ACCV (Autoritat de Certificacio de la Comunitat Valenciana) is a CA operated by the government of the Valencia region of Spain.

Seguridad y Sistemas de Informacion S.L. Informe de Auditoria Independiente

CRL http://ocsp.pki.gva.es/ DV, IV Declaracion de Practicas de Certificacion (CPS) de la ACCV, v1.7 http://bugzilla.mozilla.org/show_bug.cgi?id=274100

IdenTrust is a for-profit corporation serving the private, commercial and government sectors.

Ernst and Young Audit Report and Management's Assertions

CRL http://ocsp.digsigtrust.com DV TrustID CP v1.3.1 IdenTrust CPS v2.2 https://bugzilla.mozilla.org/show_bug.cgi?id=359069

CRL https://ocspaces.trustdst.com DV Certificate Policy v20040506_1 Certificate Practice Statement v4.1 https://bugzilla.mozilla.org/show_bug.cgi?id=359069

Trustwave is a commercial CA serving customers worldwide; it includes the former SecureTrust and XRamp CAs. At this time there are no subordinate CAs for any of these roots; instead end entity certificates are issued directly from the roots as noted below, with different classes of certificates under different certificate policies. Note that each root CA is not associated with a single CPS, rather end entity certs are associated with policies that link to the CPS that the certificate was issued under: an EV CPS, an OV CPS, etc.

Boysen & Miller PLLC Audit Report and Management's Assertions

Root CA certificate utilized for issuing SSL certificates (OV and EV) and code signing certificates.

Root CA certificate utilized for issuing SSL certificates (OV and EV), S/MIME certificates, and (in future) code signing certificates.

CRL IV/OV, EV (policy OID 2.16.840.1.114404.1.1.2.4.1) SecureTrust Corporation Certificate Practice Statement for Extended Validation Certificates, Version 1.0.1 SecureTrust Corporation Certificate Practice Statement for Organizationally Validated Standard Assurance Certificates, Version 1.5.1 SecureTrust Certification Practice Statement for S/MIME Certificates, Version 1.6.0 SecureTrust Certification Practice Statement for Code Signing Certificates, Version 1.6.0 https://bugzilla.mozilla.org/show_bug.cgi?id=409838 https://bugzilla.mozilla.org/show_bug.cgi?id=418907

Root CA certificate utilized for issuing SSL certificates (OV and EV), S/MIME certificates, and code signing certificates.

CRL IV/OV, EV (policy OID 2.16.840.1.114404.1.1.2.4.1) SecureTrust Corporation Certificate Practice Statement for Extended Validation Certificates, Version 1.0.1 SecureTrust Corporation Certificate Practice Statement for Organizationally Validated Standard Assurance Certificates, Version 1.5.1 SecureTrust Certification Practice Statement for S/MIME Certificates, Version 1.6.0 SecureTrust Certification Practice Statement for Code Signing Certificates, Version 1.6.0 https://bugzilla.mozilla.org/show_bug.cgi?id=409840 https://bugzilla.mozilla.org/show_bug.cgi?id=418902 Note that this root CA certificate is already included in the Mozilla list. The present request is to enable this CA certificate for EV.

Korea Information Security Agency (KISA) is the Electronic Signature Authorization Management Center for South Korea. The Korean Certification Authority Central (KCAC) of KISA issues certificates to six (6) intermediate CAs ("licensed CAs" or LCAs), which then issue end entity certificates to Korean citizens, businesses, and other organizations.

Ministry of Information and Communication, Republic of Korea Public statement by MIC re KISA/KCAC audit

Certificates are issued from this root only to KISA's 6 LCAs (Licensed CAs), not directly to end entities. Note that this root is apparently being phased out in favor of the KISA RootCA 1.

CRL DV and IV CPS 1.1 (English) CPS 1.3 (Korean) Certificate issuing procedure (Korean) Web Server Security, Code-Signing, Secure E-mail Certificates Issuance Administration Guideline (English) https://bugzilla.mozilla.org/show_bug.cgi?id=335197

Certificates are issued from this root only to KISA's 6 LCAs (Licensed CAs), not directly to end entities. Note that this root CA is replacing CertRSA01.

CRL DV and IV CPS 1.1 (English) CPS 1.3 (Korean) Certificate issuing procedure Web Server Security, Code-Signing, Secure E-mail Certificates Issuance Administration Guideline (English) https://bugzilla.mozilla.org/show_bug.cgi?id=335197

Certificates are issued from this root only to KISA's 6 LCAs (Licensed CAs), not directly to end entities.

SwissSign AG is a commercial CSP that provides certification services for individual and corporate customers. SwissSign operates the certificate authority for the Swiss Post and is mostly focused on Switzerland but Registration Services may be used internationally. The "Platinum G2" Root CA currently has 3 subordinate CAs, the "Gold G2" Root CA has 2 and the "Silver G2" Root CA has 3.

KPMG Swiss Accreditation Service Certified Bodies List SAS details for SwissSign

The SwissSign Platinum CA - G2 root has three subordinate CAs. The SwissSign Qualified Platinum CA - G2 issues "qualified" certificates according to Swiss digital signature law (ZertES). The SwissSign Personal Platinum CA - G2 issues certificates for natural persons and organizations. The Swiss Post Platinum CA - G2 issues the "Postzertifikat", a product of the Swiss Post. (Note that each of the subordinate CAs has its own CP/CPS separate from the CP/CPS of the root.) The Platinum CAs require that keys be generated on Secure Signature Creation Devices (SSCDs); since such devices are not used with servers, this hierarchy is enabled for email and object signing uses only.

CRL http://ocsp.swisssign.net/34C58C2353ADD6DEE70092B06BFA269451CA07E4 IV SwissSign Platinum Root CP/CPS SwissSign Qualified Platinum CP/CPS SwissSign Personal Platinum CP/CPS Swiss Post Platinum CP/CPS https://bugzilla.mozilla.org/show_bug.cgi?id=343756 https://bugzilla.mozilla.org/show_bug.cgi?id=407396

The "Gold G2" root CA currently has two subordinate CAs: "Personal" issues certificates for natural persons and organizations, while "Server" issues certificates for systems. This root CA may also operate other customer-specific Issuing CAs if and only if they fully comply with all the stipulations of the "Gold G2" CP/CPS.

CRL http://ocsp.swisssign.net/0E414F33ED1FEE8DAF6A1916B706D286B253008A IV SwissSign Gold CP/CPS https://bugzilla.mozilla.org/show_bug.cgi?id=343756 https://bugzilla.mozilla.org/show_bug.cgi?id=407396

The "Silver G2" root CA currently has three subordinate CAs: "Personal" issues certificates for natural persons and organizations, "Server" issues certificates for systems, and "Switch" is operated for a customer that issues certificates for the academic community

CRL http://ocsp.swisssign.net/A5045DFC48B74304F31B3B90ACB036034D6AC84F IV SwissSign Silver CP/CPS https://bugzilla.mozilla.org/show_bug.cgi?id=343756 https://bugzilla.mozilla.org/show_bug.cgi?id=407396

DCSSI is a part of the French Government. It issues certificates to French Government websites which are used by the general public. Each department has a sub CA; there are at least 20 at the moment, and potentially up to 60.

Secretariat Général de la Défense Nationale Documents Classified!

3 DV https://bugzilla.mozilla.org/show_bug.cgi?id=368970 No CRL or OCSP. No CPS or CP.

DV https://bugzilla.mozilla.org/show_bug.cgi?id=368970 No CRL or OCSP. No CPS or CP. Audit documents are classified.

Microsec Ltd. is a Hungarian certificate authority.

Hungarian Government National Communications Authority Authority statement

Qualified services (list of CRLs) Non-qualified services (list of CRLs) OV Qualified Certificate CPS ETSI TS 101.456, QCP public CP ETSI TS 101.456, SSCD CP Non-qualified Certificates CPS (electronic signatures) ETSI TS 102.042, NCP+ CP ETSI TS 102.042, NCP CP ETSI TS 102.042, NCP and ETSI TS 102.042, LCP CP Non-qualified Certificates CPS (other uses) https://bugzilla.mozilla.org/show_bug.cgi?id=370505

Deutscher Sparkassen Verlag GmbH is the world's largest smartcard provider and the central certification service provider for all German savings banks. This CA exists to enable up to 40 million German customers (end-users) to use their banking card as a certificate based signature, encryption and authentication device.

TÜV-IT ETSI TS 101.456 Certificate TÜV-IT ETSI TS 102.042 Certificate

This root will provide all customers of the German Savings Bank Financial Group with client certificates for their signature-enabled debit cards (smartcards).

CRL http://ocsp.s-trust.de IV Certification Practice Statement for the S-TRUST Network https://bugzilla.mozilla.org/show_bug.cgi?id=370627

This root will provide all customers of the German Savings Bank Financial Group with client certificates for their signature-enabled debit cards (smartcards).

CRL http://ocsp-q.s-trust.de IV Certification Practice Statement for the S-TRUST Network https://bugzilla.mozilla.org/show_bug.cgi?id=370627

This root will provide all customers of the German Savings Bank Financial Group with client certificates for their signature-enabled debit cards (smartcards).

CRL http://ocsp-q.s-trust.de IV Certification Practice Statement for the S-TRUST Network https://bugzilla.mozilla.org/show_bug.cgi?id=370627

This root will provide all customers of the German Savings Bank Financial Group with client certificates for their signature-enabled debit cards (smartcards).

CRL http://ocsp-q.s-trust.de IV Certification Practice Statement for the S-TRUST Network https://bugzilla.mozilla.org/show_bug.cgi?id=370627

DigiNotar is a Dutch trusted third party, mainly operating in the Netherlands. They issue certificates based on notary verification of applicants. They service the business, government and consumer markets.

Price Waterhouse Coopers ETSI Certificate

This is the top root, used only to issue CA certificates for five application-specific subordinate CAs: DigiNotar Public CA 2025 (non-qualified personal certificates), DigiNotar Qualified CA (qualified personal certificates), DigiNotar Services CA (SSL and object signing certificates), DigiNotar Extended Validation CA (EV certificates), and DigiNotar Private CA (CA certificates for organizational CAs).

CRL http://validation.diginotar.nl DV, IV, EV (policy OID ??) CPS DigiNotar 30 October 2007, Version 3.5 https://bugzilla.mozilla.org/show_bug.cgi?id=369357

The Telekom-Control Commission is the Austrian supervisory authority for electronic signatures. Its responsibility includes supervision of all certification service providers established in Austria. For every CA key used by an Austrian certification service provider, the TKK issues a certificate to the certification service provider. Based on these certificates, all certificates issued by supervised Austrian certification service providers can be verified. There are five subordinate CAs, each of which issues certificates for a different purpose.

Secure Information Technology Center - Austria Conformity Assessment Statement

The TKK issues certificates to certification service providers who are supervised according to the Austrian Electronic Signatures Act. The corresponding private keys of certification service providers are used for issuing certificates to end entities (signatories).

CRL OV Certificate Policy Certificate Practice Statement https://bugzilla.mozilla.org/show_bug.cgi?id=373174 CRL doesn't work in Firefox - bug 133191.

VeriSign is a major commercial CA with worldwide operations and customer base.

KPMG Audit Report and Management's Assertions KPMG CA-supplied auditor's letter re WebTrust EV audit

This CA issues a CA certificate to the subordinate CA "VeriSign Class 3 Extended Validation SSL SGC CA", which in turn issues Extended Validation certificates for SSL-enabled servers.

CRL http://evintl-ocsp.verisign.com/ EV (policy OID 2.16.840.1.113733.1.7.23.6) VeriSign Certification Practice Statement, Version 3.5 VeriSign Trust Network Certificate Policies, Version 2.5 https://bugzilla.mozilla.org/show_bug.cgi?id=402947 https://bugzilla.mozilla.org/show_bug.cgi?id=422921 Note that for compatibility reasons VeriSign has implemented a cross-signing scheme involving this CA. In this scheme, if applications not supporting EV functionality (e.g., Firefox 2 and earlier) encounter VeriSign EV certificates then they will end up treating this CA as a subordinate CA under the existing VeriSign Class 3 Public Primary CA root.

This root CA (also known as PCA3 - G1) participates in the cross-signing scheme by which EV certs issued under the VeriSign Class 3 Public Primary Certification Authority - G5 hierarchy may chain up to existing VeriSign roots.

This root CA (also known as PCA3 - G2) participates in the cross-signing scheme by which EV certs issued under the VeriSign Class 3 Public Primary Certification Authority - G5 hierarchy may chain up to existing VeriSign roots.

This root CA (also known as PCA3 - G3) participates in the cross-signing scheme by which EV certs issued under the VeriSign Class 3 Public Primary Certification Authority - G5 hierarchy may chain up to existing VeriSign roots.

WISeKey operates the CertifyID Trust Service, which supports customer-specific CAs under a CA hierarchy rooted at the WISeKey Global Root GA CA and containing Policy CAs (subordinate to the root) and Issuing CAs (subordinate to the Policy CAs). Note that all end-entity certificates are issued by the Issuing CAs under policies set by WISeKey.

WTE y E. Álvarez Auditores, S.L. Audit Report and Management's Assertions

As noted above, the Global Root GA CA is the one and only root for the entire CertifyID system. It issues CA certificates to Policy CAs, which in turn issue CA certificates to Issuing CAs. There are three types of Policy CAs (Standard, Advanced, and Qualified) and three types of Issuing CAs corresponding to these, each issuing a different class of certificates; verification requirements for applicants vary by class.

CRL IV OISTE WISeKey Root CPS 1.01 CertifyID Identity Validation Overview, Version 1.0 WISeKey SA Advanced Services Issuing Certification Authority Certification Practice Statement, Version 1.01 Technical Security Controls WD0011 - Version 1.0.1 Table comparing the three different classes of end-entity certificates issued by Issuing CAs. https://bugzilla.mozilla.org/show_bug.cgi?id=371362 Note that the CPS for the root CA addresses only procedures related to issuance of certificates for its subordinate CAs. Issues related to issuance of end entity certificates are addressed in the other two documents references, in particular the CPS for the Advanced Services Issuing CA.

a.trust is an accredited Trust Center in Austria issuing smartcard-based qualified certificates for Austrian citizens, to be used in eGovernment, etc.

The intermediate CAs below this CA issue only qualified smartCard-based certificates to a natural person after a face-to-face identification.

CRL http://ocsp.a-trust.at/ocsp IV Full list of CPs Full list of CPSes https://bugzilla.mozilla.org/show_bug.cgi?id=373746

The intermediate CAs below this CA issue qualified smartCard-based certificates to a natural person after a face-to-face identification, smartCard-based certificates to a natural person after a face-to-face identification (eg.: email), and server certificates (eg. SSL) after domain-verification.

CRL http://ocsp.a-trust.at/ocsp DV, IV Full list of CPs Full list of CPSes https://bugzilla.mozilla.org/show_bug.cgi?id=373746 Presumably the sub-CA for which they have given a CP/CPS is only signed by one of these four...

The intermediate CAs below this CA issue smartCard-based certificates to a natural person after a face-to-face identification (eg.: email), software certificates (pKCS#12), and server certificates (eg. SSL) after domain-verification

CRL http://ocsp.a-trust.at/ocsp DV, IV Full list of CPs Full list of CPSes https://bugzilla.mozilla.org/show_bug.cgi?id=373746

ARGE DATEN, the Austrian Society for Data Protection is a non-profit non-governmental organisation. It is the Austrian market leader in issuing certificates for eBilling. It operates subordinate CAs for eBilling, SSL Server Certificates, SSL Client Certificates, and members of governmental institutions.

This root certificate issues both end-user certificates and CA certificates. It is the current root certificate of ARGE DATEN.

CRL http://ocsp.a-cert.at IV A-CERT Certificate Policy v1.5 https://bugzilla.mozilla.org/show_bug.cgi?id=348987

This root certificate will not directly issue end-user certificates. It is used to issue the subordinate CA certificates which in turn issue the end-user certificates. This certificate is the successor to the A-CERT ADVANCED root certificate.

CRL http://ocsp.a-cert.at IV GLOBALTRUST Certificate Policy v1.2 https://bugzilla.mozilla.org/show_bug.cgi?id=348987

Trustis is a commercial CA operating primarily in the UK and Europe.

KPMG Audit Report and Management Assertions Lloyds Register Quality Assurance Service Description and Profile details

CRL IV Trustis FPS Root CP v1.04 PKI Disclosure Statement v1.04 Trustis CPS v1.1 https://bugzilla.mozilla.org/show_bug.cgi?id=324126

TÜRKTRUST is a Turkish CA issuing qualified certificates in Turkey.

Turkish Telecommunications Authority Letter of Official CA Statement List of accredited CAs Audit statement on auditor website

Root 1 is a "legacy" root included for compatibility with previously-issued certificates. The English version of the CPS applies to both roots.

CRL CRL CRL http://ocsp.turktrust.com.tr/ DV, IV CPS v03 (English) https://bugzilla.mozilla.org/show_bug.cgi?id=380635 https://bugzilla.mozilla.org/show_bug.cgi?id=410821

Root 2 is the new root that replaced Root 1; Root 2 is used for certificates currently being issued. The English version of the CPS applies to both roots.

CRL CRL CRL http://ocsp.turktrust.com.tr/ DV, IV CPS v03 (English) https://bugzilla.mozilla.org/show_bug.cgi?id=380635 https://bugzilla.mozilla.org/show_bug.cgi?id=410821

Entrust is a commercial CA serving the global market for SSL web certificates. Entrust also issues certificates to subordiate CAs for enterprise and commercial use.

Deloitte and Touche LLP Audit Report and Management's Assertions

This root was primarily created as the trust root for Entrust EV SSL certificates.

CRL http://ocsp.entrust.net OV, EV CPS v2.06 https://bugzilla.mozilla.org/show_bug.cgi?id=382352

ComSign is a commercial Israeli CA.

Used for signing subordinates for issuing digital ID's to individuals and corporations in accordance w/ the Israeli Electronic Signature Law.

CRL IV CPS https://bugzilla.mozilla.org/show_bug.cgi?id=382158

Used for signing subordinates for issuing digital ID's to individuals and corporations in accordance w/ the Israeli Electronic Signature Law.

CRL DV, IV, EV CPS https://bugzilla.mozilla.org/show_bug.cgi?id=382158

Used for signing subordinates for issuing digital ID's to individuals and corporations in accordance w/ the Israeli Electronic Signature Law.

CRL DV, IV, EV CPS https://bugzilla.mozilla.org/show_bug.cgi?id=382158

Kamu Sertifikasyon Merkezi is the one government CA in Turkey that has authorization to issue certificates to government entities. They are also authorised to issue to commercial companies.

Turkish Telecommunications Authority Letter from the TA TTA statement of ETSI compliance

CRL http://ocsp.kamusm.gov.tr DV, IV CP CPS https://bugzilla.mozilla.org/show_bug.cgi?id=381974

Izenpe is owned by the government of the Basque country, Spain.

BSI Management Systems ETSI Certificate

CRL http://ocsp.izenpe.com:8094 DV, OV Declaración de Prácticas de Certificación v3.8 https://bugzilla.mozilla.org/show_bug.cgi?id=361957

T-Systems is a wholly-owned subsidiary of Deutsche Telekom AG.

T-Systems GEI ETSI 101.456 Certificate of Compliance

CRL IV CP v1.1 CPS v1.0 CPS v1.1 (English) CP v1.2 (English) https://bugzilla.mozilla.org/show_bug.cgi?id=378882

TC TrustCenter is a commercial CA based in Germany. They offer a variety of products and services including SSL Server certificates and Email certificates.

TÜV-IT Germany ETSI TS 102.042 LCP Certificate

This root is used for email and SSL client auth only.

CRL http://ocsp.tcclass1.trustcenter.de/ DV CP (October 23rd, 2006) TC TrustCenter GmbH CPS v1.6 https://bugzilla.mozilla.org/show_bug.cgi?id=392024

This Root is being used to issue all types of certificate, e.g. Email Security, SSL-Client-Authentication, SSL-Server, CodeSigning.

CRL http://ocsp.tcclass2-ii.trustcenter.de IV CP (October 23rd, 2006) TC TrustCenter GmbH CPS v1.6 https://bugzilla.mozilla.org/show_bug.cgi?id=392024

This Root is being used to issue all types of certificate, e.g. Email Security, SSL-Client-Authentication, SSL-Server, CodeSigning.

CRL http://ocsp.tcclass3-ii.trustcenter.de IV CP (October 23rd, 2006) TC TrustCenter GmbH CPS v1.6 https://bugzilla.mozilla.org/show_bug.cgi?id=392024

This Root is being used to issue all types of certificate, e.g. Email Security, SSL-Client-Authentication, SSL-Server, CodeSigning.

CRL http://ocsp.tcclass4-ii.trustcenter.de EV CP (October 23rd, 2006) TC TrustCenter GmbH CPS v1.6 https://bugzilla.mozilla.org/show_bug.cgi?id=392024

This Root is being used to issue all types of certificate, e.g. Email Security, SSL-Client-Authentication, SSL-Server, CodeSigning.

CRL http://ocsp.tcuniversal-i.trustcenter.de DV CP (October 23rd, 2006) TC TrustCenter GmbH CPS v1.6 https://bugzilla.mozilla.org/show_bug.cgi?id=392024

This Root is being used to issue all types of certificate, e.g. Email Security, SSL-Client-Authentication, SSL-Server, CodeSigning.

CRL http://ocsp.tcuniversal-ii.trustcenter.de DV CP (October 23rd, 2006) TC TrustCenter GmbH CPS v1.6 https://bugzilla.mozilla.org/show_bug.cgi?id=392024

SECOM Trust Services Co., Ltd are a commercial CA based in Japan.

PricewaterhouseCoopers Aarata Report of Independent Certified Public Accountant KPMG Audit Report and Management's Assertion

CRL EV Security Communication EV RootCA1 Certification Practice Statement, Version 1.00 (Japanese) Security Communication EV RootCA1 Subordinate CA Certificate Policy, Version 1.00 (Japanese) https://bugzilla.mozilla.org/show_bug.cgi?id=394419

QuoVadis is a commercial CA, based in Bermuda and operating globally. QuoVadis is a Qualified Certification Services Provider in Switzerland.

Ernst & Young (Technology and Security Risk Services) Audit Report and Management's Assertions KPMG Swiss Accreditation Service statement Ernst & Young CA-supplied auditor's letter re WebTrust EV audit

This root will be used for SSL/device certificates, including standard "organisation validated" certificates as well as EV certificates. The associated EV policy OID is 1.3.6.1.4.1.8024.0.2.100.1.2.

CRL http://ocsp.quovadisglobal.com/ OV, EV QuoVadis Root CA2 CP/CPS v1.8 https://bugzilla.mozilla.org/show_bug.cgi?id=403665 https://bugzilla.mozilla.org/show_bug.cgi?id=418701 Note that this root CA certificate is already included in the Mozilla list (per bug 365281). The present request is to enable this CA certificate for EV.

DigiCert is a US-based commercial CA with headquarters in Lindon, UT. DigiCert provides digital certification and identity assurance services internationally to a variety of sectors including business, education, and government.

KPMG Audit Report and Management's Assertions KPMG Report in relation to the WebTrust for Certification Authorities Extended Validation Criteria

CRL http://ocsp.digicert.com OV, EV (policy OID 2.16.840.1.114412.2.1) DigiCert Certificate Policy and Certification Practice Statement (CP and CPS for OV), v3.0.6 DigiCert Certification Practice Statement for Extended Validation Certificates (CPS for EV), v1.0.1 https://bugzilla.mozilla.org/show_bug.cgi?id=403644 https://bugzilla.mozilla.org/show_bug.cgi?id=416827 Note that this root CA certificate is already included in the Mozilla list. The present request is to enable this CA certificate for EV.

Comodo CA Ltd is a commercial CA based in the UK and serving customers worldwide. Comodo has eleven root CA certs already included in Mozilla, all of which it would like upgraded for EV use, and one additional EV root requested for inclusion. There are altogether 124 subordinate CAs signed by the root CAs listed below. Some of them exist to differentiate between different Comodo brands or products and some are used to re-brand products for its partners. In each case Comodo retains the private key for the subordinate CA within its infrastructure.

KPMG Audit Report and Management's Assertions KPMG Report in relation to the WebTrust for Certification Authorities Extended Validation Criteria