1912385 - Turn off Secure Email Trust Bit for ACCVRAIZ1 root cert

Status: RESOLVED FIXED

(CA Program :: CA Certificate Root Program, task)

Description

[Jose Amador]

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0

Steps to reproduce:

Description:
A CCADB report presented a set of ACCV CAs with missing S/MIME BR audit because they have that bit active in the stores.
ACCV would like to disable the Trust Bit “Secure Email” for the following root CA:
ACCVRAIZ1
SHA256 Fingerprint: 9A6EC012E1A7DA9DBE34194D478AD7C0DB1822FB071DF12981496ED104384113

Actual results:

The reason for this change:
ACCVRAIZ1 was created on 5 May 2011 (will expire in 2030) with all issuance policies. According to Mozilla roots life-cycle proposal, for this root, the Websites Trust Bit will be removed on 15 April 2028.
ACCV already prepared the end-of-life cycle of this root and its intermediate CAs – expiring in 2027 and has generated a new hierarchy of single-purpose roots and is in the process of starting the recognition and inclusion mechanism in browsers and OS.
ACCV is not using this bit, and have no intention to use it, so ACCV is asking for the removal of this bit (Secure Email) in ACCVRAIZ1 from all ROOT Store Programs (Apple, Microsoft, Mozilla and Chrome).

Expected results:

Disabling the Secure Email bit in the different stores.
There is no impact on users.
There is no urgency on this change, except of the Intermediate Certificates with Failed ALV fix.

Comment 1

[Ben Wilson]

This change has now been made in Nightly 131.0a1 (2024-08-28).