Closed Bug 1933132 Opened 3 months ago Closed 18 days ago

SECOM: New Subordinate CA Request(Cybertrust Japan SureMail CA G5)

Categories

(CA Program :: CA Certificate Root Program, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: cainfo, Assigned: bwilson)

References

Details

(Whiteboard: [ca-approved])

Attachments (7 files)

  • 24.93 KB, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
  • 5.25 MB, application/x-zip-compressed
  • 8.49 MB, application/x-zip-compressed
  • 211.21 KB, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
  • 18.04 KB, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
  • 470.94 KB, application/pdf
  • 526.76 KB, application/pdf
No description provided.
Attached file 06_Audit_Report_01.zip
Attached file 06_Audit_Report_02.zip

Externally Operated Subordinate CAs

We apply under the application procedure for "Externally Operated Subordinate CAs".
https://wiki.mozilla.org/CA/External_Sub_CAs

1. Full Legal Name

Cybertrust Japan Co., Ltd.

2. Website URL

https://www.cybertrust.co.jp/

3. Expected CA hierarchy under the subordinate CA

4. Certificate profile for the subordinate CA certificate

https://bugzilla.mozilla.org/attachment.cgi?id=9439631

5. CP, CPS, or CP/CPS for the operation of the subordinate CA

Repository
https://www.cybertrust.ne.jp/ssl/repository/
CP (TLS OV)
https://www.cybertrust.ne.jp/ssl/repository/OVCP_English.pdf
CP (TLS EV)
https://www.cybertrust.ne.jp/ssl/repository/EVCP_English.pdf
CP (S/MIME)
https://www.cybertrust.ne.jp/ssl/repository/SMCP_English.pdf
CPS
https://www.cybertrust.ne.jp/ssl/repository/CTJCPS_English.pdf

6. Audit statements, auditor information and qualifications

https://bugzilla.mozilla.org/attachment.cgi?id=9439632
https://bugzilla.mozilla.org/attachment.cgi?id=9439633

7. The subordinate CA’s Compliance Self-Assessment

https://bugzilla.mozilla.org/attachment.cgi?id=9439634

8. The results of the root CA operator’s detailed policy and audit review for the subordinate CA

  • We have reviewed and confirmed the policy documentation and audit records of CyberTrust.

9. Explanation about why this subordinate CA is needed, e.g. Value Justification. For example, the primary reason in the explanation can be that:

In accordance with Mozilla’s policy on Externally-Operated Subordinate CAs, SECOM Trust Systems (hereinafter referred to as “SECOM”) is requesting a review and approval process for Cybertrust Japan (hereinafter referred to as “Cybertrust”). SECOM will issue a new Subordinate CA certificate to Cybertrust. The Subordinate CA certificate is planned to be issued from "Security Communication RootCA2," owned by SECOM, and its profile will be S/MIME Strict Generation.

Cybertrust is a company listed on the Tokyo Stock Exchange (Corporate Website: https://www.cybertrust.co.jp/ ). With extensive experience in CA operations, Cybertrust has contributed to enhancing the safety and reliability of internet and email security primarily in Japan for over 20 years. During this time, Cybertrust has been providing authentication and security services as a commercial CA by issuing public certificates within the nation.

Since 2019, Cybertrust has been providing TLS and S/MIME (Legacy Generation) certificates as an Externally-Operated Subordinate CA of SECOM. SECOM intends to continue its close collaboration with Cybertrust and maintain the Externally-Operated Subordinate CA going forward.

As mentioned earlier, Cybertrust is currently operating the S/MIME Legacy Generation Subordinate CA. However, to transition to the Strict Generation, a new Subordinate CA certificate needs to be issued.

Lastly, SECOM has previously reported two Mozilla incidents related to Cybertrust. In both cases, SECOM and Cybertrust worked together promptly to investigate and address the issues, taking swift action, and successfully closing all incidents.

SECOM will continue its close collaboration with Cybertrust, ensuring ongoing compliance at all times.

Status: UNCONFIRMED → RESOLVED
Closed: 3 months ago
Duplicate of bug: 1933127
Resolution: --- → DUPLICATE
Status: RESOLVED → REOPENED
No longer duplicate of bug: 1933127
Ever confirmed: true
Resolution: DUPLICATE → ---
Duplicate of this bug: 1933127
Assignee: nobody → bwilson
Status: REOPENED → ASSIGNED
Type: enhancement → task
Whiteboard: [ca-initial]

My understanding is that this request fits under the following language of the MRSP section 8.4 - that even though Cybertrust Japan is a CA operator already in Mozilla's root store (for TLS certificates) "the subordinate CA operator is not approved by Mozilla to issue the type of certificates [email], which they will be able to issue under the new CA certificate." Am I right?

As Ben-san recognizes, you are correct.
Cybertrust's TLS Root CAs have been approved by Mozilla.
Add Cybertrust Japan SecureSign Roots (CA12, CA14 and CA15)
https://bugzilla.mozilla.org/show_bug.cgi?id=1658793
However, the S/MIME Root CA (CA16) has not yet been approved by Mozilla.

Best Regards,

ONO, Fumiaki
SECOM Trust Systems Co., Ltd.

Whiteboard: [ca-initial] → [ca-ready-for-discussion] 2024-12-06

Here is SECOM's statement of findings:

Findings Supporting SECOM's Decision to Approve Cybertrust Japan (CTJ) as an Externally Operated Subordinate CA for S/MIME Certificates

A. Detailed Review of Policy and Practices
SECOM conducted a comprehensive review of CTJ's Certificate Policy (CP) and Certification Practice Statement (CPS), as well as their audit documentation, to verify full conformity with the S/MIME Baseline Requirements. The review confirmed that CTJ’s policies adhere to all required standards, ensuring secure and reliable operations for S/MIME certificate issuance. Notable areas of alignment between the S/MIME BRs and CTJ’s CP are as shown in CTJ’s Self-Assessment.

B. Technical and Organizational Readiness
Not only did CTJ’s CP and CPS thoroughly address all aspects of certificate lifecycle management, including key generation and management, revocation processes, and subscriber identity verification, but SECOM also reviewed with CTJ its technical infrastructure and organizational processes, and CTJ demonstrated robust technical capabilities and well-defined operational practices that align with the S/MIME Baseline Requirements. Specifically, we noted the following based on our review:

  1. CTJ maintains a compliance structure by having a team that monitors and responds to industry trends such as each browser vendor's policies, CABF requirements, and Bugzilla. When necessary, they make decisions through the Policy Authority (PA) process.
  2. The development team is allocated resources to maintain the system and can prioritize and respond quickly to necessary system changes.
  3. The procedures for certificate issuance validation, other CA system rules, and recruitment and training processes that comply with external requirements are documented.

Cybertrust has been providing TLS and S/MIME (legacy generation) certificates as an externally operated subordinate CA for SECOM since 2019, and has previously demonstrated robust technical capabilities and well-defined operational practices that comply with applicable requirements. Additionally, SECOM has reviewed and approved a draft version of a new CTJ policy that adds subordinate CA certificates for S/MIME strict generation.

Thank you for your arrangements.

We have already registered the subordinate CA certificate with CCADB.

Cybertrust Japan SureMail CA G5
SHA-256 Fingerprint
995C3C64F32348142BF1EBEAF7370781A1C30682DE02AD85FB2700CE1395F737

Also, Cybertrust Japan has not yet received the Key Generation Report from the auditing firm, so we will upload it to Bugzilla once we receive it.
It will be done next week.

Best Regards,

ONO Fumiaki / 大野 文彰
SECOM Trust Systems Co., Ltd.

We have uploaded the Key Generation Report.

Best Regards,

ONO Fumiaki / 大野 文彰
SECOM Trust Systems Co., Ltd.

Whiteboard: [ca-ready-for-discussion] 2024-12-06 → [ca-approved]
Status: ASSIGNED → RESOLVED
Closed: 3 months ago → 18 days ago
Resolution: --- → FIXED