Open Bug 1431811 Opened 3 years ago Updated 2 hours ago

Notarius: Root Inclusion Request


(NSS :: CA Certificate Root Program, task)

Not set


(Not tracked)



(Reporter: licences, Assigned: bwilson)


(Whiteboard: [ca-verifying] - KW Comment #5 2018-05-10 - Email trust bit only)


(4 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Steps to reproduce:

I want my Root CA to be included in Mozilla trusted store.

Actual results:

We are currently listed in CCADB by the Microsoft Root Certificate program.  We want to be also recognized by Mozilla.  We are issuing personals certificates for document signature.  We don't issue ssl certificate.  We are Webtrust Certified since 3 years, and recognize by Microsoft Root certificate program since 3 years.

Company/Owner : Notarius
CA : Notarius Root Certificate Authority
CA Owner/Certificate No: A002405
Webtrust Seal :

Expected results:

We want to have our root certificate to be recognized by Mozilla, this will help us, and our clients, to get their certificate and theirs signed documents to be valid under more browser and OS.
Our Process is described here:

Information that the CA needs to provide is listed here:
Ever confirmed: true
Summary: Root Inclusion → Notarius: Root Inclusion Request
Whiteboard: [ca-verifying] - Email trust bit only
Hi Kathleen,

Thank you for your return.  I have followed all indications you submit and I have completed the application process.  You will find in attachment 2 [details] [diff] [review] PDF files in which you will find all requests application questions and a test documents including example certificate.

I will always be available to answer additional questions.

Thank you,
Alexandre Provost, CISSP.
The attached document lists the information that has been verified.
Search for "need" in the document to find the additional information/clarification that the CA needs to provide in this bug.

In particular, note:

1) I did not find description in the CP of how the CA/LRA verifies that the email address to be included in the certificate is owned/controlled by the certificate subscriber. This needs to be in the CP.

2) It is not clear to me if/when LRA's are audited. Or how it is regularly checked that the LRA is only issuing certs that it should be issuing, and following the CP. This information should be in the CP.

Also, please note that it is time for a new audit statement.
Audit Statement Date: 4/10/2017
Make sure that your future audit statements satisfy section 3.1.4 of Mozilla's Root Store Policy...
In particular: "3. Distinguished Name and SHA256 fingerprint of each root and intermediate certificate that was in scope;"
Whiteboard: [ca-verifying] - Email trust bit only → [ca-verifying] - KW Comment #5 2018-05-10 - Email trust bit only

Is Notarius still interested in pursuing its root store inclusion request?
If so, it needs to update the information in the CCADB.
The public version of CCADB case no. 256 for this request is:

QA Contact: kwilson

Hi Ben,
We are still interested in the inclusion. I will adjust the CP/CPS about the email validation, and will update the other information.

Assignee: kwilson → bwilson

The CP and CPS has been updated to include the missing requirement.

I hope all information is now in conformity to Mozilla requirements.

You need to log in before you can comment on or make changes to this bug.