Closed Bug 1941966 Opened 1 year ago Closed 2 days ago

SECOM: New Subordinate CA Request (JPRS)

Categories

(CA Program :: CA Certificate Root Program, task, P1)

Product:
CA Program
Component:
CA Certificate Root Program
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: cainfo, Assigned: bwilson)

Details

(Whiteboard: [ca-approved])

Attachments

(3 files)

04_JPRS_Sub-CA-Certificate-Profile.xlsx
38.96 KB, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Details
06_Audit_Report.zip
5.24 MB, application/x-zip-compressed
Details
07_JPRS_CCADB Self Assessment Framework (v1.4.2).xlsx
200.15 KB, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Details
No description provided.

Externally Operated Subordinate CAs

We apply under the application procedure for "Externally Operated Subordinate CAs".
https://wiki.mozilla.org/CA/External_Sub_CAs

1. Full Legal Name

Japan Registry Services Co., Ltd.

2. Website URL

https://jprs.jp/

3. Expected CA hierarchy under the subordinate CA

Root CA
Security Communication RootCA2
https://crt.sh/?caid=1160

Current Subordinate CAs
JPRS Domain Validation Authority - G4
https://crt.sh/?caid=178851
JPRS Organization Validation Authority - G4
https://crt.sh/?caid=178842

New Root CA (ECC)
Security Communication ECC RootCA1
https://crt.sh/?caid=43338

New subordinate CAs (ECC)
JPRS DV ECC CA 2024 G1
https://crt.sh/?caid=297944
JPRS OV ECC CA 2024 G1
https://crt.sh/?caid=297945

New Root CA (RSA)
SECOM TLS RSA Root CA 2024
https://crt.sh/?caid=363595

New subordinate CAs (RSA)
JPRS DV RSA CA 2024 G1
https://crt.sh/?caid=364821
JPRS OV RSA CA 2024 G1
https://crt.sh/?caid=364822

4. Certificate profile for the subordinate CA certificate

04_JPRS_Sub-CA-Certificate-Profile.xlsx
https://bugzilla.mozilla.org/attachment.cgi?id=9459795

5. CP, CPS, or CP/CPS for the operation of the subordinate CA

Repository
https://jprs.jp/pubcert/info/repository/
CP
https://jprs.jp/pubcert/info/repository/JPRS-CP-en.pdf
CPS
https://jprs.jp/pubcert/info/repository/JPRS-CPS-en.pdf

6. Audit statements, auditor information and qualifications

06_Audit_Report.zip
https://bugzilla.mozilla.org/attachment.cgi?id=9459796

7. The subordinate CA’s Compliance Self-Assessment

07_JPRS_CCADB Self Assessment Framework (v1.4.2).xlsx
https://bugzilla.mozilla.org/attachment.cgi?id=9459798

8. The results of the root CA operator’s detailed policy and audit review for the subordinate CA

We have reviewed and confirmed the policy documentation and audit records of JPRS.

9. Explanation about why this subordinate CA is needed, e.g. Value Justification. For example, the primary reason in the explanation can be that:

JPRS is the ".jp" domain registry and supports the internet infrastructure in Japan.
JPRS has provided TLS certificate services for domestic market for over 8 years, contributing to the safety and reliability of the internet in Japan.
Additionally, it is a member of the CA/Browser Forum and participates in the Forum's ballots activities.

Since 2019, JPRS has been providing TLS certificates as an Externally-Operated Subordinate CA under SECOM Trust Systems (hereinafter referred to as “SECOM”).

SECOM is advancing the transition to a new root CA in accordance with Mozilla's Root CA Lifecycles.
To continue providing services with the new subordinate CA, JPRS will apply for the Externally Operated Subordinate CA this time.

SECOM plans to continue working closely with JPRS to maintain the Externally Operated Subordinate CA on going forward.

Best Regards,
ONO Fumiaki / 大野 文彰
SECOM Trust Systems Co., Ltd.

Assignee: nobody → bwilson
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-initial]
Type: enhancement → task
Priority: -- → P1
Whiteboard: [ca-initial] → [ca-verifying]
Whiteboard: [ca-verifying] → [ca-cps-review]

9. Explanation about why this subordinate CA is needed, e.g. Value Justification. For example, the primary reason in the explanation can be that:

JPRS is the ".jp" domain registry and supports the internet infrastructure in Japan.
JPRS has provided TLS certificate services for domestic market for over 8 years, contributing to the safety and reliability of the internet in Japan.
Additionally, it is a member of the CA/Browser Forum and participates in the Forum's ballots activities.

Since 2019, JPRS has been providing TLS certificates as an Externally-Operated Subordinate CA under SECOM Trust Systems (hereinafter referred to as “SECOM”).

SECOM is advancing the transition to a new root CA in accordance with Mozilla's Root CA Lifecycles.
To continue providing services with the new subordinate CA, JPRS will apply for the Externally Operated Subordinate CA this time.

SECOM plans to continue working closely with JPRS to maintain the Externally Operated Subordinate CA on going forward.

Will SECOM please provide additional information for the Value Justification (especially regarding the minimization of operational and compliance risk)?

Thanks,
Ben

Flags: needinfo?(cainfo)

The following review of the JPRS CP/CPS ver. 2.00 incorporates results from a new analysis tool that I’m evaluating. I’ve checked the output and found it helpful in surfacing key points, though I have not yet completed a full detailed review.

JPRS CP/CPS (v2.00 — 2025-08-22) — TLS-Only Compliance Review

CPS Compliance Reviewer (Analysis date: 2025-11-03 (America/Denver))

Executive Summary

Scope: TLS server certificates only, as requested. Review based on: BR v2.1.7 [2025-10], Mozilla Root Store Policy (MRSP) v3.0, RFC 3647, NCSSRs v2.0.5, and Past_Findings_v2025-10.json. JPRS CP/CPS version and change log confirmed (v2.00, 2025-08-22; integrated CP/CPS and clarified BR alignment).

Overall verdict: Mostly Compliant. The CP/CPS shows strong alignment with recent BR and MRSP changes (MPIC, linting/self-audit, mass revocation planning), but contains policy-level conflicts and gaps that must be corrected to be fully compliant.

High priority findings

  1. Audit report disclosure language conflicts with BR 8.6 — Section 8.6 of the CP/CPS is ambiguous because it states results “will not be externally disclosed”, but it does say that certain information will be disclosed pursuant to WebTrust. BR 8.6 and other relevant root store policies require public availability via the CCADB within three months. Must fix to avoid program non-compliance.

  2. Mass-revocation planning/testing not explicitly committed per BR 5.7.1.2 — CP/CPS has disaster/continuity text, and says “Beginning 2025-09-01, the CA shall prepare and maintain comprehensive and actionable plans to address mass revocation events in accordance with the provisions of the Mozilla Root Store Policy.”, but lacks an explicit CPS assertion regarding a program and annual exercises now required. High risk of non-compliance as of 2025-12-01 enforcement.

Key compliance themes

  • Identity & issuance controls: BR-aligned domain validation catalog, CAA, MPIC explicitly incorporated; deprecations dated.

  • Operational resilience & revocation: OCSP/CRL availability and response times stated, but mass-revocation CPS commitments need tightening.

  • Quality controls: Linting (TBS and issued certs) and Self-Audit 8.7 sections present and reflect the 2025 changes.

High-Level Section-by-Section Review

Note: Each major section maps to RFC 3647 headings; clause citations reference BR v2.1.7 [2025-10] and MRSP v3.0 where applicable.

Section 1 — Introduction (1.1–1.6)

Quick Verdict: Compliant
Clause Mapping: RFC 3647 §1; BR §1.6, §1.3; MRSP (general program references)

Findings

  1. Issue: Standards list and RFC 3647 conformance are well-stated.
    Severity: Low (positive confirmation)
    Evidence: Standards table; explicit RFC 3647 conformance.
    Impact: Clear scope for TLS programs.
    Recommendation: None.

Ambiguities & Terminology: Minor editorial inconsistencies; acceptable.

Section 2 — Publication and Repository Responsibilities

Quick Verdict: Compliant
Clause Mapping: RFC 3647 §2; BR §2.2; MRSP disclosure expectations

Findings

  1. Issue: Repository 24×7 access, annual CPS review cadence clearly stated.
    Severity: Low (positive)
    Evidence: 24×7 repository; “revised at least once every 365 days.”
    Recommendation: None.

Section 3 — Identification and Authentication

Quick Verdict: Compliant
Clause Mapping: RFC 3647 §3; BR §3.2.2.4 (validation methods), §3.2.2.8 (CAA), §3.2.2.9 (MPIC)

Findings

  1. Issue: Validation methods comprehensively enumerated; deprecation date set for WHOIS email (3.2.2.4.2) in line with BR deprecations.
    Severity: Low (positive)
    Evidence: “For certificates issued on or after 2025-7-10, this method will no longer be applicable.”
    Citations: BR §3.2.2.4 (methods & deprecations).

  2. Issue: CAA processing and MPIC explicitly included, with multi-perspective requirements for website-based methods.
    Severity: Low (positive)
    Evidence: 3.2.2.8 CAA; 3.2.2.9 MPIC and network perspectives.
    Citations: BR §3.2.2.8, §3.2.2.9 (effective 2025-03-15).

  3. Issue: Onion names excluded; ACME methods referenced.
    Severity: Low (positive)
    Evidence: “The CA doesn’t issue certificates if ‘.onion’ is included …”; ACME-related methods listed.

Gaps & Omissions: None material.

Section 4 — Certificate Life-Cycle Operational Requirements

Quick Verdict: Partially Compliant
Clause Mapping: RFC 3647 §4; BR §4.3.1.2/§4.3.1.3 (linting), §4.9 (revocation), §4.10 (status services)

Findings

  1. Issue: Linting of TBS and issued certificates included (4.3.1.2, 4.3.1.3).
    Severity: Low (positive)
    Evidence: Explicit subsections present.
    Citations: BR §4.3.1.2; §8.7.

  2. Issue: Revocation request handling 24×7 and timelines aligned; acceptance via ACME and designated business enterprise documented.
    Severity: Low (positive)
    Evidence: 4.9.3, 4.9.4, 4.9.5.
    Citations: BR §4.9.3–§4.9.5.

  3. Issue: OCSP/CRL service performance clearly stated (≤10s response, 24×7).
    Severity: Low (positive)
    Evidence: 4.10.1–4.10.2.
    Citations: BR §4.9.10 / §4.10 (freshness/availability).

  4. Issue: Special handling of key compromise (web form + evidence) is thorough.
    Severity: Low (positive)
    Evidence: 4.9.12 details.

Gaps & Omissions: None material.

Section 5 — Facility, Management, and Operational Controls

Quick Verdict: Partially Compliant
Clause Mapping: RFC 3647 §5; NCSSR v2.0.5 (incorporated by reference)

Findings

  1. Issue: NCSSR incorporation by reference and security program elements clearly listed.
    Severity: Low (positive)
    Evidence: “NCSSR fully incorporated … security program … risk assessments.”

  2. Issue: Mass-revocation planning/testing not asserted per BR 5.7.1.2.
    Severity: High
    Evidence: Business continuity (5.7.4) discusses disaster recovery, but no CPS-level assertion of mass-revocation plan and annual exercises required by BR 5.7.1.2.
    Impact: Elevated risk during large-scale incident; non-conformance after 2025-12-01 if not fixed.
    Recommendation (normative text): See BR 5.7.1.2, MRSP 6.1.3, and https://wiki.mozilla.org/CA/Mass_Revocation_Events
    Citations: BR §5.7.1.2 (effective 2025-12-01), MRSP §6.1.3.
    Past Context: New requirement.

Section 6 — Technical Security Controls

Quick Verdict: Compliant / Clarifications
Clause Mapping: RFC 3647 §6; BR §6.1.5/§6.1.6; NCSSRs

Findings

  1. Issue: CA key generation controls described (witness/video, HSM FIPS 140-1 L3 reference).
    Severity: Low (clarity)
    Evidence: 6.1.1.
    Impact: Referencing “FIPS 140-1” is archaic; clarify current validations (e.g., FIPS 140-2/140-3).
    Recommendation: Update to current FIPS level and module certification.
    Citations: BR §6.2; NCSSR.

  2. Issue: Weak key protections (Debian weak keys, etc.) included.
    Severity: Low (positive)
    Evidence: 6.1.1 enumerated checks.

Section 7 — Certificate, CRL, and OCSP Profiles

Quick Verdict: Compliant
Clause Mapping: RFC 3647 §7; BR §7.1–§7.3

Findings

  1. Issue: OU deprecation handled; name form rules stated; BR OIDs referenced.
    Severity: Low (positive)
    Evidence: 7.1.4 name forms; BR policy OIDs listed.

  2. Issue: OCSP profile forbids reasonCode in singleExtensions (correct).
    Severity: Low (positive)
    Evidence: 7.3.2.

Section 8 — Compliance Audit and Other Assessments

Quick Verdict: Partially Compliant
Clause Mapping: RFC 3647 §8; BR §8.1–§8.7; MRSP v3.0 (disclosure)

Findings

  1. Issue: Annual external audits stated.
    Severity: Low (positive)
    Evidence: 8.1.

  2. Issue: Self-Audits section present and updated (v1.54 change log; 8.7).
    Severity: Low (positive)
    Evidence: Change log notes revisions to 8.7; 8.7 present in TOC.
    Citations: BR §8.7 (effective 2025-03-15).

  3. Issue: Public disclosure of audit results not explicitly committed to per BR §8.6 (within 3 months).
    Severity: Moderate
    Evidence: 8.6 heading exists; language insufficient to guarantee public posting within BR timelines.
    Recommendation: Add binding publication timeline and URL as in Section 2.
    Citations: BR §8.6.

Section 9 — Other Business and Legal Matters

Quick Verdict: Compliant / Minor edits
Clause Mapping: RFC 3647 §9; MRSP open-licensing expectations

Findings

  • No blocking issues noted. (If CP/CPS is published under an open license per MRSP expectations, keep explicit license statement; otherwise, add one.)

References (by knowledge base)

  • Baseline Requirements — BR v2.1.7 [2025-10]: §5.7.1.2 mass-revocation; §4.9.3 revocation 24×7; §4.9/§4.10 status; §4.3.1.2 linting; §8.6 audit disclosure; §8.7 self-audit.

  • MRSP v3.0: program disclosure expectations (mapped where applicable).

  • RFC 3647: section mapping throughout (framework).

  • NCSSR v2.0.5: incorporated by reference in CP/CPS security controls.

  • JPRS CP/CPS v2.00 (2025-08-22): document body and profiles as cited throughout.

(In reply to Ben Wilson from comment #4)

Will SECOM please provide additional information for the Value Justification (especially regarding the minimization of operational and compliance risk)?

1. Benefits to Firefox and Japanese Internet Users

  • JPRS provides TLS certificates primarily for .jp domain holders, ensuring stronger identity assurance for Japanese websites accessed by Firefox users.
  • The localization of validation services (in Japanese, during local business hours, and under Japanese jurisdiction) improves accuracy and responsiveness, enhancing the trust experience for Firefox users in Japan.
  • By aligning its issuance processes with the .jp domain registry data, JPRS reduces the risk of domain-related misissuance and contributes to a more secure namespace for Japanese users.
  • Continued operation of the JPRS CA ensures stability and continuity of services for numerous .jp websites already relied upon by Mozilla’s user base.

2. Public Value and Ecosystem Contribution

  • JPRS’s certificate services reinforce the integrity and trustworthiness of Japan’s national internet infrastructure, benefiting the broader Web PKI ecosystem.
  • JPRS contributes to public security initiatives such as DNSSEC deployment, educational outreach, and promoting HTTPS adoption among Japanese small and medium-sized businesses.
  • JPRS and SECOM actively participate in the CA/Browser Forum, helping to represent regional perspectives and advance best practices that ultimately strengthen Firefox users’ trust globally.

3. Evidence of Trustworthiness and Proven Track Record

  • Since 2016, JPRS has operated under SECOM’s root as an externally managed CA.
  • Independent WebTrust for CA and BR audit reports have consistently confirmed JPRS’s compliance with all applicable requirements.
  • Audit oversight is maintained by SECOM to ensure consistent operational control and compliance verification.
  • JPRS’s operations are technically segregated but subject to SECOM’s oversight and annual review, ensuring that all controls remain equivalent to SECOM’s own trusted CA operations.

4. Risk Mitigation and Operational Oversight

  • SECOM maintains contractual and procedural control over the JPRS subordinate CA, including key ceremony participation, issuance constraints, and incident response authority.
  • The externally operated CA operates under mutually agreed technical and procedural safeguards, ensuring issuance only within predefined scope and subject to SECOM’s compliance monitoring.
  • Certificate profiles, issuance systems, and policy documentation are jointly managed and reviewed, minimizing any risk that external operation could weaken overall CA governance.
  • Both SECOM and JPRS maintain dedicated compliance liaisons to ensure alignment with Mozilla’s Root Store Policy and timely reporting through the CCADB.

5. Ongoing Assurance

  • SECOM and JPRS are coordinating the migration to SECOM’s new root hierarchy consistent with Mozilla’s Root CA Lifecycle expectations.
  • The new subordinate CA will employ modern automation and management support tools to further reduce human error and issuance latency.
  • SECOM commits to continuing transparent public reporting of JPRS operations through CCADB disclosures and incident reporting channels.

Best regards,

ONO Fumiaki / 大野 文彰
(Japanese name order: family name first, in uppercase)
SECOM Trust Systems CO., LTD.

Flags: needinfo?(cainfo)

(In reply to Ben Wilson from comment #5)

The following review of the JPRS CP/CPS ver. 2.00 incorporates results from a new analysis tool that I’m evaluating. I’ve checked the output and found it helpful in surfacing key points, though I have not yet completed a full detailed review.

Dear Ben-san,

Thank you for sharing the compliance review results and for providing detailed observations based on your evaluation of the new analysis tool.
We will promptly address the high-priority findings.
In addition to these, we will also review and consider necessary corrections for other improvements identified during the review to ensure full compliance and consistency.
The updated version will be published before the enforcement date, and we will notify you once it is available in the repository.
We sincerely appreciate your thorough review and guidance.
Once you have completed a full detailed review, we will confirm accordingly.

Best regards,

ONO Fumiaki / 大野 文彰
(Japanese name order: family name first, in uppercase)
SECOM Trust Systems CO., LTD.

I believe that this request is very close to being ready for a 3-week public discussion - according to https://wiki.mozilla.org/CA/External_Sub_CAs#Public_Discussion, "Prior to public discussion on the Mozilla dev-security-policy mailing list or the CCADB Public list, the root CA operator must attest that it has verified all the required documentation."

Whiteboard: [ca-cps-review] → [ca-ready-for-discussion]

(In reply to Ben Wilson from comment #8)

Dear Ben-san,

Thank you for your message.
The CP/CPS for JPRS will be published on 2025-11-28.
SECOM will review the documentation after publication and will contact you once the verification is complete.

Best regards,

ONO Fumiaki / 大野 文彰
(Japanese name order: family name first, in uppercase)
SECOM Trust Systems CO., LTD.

Dear Ben-san,

Please allow us to provide an update.
The CP/CPS for JPRS was published on 2025-11-28 as scheduled.
SECOM reviewed and completed the verification of the documentation.
https://jprs.jp/pubcert/info/repository/

Best regards,

ONO Fumiaki / 大野 文彰
(Japanese name order: family name first, in uppercase)
SECOM Trust Systems CO., LTD.

The public discussion for this request was initiated on February 2, 2026, on dev-security-policy:

https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/KwiE16xP6iE/m/Lspx01kKAgAJ

The discussion period concluded on February 23, 2026. No unresolved concerns were raised during the public review.

Accordingly, JPRS (Japan Registry Services Co., Ltd.) is approved as an externally-operated subordinate CA under SECOM’s roots for the issuance of TLS server authentication certificates, pursuant to MRSP §8.4.

This approval is effective as of February 23, 2026, and is subject to continued compliance with Mozilla Root Store Policy and applicable CA/Browser Forum requirements.

Whiteboard: [ca-ready-for-discussion] → [ca-approved]
Status: ASSIGNED → RESOLVED
Closed: 2 days ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: