (English)
CPS of Issuing CA (English)
CPS of Infrastructure Certificates (Latvian)
Certificate Selling Procedure (Latvian)
https://bugzilla.mozilla.org/show_bug.cgi?id=518098
Fábrica Nacional de Moneda y Timbre (FNMT) is a government agency that
provides services to Spain as a national CA.
BSI Management Systems B.V
Auditor Statement of ETSI Compliance
This root has no subordinate CAs, and has modulus length of 1024.
FNMT will be transitioning end-entity certs from this root to the new root.
However, Spanish users still need the “FNMT Clase 2 CA” because there are
more than 2,200,000 certificates issued that will be active for several years.
This root issues Qualified Certificates to natural persons according to
Qualified Certificates Certification Policy (1.3.6.1.4.1.5734.3.5),
Spanish Electronic Signature Law (59/2003) rules, and ETSI TS 101 456.
CRL
http://apus.cert.fnmt.es/appsUsuario/ocsp/OcspResponder
OV
Certification Practice Statement (Spanish)
Certification Practice Statement General (Spanish)
Policy and Certification Practices for Electronic Signature (Spanish)
https://bugzilla.mozilla.org/show_bug.cgi?id=435736
This is the new root, which the certificates from the “FNMT Clase 2 CA”
hierarchy will be transitioned to.
CRL
http://apus.cert.fnmt.es/appsUsuario/ocsp/OcspResponder
OV
Certification Practice Statement (Spanish)
Certification Practice Statement General (Spanish)
Policy and Certification Practices for Electronic Signature (Spanish)
https://bugzilla.mozilla.org/show_bug.cgi?id=435736
TURKTRUST Information Security Services Inc. is a public corporation and
is an IT company based in Turkey.
TURKTRUST is an authorized qualified electronic certificate service provider
according to the Turkish Electronic Signature Law. TURKTRUST issues qualified
certificates, time-stamping services, SSL certificates, and object signing certificates.
Turkish Telecommunications Authority
Letter of Official CA Statement
List of accredited CAs
Audit statement on auditor website
This is an offline root with one internally-operated subordinate CA that
issues qualified electronic certificates in accordance with
Turkish Electronic Signature Law.
CRL
http://ocsp.turktrust.com.tr
OV
Certification Practice Statement
Certificate Hierarchy
https://bugzilla.mozilla.org/show_bug.cgi?id=433845
Swiss BIT is also known as the Federal Office of Information Technology and
Telecommunication (FOITT) which operates servers and software applications for the
Confederation (one of the biggest employers in Switzerland) and third parties. The
FOITT also operates a carrier network for the Federal administration and organisations
close to the administration. Various, partly encrypted, virtual private networks (VPN)
are operated on this carrier network. Overall the FOITT serves 1200 locations in
Switzerland and 200 locations worldwide. The FOITT is also responsible for networking
the Swiss cantons and the Principality of Liechtenstein.
KPMG SA Switzerland
Audit Report and Management's Assertions
This root has three internally-operated subordinate CAs, with two currently in
operation. The sub-CAs issue certificates for hardware tokens to be used 1) for
identification, digital signatures, encryption, and authentication of individuals
2) for qualified digital signatures. The hardware tokens are issued to employees
of an administrative unit (federal, cantonal or municipal administration) who
already have their information published in Swiss BIT's Admin-Directory.
CRL
http://ocsp.pki.admin.ch
DV, OV
Admin PKI Repository
Hierarchy Diagram
CP/CPS for AdminPKI - Class A (English Translation)
CP/CPS for AdminPKI - Class A
CP/CPS for AdminPKI-Class B
https://bugzilla.mozilla.org/show_bug.cgi?id=435026
This root does not have subordinate CAs. It issues end-entity certificates directly
for users/organizations and devices/servers for identification, digital signatures,
encryption, code/document signing, webserver authentication (SSL), and application
server authentication. These certificates may be applied for by members of an
administrative unit (federal, cantonal or municipal administration) that have concluded
a framework agreement and SLA with Swiss BIT.
CRL
http://ocsp.pki.admin.ch
DV, OV
Admin PKI Repository
Hierarchy Diagram
AdminPKI CP/CPS Class CD-T01 (English)
Process Description for Provisioning Server certificates (German)
https://bugzilla.mozilla.org/show_bug.cgi?id=435026
Disig is a public Certification Service Provider, located in Slovakia.
Disig is a member of international ASSECO Group, one of the strongest
software houses in the CEE region. Asseco is a leader in selected IT
segments in countries across Central and Eastern Europe.
Scientia
Audit Statement
This root has no subordinate CAs, issuing end-entity certs
for SSL, email, and code signing directly.
CRL
OV
CP Version 4.0 (Slovak)
CPS Version 4.0 (Slovak)
CP Version 3.4 (English)
Disig Certification Authority Website
Security Policy (Slovak)
https://bugzilla.mozilla.org/show_bug.cgi?id=455878
https://bugzilla.mozilla.org/show_bug.cgi?id=539235
Staat der Nederlanden is the Netherlands national government CA. The Dutch
governmental PKI hierarchy consists of 2 roots. This first root, Staat der
Nederlanden Root CA, is already included in NSS. The second root is the
next generation, Staat der Nederlanden Root CA – G2.
KPMG
Audit Report and Management Asserstions
This is the next generation of the Staat der Nederlandend Root CA that
is currently in the Mozilla store. The PKIoverheid issues two internally
operated subordinate CAs, which issue subordinate CAs to CSPs. The CSPs
are commercial and governmental organizations. Each CSP has to prove that
it complies with ETSI TS 101 456 and the Dutch law on electronic signatures.
CSPs must conclude a contract with a representative of a government
organization or commercial company before issuing end-entity certificates.
A request for a certificate is always signed by a specified representative
of a government organization or commercial company.
CRL
OV
Description of PKI Overheid (English)
Certification Practice Statement of the Policy Authority PKI Overheid (Dutch)
CP for CSPs (Dutch)
Certificate Policy Part 3a for employees of governmental organizations or commercial companies (Dutch)
Certificate Policy Part 3b for SSL services of governmental organizations or commercial companies (Dutch)
Certificate Policy Part 3c for personal use of civilians (Dutch)
Schedule of Requirements (Dutch)
https://bugzilla.mozilla.org/show_bug.cgi?id=436056
https://bugzilla.mozilla.org/show_bug.cgi?id=529874
Serasa has 5 CAs under ICP-Brasil and 4 CAs not linked to ICP-Brasil.
This request is in regards to the CAs not linked to ICP-Brasil.
Serasa is a subsidiary of Experian which is a public, global corporation.
Serasa is an economic and financial analysis and information firm with global
coverage. Serasa has presence in all Brazilian state capitals and major cities,
and is the holder of Latin America's largest data bank on individuals, businesses
and corporate concerns.
Deloitte Touche Tohmatsu
Auditor Statement from 2004
Serasa CA I provides and sells digital certificates for general public that
need to sign electronic documents or be authenticated in a website.
CRL
IV/OV
Certificate Policy
Certificate Practices Statement
https://bugzilla.mozilla.org/show_bug.cgi?id=457921
Serasa CA II provides and sells server and code signing certificates for
corporations.
CRL
IV/OV
Certificate Policy
Certificate Practices Statement
https://bugzilla.mozilla.org/show_bug.cgi?id=457921
Serasa CA III provides CA certificates for Serasa and their clients in CA business.
CRL
IV/OV
Certificate Policy
Certificate Practices Statement
https://bugzilla.mozilla.org/show_bug.cgi?id=457921
Serasa CA IV provides and sells digital certificates for general public that
need to sign any kind of electronic documents or be authenticated in a website.
It has also “Smart Card Logon” (OID 1.3.6.1.4.1.311.20.2.2) applied.
CRL
IV/OV
Certificate Policy
Certificate Practices Statement
https://bugzilla.mozilla.org/show_bug.cgi?id=457921
The Population Register Centre operates under the Finland Ministry of Finance
to develop and maintain the national Population Information System, the guardianship
register and the Public Sector Directory Service. The Population Register Centre serves
as the Certification Authority for the State of Finland, and thus develops and maintains
the national certificate services to Finnish Citizens, state workers and organizations.
All certificates issued to natural persons by the Population Register Centre are qualified
certificates, i.e. European-wide certificates based on an EU Directive and Finnish legislation.
Finnish Communications Regulatory Authority (FICORA)
Audit Statement
QC Certificate on FICORA website
Inspecta Finland
Auditor Statement
This root issues internally-operated intermediate CAs.
CRL
IV/OV
Technical Specifications
FINEID Specification S2 - CA-model and certificate contents
Links to Intermediate CAs
Service Provider for Server CPS in Finnish
Smartcard Citizen Certificates CPS in English
Smartcard Qualified Certificates CPS in English
Smartcard Temporary Certificates CPS in Finnish
Software Cert Service Provider for E-mail Use CPS in Finnish
https://bugzilla.mozilla.org/show_bug.cgi?id=463989
D-TRUST GmbH is a wholly owned subsidiary of Bundesdruckerei
(100% Governmental), and is the only German trust center authorised
to perform sovereign tasks. The primary market is the German speaking
area (Austria, Germany, Switzerland) and B2B focused.
TÜV-IT Germany
Audit Certificate
This root will eventually have three internally-operated subordinate
CAs. It currently has one subordinate CA called D-TRUST Service
Class 3 CA 1 2008 which issues website certificates. The other two
subordinate CAs that will be created will be for email and code signing.
CRL
http://ssl.ocsp.d-trust.net
OV
D-TRUST-Root PKI Certification Practice Statement in English
CPS in German
CP in German
https://bugzilla.mozilla.org/show_bug.cgi?id=467891
The Edicom Certification Authority (ACEDICOM) provides companies, communities
and physical persons with secure electronic identification mechanisms that
enable them to engage in activities where the digital signature replaces the
handwritten with identical legal guarantees. To this end, ACEDICOM issues
certificates in accordance with the stipulations of Directive 1999/93/EC of
13th December 1999 and Law 59/2003 of 19th December, on electronic signature,
and so has sufficient recognition to operate in all countries of the European
Union. The Edicom CA is responsible for obtaining the corresponding official
authorisation in those places outside the Union where it operates commercially.
Ernst and Young
Audit Report and Management's Assertsions
This root has three internally-operated subordinate CAs. The ACEDICOM 01
subordinate CA issues Qualified certificates for identification and advanced
electronic signature, for the use of physical persons or legal organisations.
The ACEDICOM 02 subordinate CA issues certificates for purposes other than
Qualified electronic signature. The ACEDICOM Servidores subordinate CA issues
server/client certificates and code signing certificates.
Root CRL
http://ocsp.acedicom.edicomgroup.com/acedicom01
OV
CPS in English
CPS in Spanish
Declaration of Certification Practices and Policies according to Certificate Type
TLS Certificate Policy (in Spanish)
https://bugzilla.mozilla.org/show_bug.cgi?id=471045
NetLock Ltd. is a qualified Certificate Authority in Hungary that issues certificates to organizations and individuals.
National Communications Authority, Hungary
Statement of audit conformance in English
Statement of the NCA that Netlock is a Qualified Service Provider
CERT-Hungary
Cover letter of the rDSP audit in Hungarian
English Translation of part of the rDSP Audit Report
NetLock currently has four separate root CAs included in NSS. The redesigned
equivalent of these existing roots will be created under this new root.
The new root will sign seven internally-operated subordinate CAs. Two of those
subordinate CAs will sign sub-CAs that will be externally-operated by
MKB (Hungarian Trade Bank) and MNB (National Bank of Hungary).
CRL for Class B
http://ocsp1.netlock.hu/gold.cgi
OV
CA Hierarchy
Practice Statements and Terms of Agreements in Hungarian
CPS in English
Verification Practice for Non-Qualified certificates
Non-qualified certificate CRL and OCSP profile definitions
Certificate Issuance Practice Statement
https://bugzilla.mozilla.org/show_bug.cgi?id=480966
https://bugzilla.mozilla.org/show_bug.cgi?id=532201
CATCert is the Catalan Agency of Certification (Agència Catalana de Certificació).
CATCert’s aim is to provide digital certification services and promote the usage
of digital signature in order to make safer the communications within the Catalan
government and the communications (within and for) the Catalan government.
Ernst and Young
Audit Report and Management Assertions
This root has seven internally-operated subordinate CAs. The subordinate CAs
are used to distinguish who the certificates are issued to. The EC-IDCAT
certificates are issued to Catalan citizens. The EC-SAFP (a sub-CA of EG-GENCAT),
EC-AL, and EC-PARLAMENT certificates are not issued to the general public, but
only to the civil servants and computers or devices of the Regional Catalan
government, the Catalan Government, and the Catalan Parliament. The EC-UR and
EC-URV certificates are not issued to the general public, but to employees,
students and computers or devices of Catalan universities and research centers
connected to the “Anella Científica” group, and the Universitat Rovira i
Virgili (URV).
CRL
http://ocsp.catcert.net
OV
CA Hierarchy Diagram
English version of CPS
CPS in Catalan
CP in Catalan
The CPS/CP for each sub-CA in Catalan
Operative Procedure in Catalan
https://bugzilla.mozilla.org/show_bug.cgi?id=295474
E-Guven is a private corporation that serves certificates mainly the
Turkish market and they plan to expand their market to other countries.
E-Guven certificates are used in Public projects, such as www.turkiye.gov.tr,
and Mobile Signature as well.
E-Guven also develops B2B secure transaction projects.
Republic of Turkey Telecommunicatins Authority
Audit Statement
This root certificate signs SSL certificates directly.
Additionally, this root has the following three intermediate CAs:
E-Guven Mobile CA issues mobile certificates for end users;
E-Guven NES CA issues qualified electronic certificates for Turkish citizens;
and E-Guven Secure Client Certificates issues Class 3 certificates.
All of the intermediate CAs chaining up to this root are operated internally
by e-Guven.
CRL
http://ocsp2.e-guven.com/ocsp.xuda
OV
CA Hierarchy
Qualified Electronic CP (GKNESI) in Turkish
Mobility Qualified Electronic CP (MKNESI) in Turkish
Qualified Electronic Cert Application Basics (NESUE) in Turkish
SSL Cert Application Basics (SUE) in Turkish
https://bugzilla.mozilla.org/show_bug.cgi?id=476428
In Japan there are two root CAs, one is GPKI which acts as a root for national
government agencies, and the other one is LGPKI (Local Government PKI) which
serves the same function for regional and local governments. LGPKI is controlled
by the Local Government Wide Area Network (LGWAN) Operation Committee.
Deloitte Touche Tohmatsu
Audit Report and Management’s Assertions
CRL
OV
CP/CPS in Japanese
English translation of part of the LGPKI CP/CPS
English translation of part of the LGPKI Registration Authority Branch Operation Handbook
https://bugzilla.mozilla.org/show_bug.cgi?id=477314
První certifikační autorita, a.s. (First certification authority - I.CA), is the
largest provider in the field of issuing and administrating the certificates in
the Czech republic. It renders its services in the Slovak republic as well. There
have been already more than million of issued certificates registered till today.
Jozef Vyskoc,P hD., Certified Information Systems Auditor (CISA) no. 9616941
Audit Statement
CRL
OV
CP in Czech
https://bugzilla.mozilla.org/show_bug.cgi?id=484171
CRL
OV
CP in Czech
https://bugzilla.mozilla.org/show_bug.cgi?id=484171
SUSCERTE stands for Superintendencia de Servicios de Certificación Electrónica,
which is part of the Ministry of People's Power for Telecommunications and
Informatics in the Bolivarian Republic of Venezuela. SUSCERTE is a national
government CA that provides electronic certification services to the Bolivarian
Republic of the Government of Venezuela.
Mariclen Villegas
Audit Statement in Spanish
This root CA is the Root Certification Authority of Venezuela’s National
Infrastructure of Electronic Certification. The main function of this root
is to issue the intermediate CAs to the Certification Service Suppliers (CSS)
of the public and private sector, according to the Law on Data Messages and
Electronic Signature (LSMDFE). Once a CSS has been accredited by SUSCERTE according
to the LSMDFE, the CSS must issue the certificates in accordance with the purpose of
the electronic certificates specified in their own Declaration of Practices of
Certification and Policy of Certificates.
CRL
http://ocsp.suscerte.gob.ve
OV
Declaration of Practices of Certification (DPC) of root in Spanish
DPC of root in English
Model of DPC for Certification Service Suppliers (CSS) in Spanish
Guide for Accreditation of CSS in Spanish
Guide Technology Standards and Guidelines for Accreditation of CSS in Spanish
National Infrastructure of Electronic Certificate: Structure, Certificate, and CRL in Spanish
https://bugzilla.mozilla.org/show_bug.cgi?id=489240
SUSCERTE has decided to have each of its sub-CAs apply separately for inclusion in NSS as separate trust anchors.
Japan Certification Services, Inc. (JCSI) is a commercial CA whose primary
market is Japan. Some of the relying parties are outside Japan, such as US,
Canada, European countries, and Asia.
Ernst and Young ShinNihon LLC
Audit Report and Management’s Assertions
This root has one internally-operated subordinate CA for issuing SSL
certificates to the public. In the future, JCSI plans to add other
internally-operated subordinate CAs for S/MIME, Time Stamping, and other
certificate types.
CRL
OV
Repository
CP/CPS in English
https://bugzilla.mozilla.org/show_bug.cgi?id=496863
https://bugzilla.mozilla.org/show_bug.cgi?id=542798
Keynectis is a French commercial CA that issues certificates to the general
public. Keynectis was created by merging two previous French certification
operators, Certplus and PK7.
LSTI - La Sécurité des Technologies de l'Information
ETSI Certificate
KPMG
Audit Report and Management's Assertion
This root is already included in NSS. The current request is to EV-enable the root.
A new, internally-operated subordinate CA has been created for issuing EV SSL
certificates.
CRL
http://kvalid.keynectis.com/evssl-ocsp/
OV, EV (Policy OID 1.3.6.1.4.1.22234.2.5.2.3.1)
Declaration des Pratiques de Certification (CPS in French)
CPS for EV SSL CA (English)
Root CA CP (English)
SSL CP (English)
SSL CPS (English)
Keynectis Information (English)
https://bugzilla.mozilla.org/show_bug.cgi?id=335392
https://bugzilla.mozilla.org/show_bug.cgi?id=379032
GlobalSign is a commercial CA based in Portsmouth NH and
serving customers worldwide.
Ernst & Young
Audit Report and Management’s Assertions
Ernst & Young
Audit Report and Management’s Assertions
This is the SHA256 version of the GlobalSign root (SHA1) that is already included
in NSS. This root is primarily suitable for Server and Client Authentication,
Secure e-mail, Code Signing and Timestamping. However the root itself is marked
for all issuance policies and therefore can also be used for OCSP, Encrypting File
System, IP Sec (Tunnel, User) and CA Encryption Certificate purposes.
The root has been created (A ceremony to WebTrust audited standards witnessed by
Ernst and Young). However, this root is not yet active, so no CRL or OCSP service
has yet been provided for it. GlobalSign will be supporting a new certificate
hierarchy in 2010 based on this SHA256 root.
CRL
DV, OV, EV (policy OID 1.3.6.1.4.1.4146.1.1)
Repository of All Legal Documents
GlobalSign Certification Practice Statement v6.5
GlobalSign CA Certificate Policy v3.4
https://bugzilla.mozilla.org/show_bug.cgi?id=507360
Microsec Ltd. is a Hungarian certificate authority.
Hungarian Government National Communications Authority
Authority statement
This is a new, SHA256, version of the Microsec SHA1 root that is already
included in NSS. The new root has a new DN and a new key. Microsec plans to operate
the two roots simultaneously for some years, and the old one shall be phased out
afterwards. Under the new root, Microsec issues certificates with an OCSP service
usable for the general public.
CRL for this root
List of CRLs
http://a3ocsp2009.e-szigno.hu
OV
Certificate
Hierarchy in English
CPS in Hungarian, v2.0
CPS in English, v1.6
Microsec CP and CPS documents
https://bugzilla.mozilla.org/show_bug.cgi?id=510506
National Informatics Centre (NIC), is part of the Department of
Information Technology of the Government of India.
CyberQ Consulting Pvt. Ltd.
Auditor Statement
NIC CA issues three classes of Digital Signatures to subscribers, based on the
level of verification that is performed in regards to the identity of the
certificate subscriber. The NIC CA directly signs Class 1, Class 2 and Class3
end-entity certificates which can be used for SSL, email, and document signing.
The NIC CA also signs the E-passport Sub-CA which signs Class 1, Class 2 and
Class3 end-entity certificates which can be used for SSL, email, and document signing.
These Digital Signatures are issued based on verification procedures as stated in the
Information Technology (IT) Act 2000, an Act which was passed by the Indian Parliament
in June 2000.
CRL
DV, OV
CA Hierarchy
Certificate Practice Statement of NIC CA (English)
Overview of Information Technology Act 2000 (English)
Details of Information Technology Act 2000 (English)
Digital Signature Certificate Request Form (English)
https://bugzilla.mozilla.org/show_bug.cgi?id=511380
Taiwan CA. Inc. (TWCA) is a commercial CA that provides a consolidated on-line
financial security certificate service and a sound financial security environment,
to ensure the security of on-line finance and electronic commercial trade in Taiwan.
SunRise CPAs’ Firm, a member firm of DFK
Audit Report and Management's Assertsions
CRL
DV, OV
TWCA PKI Certificate Policy (Traditional Chinese)
TWCA PKI Certificate Policy (English)
TWCA Root CA Certification Practice Statement (Traditional Chinese)
TWCA Root CA Certification Practice Statement (English)
https://bugzilla.mozilla.org/show_bug.cgi?id=518503
Actalis is a public CA offering PKI services to a wide number of customers,
mainly banks and local government.
Actalis is a Qualified certification service provider according to the
EU Signature Directive (Directive 1999/93/EC).
Actalis designs, develops, delivers and manages services and solutions
for on-line security, digital signatures and document certification;
develops and offers PKI-enabling components, supplies complete digital
signature and strong authentication kits (including hardware and software),
delivers ICT security consultancy and training.
Centro Nazionale per L’Informatica nella Pubblica Amministrazione (CNIPA)
Audit Report
Accredited National Certification Service Provider
Accredited Certifier on CNIPA website
CRL
http://ocsp.actalis.it
OV
CPS for SSL and Code Signing Certs (Italian)
CPS for SSL and Code Signing Certs (English)
https://bugzilla.mozilla.org/show_bug.cgi?id=520557
Firmaprofesional is a commercial CA in Spain that issues certificates to professional
corporations, companies and other institutions. Their main activity is the generation,
transmission and distribution of digital certificates through professional corporations,
companies or other institutions, which act as Registration Authorities and Certification
Authorities in the hierarchy of certification Firmaprofesional. Firmaprofesional has a
network of more than 70 Registration Authorities located throughout Spain.
Ernst & Young
Audit Report and Management’s Assertions
This is a renewal for the Firmaprofesional root certificate that is currently in NSS.
Sub-CAs of the new root cross-sign end-entity certs with sub-CAs of the old root,
in order to maintain business continuity.
This root CA signs subordinate CAs that sign end-entity certificates.
One sub-CA is used by Firmaprofesional, and other sub-CAs are issued for organizations
including professional corporations, companies or other institutions, which act as
Registration Authorities and Certification Authorities in the hierarchy of certification Firmaprofesional.
CRL
http://servicios.firmaprofesional.com/ocsp
OV
Certification Policies and Practices (Spanish)
CPS (Spanish)
SSL CP (Spanish)
Code Signing CP (Spanish)
https://bugzilla.mozilla.org/show_bug.cgi?id=521439
The United States Federal Public Key Infrastructure (FPKI) Policy Authority
is an interagency body set up under the CIO Council to enforce digital certificate
standards for trusted identity authentication across the federal agencies and between
federal agencies and outside bodies, such as universities, state and local governments
and commercial entities.
U. S. General Services Administration
Audit Information
Letter of Authorization to Operate
This is the root certificate for the U.S. Federal Common Policy Framework Certificate
Authority (FCPF CA). The Common Policy CA is online and issues CRLs with an 18 hour validity
period every 12 hours. It does not sign end-entity certificates directly. It signs subordinate
CAs for Shared Service Providers (SSP). The sub-CAs are operated by the SSPs. End-entity
certificates may be issued to Federal employees, contractors, affiliated personnel, and devices
operated by or on behalf of Federal agencies. The list of certified SSPs is provided on the
FPKI website.
CRL
OV
FCPF CP
FPKIA CPS
List of Certified PKI Shared Service Providers
Shared Service Provider Roadmap
CPS Evaluation Matrix For Evaluation Against the Requirements for the Common Policy Framework
https://bugzilla.mozilla.org/show_bug.cgi?id=478418
DNIe, is the electronic Spanish National Identity Card. It is the electronic version
of the Spanish National Identity Document (DNI) issued by the Dirección General
de la Policía (the National Police Force in Spain). The DNI is required for every citizen
over 14 years of age. Most of the Spanish citizens use the DNIe to identify themselves
and interact against both, government and private online services.
TBD
TBD
This root has three subordinates CA. The validation activity has been segregated
in order to improve privacy. The number of subordinates CA will be increased if necessary.
CRL
http://ocsp.dnie.es
OV
Certificate Policy (Spanish)
List of e-services accepting DNIe certificates
https://bugzilla.mozilla.org/show_bug.cgi?id=526181
SECOM Trust Services Co., Ltd are a commercial CA based in Japan.
KPMG
Audit Report and Management’s Assertions
CRL
OV
Documents relating to this root
CPS (Japanese)
CP (Japanese)
https://bugzilla.mozilla.org/show_bug.cgi?id=527419
ipsCA, primarily located in Spain, is a worldwide CA which has issued with more
than 12,000 SSL certificates to Universities and educational entities (mainly in USA).
KPMG
Audit Report and Management’s Assertions
This root certificate is intended to replace the “IPS SERVIDORES” root that is currently included in NSS.
CRL
http://ocspmain01.ipsca.com/
OV
CPS (Spanish)
https://bugzilla.mozilla.org/show_bug.cgi?id=529286
CRL
http://ocspglobal01.ipsca.com/
OV
CPS (Spanish)
https://bugzilla.mozilla.org/show_bug.cgi?id=529286
Go Daddy operates a commercial CA based in the US and serving customers worldwide.
KPMG
Independent Accountants' Report
This new root will eventually replace the “Go Daddy Class 2 CA” root cert that is
currently included in NSS. The “Go Daddy Class 2 CA” root has a single internally-operated
subordinate CA issuing SSL certificates (DV, OV and EV), email certificates, and code signing certificates.
CRL
http://ocsp.godaddy.com/
DV, OV, EV (policy OID 2.16.840.1.114413.1.7.23.3)
Repository of certs and policies
CP and CPS
Relying Party Agreement
Subscriber Agreement
Premium EV Subscriber Agreement
Code Signing Subscriber Agreement
https://bugzilla.mozilla.org/show_bug.cgi?id=527056
Not currently requesting email trust bit because current documentation does not include requirements to verify email address ownership/control.
This new root will eventually replace the “Starfield Class 2 CA” root cert that
is currently included in NSS. The “Starfield Class 2 CA” root has a single subordinate
CA issuing SSL certificates (DV, OV and EV), email certificates, and code signing certificates.
CRL
http://ocsp.starfieldtech.com
DV, OV, EV (policy OID 2.16.840.1.114413.1.7.23.3)
Repository of certs and policies
CP and CPS
Relying Party Agreement
Subscriber Agreement
Premium EV Subscriber Agreement
Code Signing Subscriber Agreement
https://bugzilla.mozilla.org/show_bug.cgi?id=527056
Not currently requesting email trust bit because current documentation does not include requirements to verify email address ownership/control.
This new self-signed root CA does not yet have subordinate CAs. Before issuing from this root,
at least one appropriate, internally-operated subordinate issuing CA will be created.
CRL
http://ocsp.starfieldtech.com
DV, OV
Repository of certs and policies
CP and CPS
Relying Party Agreement
Subscriber Agreement
Premium EV Subscriber Agreement
Code Signing Subscriber Agreement
https://bugzilla.mozilla.org/show_bug.cgi?id=527056
Not currently requesting email trust bit because current documentation does not include requirements to verify email address ownership/control.
Scientific Trust is a division of the University of Hagen and has its own Root Certificate.
Scientific Trust offers Intermediate Certificates to other universities and companies.
The primary market is the German speaking area (Austria, Germany, Switzerland).
KPMG
Audit Report and Management’s Assertions
This root has one internally-operated subordinate CA issuing client and server certificates.
In the future there will be externally-operated subordinate CAs, issuing client and server certificates.
CRL
OV
CPS Scientific Trust URL (English)
Certificate Policy URL (English)
CPS FernUniversitaet in Hagen URL (English)
https://bugzilla.mozilla.org/show_bug.cgi?id=531237
Broader Certification Center (CERTUM) is an organizational unit of Unizeto Technologies SA,
providing certification services related to electronic signatures. It is the oldest public
certification authority in Poland and the commercial certification authority, operating on
a global scale - serving customers in over 50 countries worldwide.
Ernst & Young
Audit Report and Management’s Assertions
Ernst & Young
Audit Report and Management’s Assertions
This root currently has two internally-operated sub-CAs; the Certum Class 1 sub-CA signs
3 month test certs, and the Certum Extended Validation CA signs EV SSL certs.
Eventually, the certificates under the old “Certum CA” root (included in NSS) will be
moved to this new root. The sub-CAs of the “Certum CA” root are Certum Level I CA,
Certum Level II CA, Certum Level III CA, Certum Level IV CA, and Certum Partners CA.
CRL
http://ocsp.certum.pl
DV, OV, EV (policy OID 1.2.616.1.113527.2.5.1.1)
Certum Cert and Document Repository
CPS of CERTUM’s Non-Qualified Certification Services (English)
CP of CERTUM’s Non-Qualified Certification Services (English)
EV CP (English)
https://bugzilla.mozilla.org/show_bug.cgi?id=532377
TeliaSonera provides telecommunication services in the Nordic and Baltic countries,
the emerging markets of Eurasia, including Russia and Turkey, and in Spain. CA operations
currently only in Nordic countries.
Ernst and Young
Audit Report and Management’s Assertions
This root has five internally-operated subordinate CA's: Class1 CA v1 (smart card or usb
token based client certificates), Class2 CA v2 (software client certificates for VPN services, S
SL, Signatures, Authentication, and E-mail encryption),TeliaSonera Server CA v1,
TeliaSonera Email CA v3, and TeliaSonera VPN CA v1.
CRL
DV, OV
Document and CA repository
TeliaSonera Root CA v1 Practice Statement (English)
TeliaSonera Class2 CA v1/TeliaSonera E-mail v3 Practice Statement (English)
https://bugzilla.mozilla.org/show_bug.cgi?id=539924