Telekom Security: Transition Plan for Existing Dual-Purpose Roots
Categories
(CA Program :: CA Certificate Root Program, task)
Tracking
(Not tracked)
People
(Reporter: bwilson, Assigned: bwilson)
Details
(Whiteboard: [transition-plan])
Transition Plan for Existing Dual-Purpose Roots
TLS
After the inclusion of Telekom Security’s new TLS Roots in the Chrome Root Store at the end of February, Telekom Security issued two cross-certificates from the TeleSec Global Root Class 3 to the Telekom Security TLS ECC Root 2020 and the Telekom Security TLS RSA Root 2023.
Telekom Security also issued new TLS Sub-CAs under the new TLS Roots to support the transition, ensuring readiness to migrate TLS certificate issuance to the new TLS Roots within the next two months. As a result, the last TLS subscriber certificates issued under Telekom Security’s legacy Root CAs are expected to expire in April 2027. After that point, all TLS certificates will chain exclusively to dedicated TLS Roots.
Note: Telekom Security has also issued new TLS certificates under the Telekom Security TLS RSA Root 2023 for TeleSec Global Root Class 3 test websites and has incorporated the cross-certified trust path in those deployments.
S/MIME
As Apple has indicated plans to include Telekom Security’s new Root CAs in its fall release, Telekom Security currently expects to transition to the new dedicated S/MIME Root CAs for issuing S/MIME certificates by the end of the year.
Accordingly, the last S/MIME certificates issued under the “T-TeleSec Global Root Class 2” are expected to expire in the fourth quarter of 2028. After that, all S/MIME certificates will chain exclusively to dedicated S/MIME Roots.
Comment 1•1 month ago
We have to slightly adjust our TLS transition plan to ensure that some legacy applications that do not fall within the scope of browsers remain functional.
Due to requests from internal customers who provide services for a very large number of older devices (phones, PBX systems) that rely exclusively on the old Root CA “T-TeleSec GlobalRoot Class 2” and cannot be updated, we will continue to issue TLS certificates for these legacy applications under the aforementioned old Root CA. The issuance will be strictly limited to a small group of known customers.
For all other customers, we will transfer the issuance of TLS certificates to the new Root CAs as stated above within the next two weeks. Accordingly, the phasing out of the old Root CA from the browsers’ Root Stores can proceed as planned, and our next step will be to contact the Root Stores to remove the TLS trust bit for “T-TeleSec GlobalRoot Class 2” by May 2027 (unless this is already planned) in order to transition this public Root CA to a private Root CA from a TLS perspective.
If there are any questions or concerns, we look forward to receiving feedback.