DigiCert is a US-based commercial CA with headquarters in Lindon, UT. DigiCert provides digital certification and identity assurance services internationally to a variety of sectors including business, education, and government.

KPMG Audit Report and Management's Assertions

CRL http://ocsp.digicert.com OV, EV DigiCert Certificate Policy and Certification Practice Statement (CP and CPS for OV), v3.0.3 DigiCert Certification Practice Statement for Extended Validation Certificates (CPS for EV), v1.0.1 https://bugzilla.mozilla.org/show_bug.cgi?id=364568 https://bugzilla.mozilla.org/show_bug.cgi?id=378162

CRL http://ocsp.digicert.com OV, EV DigiCert Certificate Policy and Certification Practice Statement (CP and CPS for OV), v3.0.3 DigiCert Certification Practice Statement for Extended Validation Certificates (CPS for EV), v1.0.1 https://bugzilla.mozilla.org/show_bug.cgi?id=364568 https://bugzilla.mozilla.org/show_bug.cgi?id=378162

CRL http://ocsp.digicert.com OV, EV DigiCert Certificate Policy and Certification Practice Statement (CP and CPS for OV), v3.0.3 DigiCert Certification Practice Statement for Extended Validation Certificates (CPS for EV), v1.0.1 https://bugzilla.mozilla.org/show_bug.cgi?id=364568 https://bugzilla.mozilla.org/show_bug.cgi?id=378162

QuoVadis is a commercial CA, based in Bermuda and operating globally. QuoVadis is a Qualified Certification Services Provider in Switzerland.

Ernst & Young (Technology and Security Risk Services) Audit Report and Management's Assertions KPMG Swiss Accreditation Service statement

This root will be used for SSL/device certificates, including standard "organisation validated" certificates as well as EV certificates.

CRL http://ocsp.quovadisglobal.com/ OV, EV QuoVadis Root CA2 CP/CPS v1.7 QuoVadis Root CA2 CP/CPS v1.7 https://bugzilla.mozilla.org/show_bug.cgi?id=365281 https://bugzilla.mozilla.org/show_bug.cgi?id=378161

This root will operate under a similar CP/CPS to our existing "qualified" Root CA 1, primarily used for end user certificates.

CRL http://ocsp.quovadisglobal.com/ OV QuoVadis Root CA CP/CPS 4.3 QuoVadis Root CA CP/CPS 4.3 https://bugzilla.mozilla.org/show_bug.cgi?id=365281 https://bugzilla.mozilla.org/show_bug.cgi?id=378161

GlobalSign is a commercial CA based in Portsmouth NH and serving customers worldwide.

Deloitte (Denmark) Audit Report and Management's Assertions Ernst & Young Report of Independent Accountants and Assertion of Management Ernst & Young Report of Independent Accountants and Assertion of Management

Root CA with one subordinate CA.

CRL http://evssl-ocsp.globalsign.com/responder EV (policy OID 1.3.6.1.4.1.4146.1.1) GlobalSign Certification Practice Statement, version 6.0 GlobalSign CA Certificate Policy, version 3.0 GlobalSign CP v2.1 GlobalSign CPS v5.3 https://bugzilla.mozilla.org/show_bug.cgi?id=367245 https://bugzilla.mozilla.org/show_bug.cgi?id=378163 https://bugzilla.mozilla.org/show_bug.cgi?id=406796

Root CA with two subordinate CAs.

CRL http://evssl-ocsp.globalsign.com/responder DV, IV/OV, EV (policy OID 1.3.6.1.4.1.4146.1.1) GlobalSign Certification Practice Statement, version 6.0 GlobalSign CA Certificate Policy, version 3.0 https://bugzilla.mozilla.org/show_bug.cgi?id=406794 https://bugzilla.mozilla.org/show_bug.cgi?id=449883 https://bugzilla.mozilla.org/show_bug.cgi?id=446407 Note that a version of this root CA certificate with the same public key but an earlier expiration date (2014-01-28) is already included in the Mozilla list. This request is to replace the older certificate with this certificate and then enable this CA certificate for EV.

Keynectis is a French company, created by merging 2 previous French certification operators, Certplus and PK7.

LSTI - La Sécurité des Technologies de l'Information ETSI Certificate

CRL DV Root CA Certification Policy for SSL Services Declaration des Pratiques de Certification (CPS) https://bugzilla.mozilla.org/show_bug.cgi?id=335392 https://bugzilla.mozilla.org/show_bug.cgi?id=379032

StartCom is a commercial corporation with customers worldwide, and is the producer and vendor of the StartCom Linux operating systems, operates the StartCom Certification Authority and MediaHost.

Ernst and Young Audit Report and Management's Assertions Ernst and Young Audit Report and Management's Assertions

CRL http://ocsp.startcom.org/sub/class2/server/ca DV, OV, EV (policy OID 1.3.6.1.4.1.23223.2) StartCom Certification Authority Policy and Practice Statements StartCom Certification Authority Extended Validation Certificates Policy Appendix Index of Certs https://bugzilla.mozilla.org/show_bug.cgi?id=362304 https://bugzilla.mozilla.org/show_bug.cgi?id=383722 https://bugzilla.mozilla.org/show_bug.cgi?id=490495 https://bugzilla.mozilla.org/show_bug.cgi?id=490492

TÜRKTRUST is a Turkish CA issuing qualified certificates in Turkey.

Turkish Telecommunications Authority Letter of Official CA Statement List of accredited CAs Audit statement on auditor website

Root 1 is a "legacy" root included for compatibility with previously-issued certificates. The English version of the CPS applies to both roots.

CRL CRL CRL http://ocsp.turktrust.com.tr/ DV, IV CPS v03 (English) https://bugzilla.mozilla.org/show_bug.cgi?id=380635 https://bugzilla.mozilla.org/show_bug.cgi?id=410821

Root 2 is the new root that replaced Root 1; Root 2 is used for certificates currently being issued. The English version of the CPS applies to both roots.

CRL CRL CRL http://ocsp.turktrust.com.tr/ DV, IV CPS v03 (English) https://bugzilla.mozilla.org/show_bug.cgi?id=380635 https://bugzilla.mozilla.org/show_bug.cgi?id=410821

Comodo CA Ltd is a commercial CA based in the UK and serving customers worldwide. Comodo has a total of 12 root CA certs included in Mozilla, and altogether 124 subordinate CAs signed by those root CAs. Some of them exist to differentiate between different Comodo brands or products and some are used to re-brand products for its partners. In each case Comodo retains the private key for the subordinate CA within its infrastructure.

KPMG Audit Report and Management's Assertions KPMG Report in relation to the WebTrust for Certification Authorities Extended Validation Criteria

Root CA certificate with subordinate CAs issuing SSL certificates, email certificates, and code signing certificates.

CRL http://ocsp.comodoca.com/ DV, IV/OV, EV (policy OID 1.3.6.1.4.1.6449.1.2.1.5.1) Comodo Certification Practice Statement, Version 3.0 Comodo Extended Validation (EV) Certification Practice Statement, Version 1.03 https://bugzilla.mozilla.org/show_bug.cgi?id=401587 https://bugzilla.mozilla.org/show_bug.cgi?id=426568 https://bugzilla.mozilla.org/show_bug.cgi?id=426572

Root ECC certificate with internal subordinate CA issuing EV SSL certificates, email certificates, and code signing certificates.

CRL http://ocsp.comodoca.com/ EV (policy OID 1.3.6.1.4.1.6449.1.2.1.5.1) Comodo Certification Practice Statement ECC Amendment to Comodo EV CPS Comodo EV Certification Practice Statement https://bugzilla.mozilla.org/show_bug.cgi?id=421946 https://bugzilla.mozilla.org/show_bug.cgi?id=450427 https://bugzilla.mozilla.org/show_bug.cgi?id=450429 This is a new EV request.

VeriSign is a major commercial CA with worldwide operations and customer base.

KPMG Audit Report and Management's Assertions KPMG CA-supplied auditor's letter re WebTrust EV audit

This CA issues a CA certificate to the subordinate CA "VeriSign Class 3 Extended Validation SSL SGC CA", which in turn issues Extended Validation certificates for SSL-enabled servers.

CRL http://evintl-ocsp.verisign.com/ EV (policy OID 2.16.840.1.113733.1.7.23.6) VeriSign Certification Practice Statement, Version 3.5 VeriSign Trust Network Certificate Policies, Version 2.5 https://bugzilla.mozilla.org/show_bug.cgi?id=402947 https://bugzilla.mozilla.org/show_bug.cgi?id=422918 https://bugzilla.mozilla.org/show_bug.cgi?id=422921 Note that for compatibility reasons VeriSign has implemented a cross-signing scheme involving this CA. In this scheme, if applications not supporting EV functionality (e.g., Firefox 2 and earlier) encounter VeriSign EV certificates then they will end up treating this CA as a subordinate CA under the existing VeriSign Class 3 Public Primary CA root.

Trustwave is a commercial CA serving customers worldwide; it includes the former SecureTrust and XRamp CAs. At this time there are no subordinate CAs for any of these roots; instead end entity certificates are issued directly from the roots as noted below, with different classes of certificates under different certificate policies. Note that each root CA is not associated with a single CPS, rather end entity certs are associated with policies that link to the CPS that the certificate was issued under: an EV CPS, an OV CPS, etc.

Boysen & Miller PLLC Audit Report and Management's Assertions

Root CA certificate utilized for issuing SSL certificates (OV and EV) and code signing certificates.

CRL IV/OV, EV (policy OID 2.16.840.1.114404.1.1.2.4.1) SecureTrust Corporation Certificate Practice Statement for Extended Validation Certificates, Version 1.0.1 SecureTrust Corporation Certificate Practice Statement for Organizationally Validated Standard Assurance Certificates, Version 1.5.1 SecureTrust Certification Practice Statement for Code Signing Certificates, Version 1.6.0 https://bugzilla.mozilla.org/show_bug.cgi?id=409837 https://bugzilla.mozilla.org/show_bug.cgi?id=418907 https://bugzilla.mozilla.org/show_bug.cgi?id=418910

Root CA certificate utilized for issuing SSL certificates (OV and EV), S/MIME certificates, and (in future) code signing certificates.

CRL IV/OV, EV (policy OID 2.16.840.1.114404.1.1.2.4.1) SecureTrust Corporation Certificate Practice Statement for Extended Validation Certificates, Version 1.0.1 SecureTrust Corporation Certificate Practice Statement for Organizationally Validated Standard Assurance Certificates, Version 1.5.1 SecureTrust Certification Practice Statement for S/MIME Certificates, Version 1.6.0 SecureTrust Certification Practice Statement for Code Signing Certificates, Version 1.6.0 https://bugzilla.mozilla.org/show_bug.cgi?id=409838 https://bugzilla.mozilla.org/show_bug.cgi?id=418907 https://bugzilla.mozilla.org/show_bug.cgi?id=418910

Root CA certificate utilized for issuing SSL certificates (OV and EV), S/MIME certificates, and code signing certificates.

CRL IV/OV, EV (policy OID 2.16.840.1.114404.1.1.2.4.1) SecureTrust Corporation Certificate Practice Statement for Extended Validation Certificates, Version 1.0.1 SecureTrust Corporation Certificate Practice Statement for Organizationally Validated Standard Assurance Certificates, Version 1.5.1 SecureTrust Certification Practice Statement for S/MIME Certificates, Version 1.6.0 SecureTrust Certification Practice Statement for Code Signing Certificates, Version 1.6.0 https://bugzilla.mozilla.org/show_bug.cgi?id=409840 https://bugzilla.mozilla.org/show_bug.cgi?id=418902 Note that this root CA certificate is already included in the Mozilla list. The present request is to enable this CA certificate for EV.

DigiNotar is a Dutch trusted third party, mainly operating in the Netherlands. They issue certificates based on notary verification of applicants. They service the business, government and consumer markets.

Price Waterhouse Coopers ETSI Certificate Statement of ETSI Compliance Price Waterhouse Coopers Assertion of Management and Audit Report

This is the top root, used only to issue CA certificates for five application-specific subordinate CAs: DigiNotar Public CA 2025 (non-qualified personal certificates), DigiNotar Qualified CA (qualified personal certificates), DigiNotar Services CA (SSL and object signing certificates), DigiNotar Extended Validation CA (EV certificates), and DigiNotar Private CA (CA certificates for organizational CAs).

CRL http://validation.diginotar.nl OV, EV (policy OID 2.16.528.1.1001.1.1.1.12.6.1.1.1) CPS DigiNotar 30 October 2007, Version 3.5 Overview of DigiNotar Root Certificates https://bugzilla.mozilla.org/show_bug.cgi?id=369357 https://bugzilla.mozilla.org/show_bug.cgi?id=431621 https://bugzilla.mozilla.org/show_bug.cgi?id=493265

GeoTrust is a commercial CA with worldwide operations and customer base; it is a subsidiary of VeriSign, Inc.

KPMG Audit Report and Management's Assertions

This CA issues a CA certificate to the subordinate CA GeoTrust Extended Validation SSL CA, which in turn issues Extended Validation certificates for SSL-enabled servers.

CRL http://EVSSL-ocsp.geotrust.com/ EV (policy OID 1.3.6.1.4.1.14370.1.6) GeoTrust Certification Practice Statement, Version 1.0 (January 31, 2008) Other documents https://bugzilla.mozilla.org/show_bug.cgi?id=407168 https://bugzilla.mozilla.org/show_bug.cgi?id=424169 https://bugzilla.mozilla.org/show_bug.cgi?id=424171 Note that for compatibility reasons GeoTrust has implemented a cross-signing scheme involving this CA. In this scheme, if applications not supporting EV functionality (e.g., Firefox 2 and earlier) encounter GeoTrust EV certificates then they will end up treating this CA as a subordinate CA under the existing Equifax Secure CA root.

Go Daddy operates a commercial CA based in the US and serving customers worldwide.

KPMG Independent Accountants' Report

Root CA certificate with a single subordinate CA issuing SSL certificates (DV, OV and EV), email certificates, and code signing certificates.

CRL http://ocsp.startfieldtech.com/ DV, IV/OV, EV (policy OIDs 2.16.840.1.114413.1.7.23.3 and 2.16.840.1.114414.1.7.23.3) Starfield Technologies, Inc. Certificate Policy and Certification Practice Statement (CP/CPS) https://bugzilla.mozilla.org/show_bug.cgi?id=403437 https://bugzilla.mozilla.org/show_bug.cgi?id=418958 https://bugzilla.mozilla.org/show_bug.cgi?id=403437 Both of the CA certificates below are cross-signed to the Valicert Class 2 Policy Validation Authority root for legacy support, so this root is configured to enable EV with both of the EV OIDs associated with the other certificates.

Root CA certificate with a single subordinate CA issuing SSL certificates (DV, OV and EV), email certificates, and code signing certificates.

CRL http://ocsp.godaddy.com/ DV, IV/OV, EV (policy OID 2.16.840.1.114413.1.7.23.3) Starfield Technologies, Inc. Certificate Policy and Certification Practice Statement (CP/CPS) https://bugzilla.mozilla.org/show_bug.cgi?id=403437 https://bugzilla.mozilla.org/show_bug.cgi?id=418958 https://bugzilla.mozilla.org/show_bug.cgi?id=403437

Root CA certificate with a single subordinate CA issuing SSL certificates (DV, OV and EV), email certificates, and code signing certificates.

CRL http://ocsp.starfieldtech.com/ DV, IV/OV, EV (policy OID 2.16.840.1.114414.1.7.23.3) Starfield Technologies, Inc. Certificate Policy and Certification Practice Statement (CP/CPS) https://bugzilla.mozilla.org/show_bug.cgi?id=403437 https://bugzilla.mozilla.org/show_bug.cgi?id=418958 https://bugzilla.mozilla.org/show_bug.cgi?id=403437

Network Solutions is a US-based commercial CA with worldwide customer base.

KPMG Audit Report and Management's Assertions KPMG Report in relation to the WebTrust for Certification Authorities Extended Validation Criteria

This CA has a subordinate CA, Network Solutions EV SSL CA, which issues Extended Validation certificates for SSL-enabled servers. At present there are no other subordinate CAs under this root; however in the future Network Solutions may establish additional subordinate CAs to issue non-EV certificates..

CRL IV/OV, EV (policy OID 1.3.6.1.4.1.782.1.2.1.8.1) Network Solutions Certification Practice Statement, Version 1.4.1 Certification Practice Statement (CPS) for Extended Validation (EV) Certification, Version 1.1 https://bugzilla.mozilla.org/show_bug.cgi?id=403915 https://bugzilla.mozilla.org/show_bug.cgi?id=431381 https://bugzilla.mozilla.org/show_bug.cgi?id=431384

thawte is a commercial CA with worldwide operations and customer base; it is a subsidiary of VeriSign, Inc.

KPMG Audit Report and Management's Assertions

This CA issues a CA certificate to the subordinate CAs thawte Extended Validation SSL CA and thawte Extended Validation SSL SGC CA, which in turn issue Extended Validation certificates for SSL-enabled servers.

CRL http://ocsp.thawte.com/ EV (policy OID 2.16.840.1.113733.1.7.48.1) thawte Certification Practice Statement, Version 3.5 (January 2008) https://bugzilla.mozilla.org/show_bug.cgi?id=407163 https://bugzilla.mozilla.org/show_bug.cgi?id=424152 https://bugzilla.mozilla.org/show_bug.cgi?id=424154 Note that for compatibility reasons thawte has implemented a cross-signing scheme involving this CA. In this scheme, if applications not supporting EV functionality (e.g., Firefox 2 and earlier) encounter thawte EV certificates then they will end up treating this CA as a subordinate CA under the existing Thawte Premium Server CA root.

Entrust is a commercial CA serving the global market for SSL web certificates. Entrust also issues certificates to subordinate CAs for enterprise and commercial use.

Deloitte and Touche LLP Audit Report and Management's Assertions Deloitte and Touche LLP Audit Report and Management's Assertions

This root was primarily created as the trust root for Entrust EV SSL certificates. EV certificates are issued using the Entrust Certification Authority - L1A subordinate CA.

CRL http://ocsp.entrust.net OV, EV (policy OID 2.16.840.1.114028.10.1.2) Entrust SSL Web Server Certification Practice Statement, Version 2.06 Entrust Certificate Services Certification Practice Statement for Extended Validation (EV) SSL Certificates, Version 1.01 Entrust Extended Validation Business Practices https://bugzilla.mozilla.org/show_bug.cgi?id=382352 https://bugzilla.mozilla.org/show_bug.cgi?id=387892 https://bugzilla.mozilla.org/show_bug.cgi?id=416544

SwissSign AG is a commercial CSP that provides certification services for individual and corporate customers. SwissSign operates the certificate authority for the Swiss Post and is mostly focused on Switzerland but Registration Services may be used internationally. The "Platinum G2" Root CA currently has 3 subordinate CAs, the "Gold G2" Root CA has 2 and the "Silver G2" Root CA has 3.

KPMG Swiss Accreditation Service Certified Bodies List SAS details for SwissSign KPMG Confirmation Notice of WebTrust EV Audit

The SwissSign Platinum CA - G2 root has three subordinate CAs. The SwissSign Qualified Platinum CA - G2 issues "qualified" certificates according to Swiss digital signature law (ZertES). The SwissSign Personal Platinum CA - G2 issues certificates for natural persons and organizations. The Swiss Post Platinum CA - G2 issues the "Postzertifikat", a product of the Swiss Post. (Note that each of the subordinate CAs has its own CP/CPS separate from the CP/CPS of the root.) The Platinum CAs require that keys be generated on Secure Signature Creation Devices (SSCDs); since such devices are not used with servers, this hierarchy is enabled for email and object signing uses only.

CRL http://ocsp.swisssign.net/34C58C2353ADD6DEE70092B06BFA269451CA07E4 IV SwissSign Platinum Root CP/CPS SwissSign Qualified Platinum CP/CPS SwissSign Personal Platinum CP/CPS Swiss Post Platinum CP/CPS https://bugzilla.mozilla.org/show_bug.cgi?id=343756 https://bugzilla.mozilla.org/show_bug.cgi?id=407396

The "Gold G2" root CA currently has two subordinate CAs: "Personal" issues certificates for natural persons and organizations, while "Server" issues certificates for systems. This root CA may also operate other customer-specific Issuing CAs if and only if they fully comply with all the stipulations of the "Gold G2" CP/CPS.

CRL http://ocsp.swisssign.net/0E414F33ED1FEE8DAF6A1916B706D286B253008A IV, OV, EV (policy OID 2.16.756.1.89.1.2.1.1) SwissSign Gold CP/CPS R4 End User Agreement R4 SwissSign Document Repository https://bugzilla.mozilla.org/show_bug.cgi?id=343756 https://bugzilla.mozilla.org/show_bug.cgi?id=407396 https://bugzilla.mozilla.org/show_bug.cgi?id=492077

The "Silver G2" root CA currently has three subordinate CAs: "Personal" issues certificates for natural persons and organizations, "Server" issues certificates for systems, and "Switch" is operated for a customer that issues certificates for the academic community

CRL http://ocsp.swisssign.net/A5045DFC48B74304F31B3B90ACB036034D6AC84F IV SwissSign Silver CP/CPS https://bugzilla.mozilla.org/show_bug.cgi?id=343756 https://bugzilla.mozilla.org/show_bug.cgi?id=407396

IdenTrust is a for-profit corporation serving the private, commercial and government sectors.

Ernst and Young Audit Report and Management's Assertions

CRL http://ocsp.digsigtrust.com DV TrustID CP v1.3.1 IdenTrust CPS v2.2 https://bugzilla.mozilla.org/show_bug.cgi?id=359069 https://bugzilla.mozilla.org/show_bug.cgi?id=394733

CRL https://ocspaces.trustdst.com DV Certificate Policy v20040506_1 Certificate Practice Statement v4.1 https://bugzilla.mozilla.org/show_bug.cgi?id=359069 https://bugzilla.mozilla.org/show_bug.cgi?id=394733

DCSSI is part of the French Government. It issues certificates to French Government websites which are used by the general public. Each department has a sub CA; there are at least 20 at the moment, and potentially up to 60.

French Secretariat Général de la Défense Nationale Official decision for IGC/A homologation

This is the root certificate of the French Government CA. The IGC/A root issues a subordinate CA for each organization, which can be only a government or an administrative organization. Each of these subordinate CAs may issue end-entity certificates or additional subordinate CAs to be used for divisions within that organization. Each organization is required to follow the CP and the Government RGS/PRIS, and be audited.

CRL OV Policies and other useful information specific to this root Certificate Policy Repository General Security (RGS) Website Politique de Référencement Intersectorielle de Sécurité (PRIS) Summary of PRIS Variables de temps (for CRL frequency update) PC-Type authentification servers (for SSL) PC-Type authentification Profiles de certificats, LCR et OCSP PC-Type cachet server PC-type signature https://bugzilla.mozilla.org/show_bug.cgi?id=368970 https://bugzilla.mozilla.org/show_bug.cgi?id=477147

Microsec Ltd. is a Hungarian certificate authority.

Hungarian Government National Communications Authority Authority statement

CRL for this root List of CRLs OV Certificate Hierarchy in English CPS in English Qualified Certificate CPS ETSI TS 101.456, QCP public CP ETSI TS 101.456, SSCD CP Non-qualified Certificates CPS (electronic signatures) ETSI TS 102.042, NCP+ CP ETSI TS 102.042, NCP CP ETSI TS 102.042, NCP and ETSI TS 102.042, LCP CP Non-qualified Certificates CPS (other uses) https://bugzilla.mozilla.org/show_bug.cgi?id=370505 https://bugzilla.mozilla.org/show_bug.cgi?id=483852

Deutscher Sparkassen Verlag GmbH is the world's largest smartcard provider and the central certification service provider for all German savings banks. This CA exists to enable up to 40 million German customers (end-users) to use their banking card as a certificate based signature, encryption and authentication device.

TÜV-IT ETSI TS 101.456 Certificate TÜV-IT ETSI TS 102.042 Certificate

This root will provide all customers of the German Savings Bank Financial Group with client certificates for their signature-enabled debit cards (smartcards).

CRL http://ocsp-q.s-trust.de IV Certification Practice Statement for the S-TRUST Network https://bugzilla.mozilla.org/show_bug.cgi?id=370627 https://bugzilla.mozilla.org/show_bug.cgi?id=478573

WISeKey operates the CertifyID Trust Service, which supports customer-specific CAs under a CA hierarchy rooted at the WISeKey Global Root GA CA and containing Policy CAs (subordinate to the root) and Issuing CAs (subordinate to the Policy CAs). Note that all end-entity certificates are issued by the Issuing CAs under policies set by WISeKey.

WTE y E. Álvarez Auditores, S.L. Audit Report and Management's Assertions WTE y E. Álvarez Auditores, S.L. 2008 Audit Report and Management's Assertions

As noted above, the Global Root GA CA is the one and only root for the entire CertifyID system. It issues CA certificates to Policy CAs, which in turn issue CA certificates to Issuing CAs. There are three types of Policy CAs (Standard, Advanced, and Qualified) and three types of Issuing CAs corresponding to these, each issuing a different class of certificates; verification requirements for applicants vary by class.

CRL IV OISTE WISeKey Root CPS 1.01 CertifyID Identity Validation Overview, Version 1.0 Technical Security Controls WD0011 - Version 1.0.1 Table comparing the three different classes of end-entity certificates issued by Issuing CAs. https://bugzilla.mozilla.org/show_bug.cgi?id=371362 https://bugzilla.mozilla.org/show_bug.cgi?id=467138 Note that the CPS for the root CA addresses only procedures related to issuance of certificates for its subordinate CAs. Issues related to issuance of end entity certificates are addressed in the other two documents references, in particular the CPS for the Advanced Services Issuing CA.

T-Systems is a wholly-owned subsidiary of Deutsche Telekom AG.

Ernst and Young Audit Report and Management's Assertions T-Systems GEI ETSI 101.456 Certificate of Compliance

CRL OV CPS (German) CP (German) Service Description (German) CPS (English) CP (English) Service Description (English) https://bugzilla.mozilla.org/show_bug.cgi?id=378882 https://bugzilla.mozilla.org/show_bug.cgi?id=487647

TC TrustCenter GmbH is a commercial company based in Germany, with customers in all major regions of the world. TC TrustCenter offers a variety of products and services including SSL Server certificates and Email certificates.

TÜV-IT Germany ETSI TS 102.042 LCP Certificate

This root has two internally-operated subordinate CAs which issue certificates for SSL, email, and code signing. This root also has an externally-operated subordinate CA which is used to issue device certificates and email certificates for internal use only. The device name and the email address belong to a company internal domain, so the ownership is guaranteed.

CRL http://ocsp.tcclass2-ii.trustcenter.de OV http://ocsp.tcclass1.trustcenter.de/ Hierarchy Diagram TC TrustCenter GmbH Certification Practice Statement (CPS) TC TrustCenter Certificate Policy Definitions (CPD) TC TrustCenter CA Certificates https://bugzilla.mozilla.org/show_bug.cgi?id=392024 https://bugzilla.mozilla.org/show_bug.cgi?id=486759

This root has one internally-operated subordinate CA which issues certificates for SSL, email, and code signing.

CRL http://ocsp.tcclass3-ii.trustcenter.de OV Hierarchy Diagram TC TrustCenter GmbH Certification Practice Statement (CPS) TC TrustCenter Certificate Policy Definitions (CPD) TC TrustCenter CA Certificates https://bugzilla.mozilla.org/show_bug.cgi?id=392024 https://bugzilla.mozilla.org/show_bug.cgi?id=486759

This root has been introduced to reduce the number of root certificates in the trusted root stores. This root will have internally-operated subordinate CAs for each registration strength. “Class 1”, “Class 2”, “Class 3” and “Class 4” represent the registration strength. This root currently has one Class 3 subordinate CA. Over time this root will have more “TC Class x” subordinate CA certificates.

CRL http://ocsp.tcuniversal-i.trustcenter.de OV Hierarchy Diagram TC TrustCenter GmbH Certification Practice Statement (CPS) TC TrustCenter Certificate Policy Definitions (CPD) TC TrustCenter CA Certificates https://bugzilla.mozilla.org/show_bug.cgi?id=392024 https://bugzilla.mozilla.org/show_bug.cgi?id=486759

Dhimyotis services include Certigna ID and Certigna SSL. Certigna is a French CA for the European market and expects to expand to serve other countries (India, USA, South America ... ) soon.

LSTI - La Sécurité des Technologies de l'Information Statement of Compliance with ETSI TS 102.042 LSTI - La Sécurité des Technologies de l'Information 2008 Statement of Compliance with ETSI TS 102.042

The Certigna root has three internally operated subordinated CA’s: Certigna SSL is for SSL-enabled servers, Certigna ID is for authentication and digitally-signed email, and Certigna Chiffrement is for encrypting email.

CRL for the SSL Subordinate CA CRL for the ID Subordinate CA IV/OV Public Portion of CPS Translated Portion of CPS Translated Portion of Code Signing CPS Certificate Policy for SSL Subordinate CA Certificate Policy for ID Subordinate CA http://bugzilla.mozilla.org/show_bug.cgi?id=393166 https://bugzilla.mozilla.org/show_bug.cgi?id=483889

SECOM Trust Services Co., Ltd are a commercial CA based in Japan.

PricewaterhouseCoopers Aarata Report of Independent Certified Public Accountant KPMG Audit Report and Management's Assertion

This request is to add a newly constructed EV root to the NSS database. Note that there is currently a non-EV CA called Security Communication RootCA1 in the NSS database.

CRL EV (policy OID 1.2.392.200091.100.721.1) Security Communication EV RootCA1 Certification Practice Statement, Version 1.00 (Japanese) Security Communication EV RootCA1 Subordinate CA Certificate Policy, Version 1.00 (Japanese) https://bugzilla.mozilla.org/show_bug.cgi?id=394419 https://bugzilla.mozilla.org/show_bug.cgi?id=477134 https://bugzilla.mozilla.org/show_bug.cgi?id=477145

Sociedad Cameral de Certificación Digital - Certicámara S.A. is a commercial CA primarily serving Colombia and Andean Region

Deloitte and Touche Audit Report and Management's Assertions

This is a new root CA certificate authorized by Industry and Commerce Department of Colombia, to replace the Certificado Empresarial Clase-A certificate. It has one internally operated subordinate CA.

CRL OV Certificate Hierarchy Certification Practices Statement (CPS) – in Spanish Declaration of Practices http://bugzilla.mozilla.org/show_bug.cgi?id=401262 http://bugzilla.mozilla.org/show_bug.cgi?id=486424

ComSign is a private company owned by Comda, Ltd., a company specializing in information protection products and solutions. In 2003, ComSign was appointed by the Justice Ministry as a certificate authority in Israel in accordance with the Electronic Signature Law 5761-2001, and is currently the only entity issuing legal authorized electronic signatures according to the Israel law. ComSign has issued electronic signatures to thousands of business people in Israel.

The State of Israel – Ministry of Justice Registered CA Sharony-Shefler Audit Statement 2009

This root has six internally-operated subordinate CAs that are used for issuing digital IDs to individuals and corporations in accordance with the Israeli Electronic Signature Law.

CRL IV, OV Cert Hierarchy Diagram Links to CPSs in Hebrew and English CPS in English https://bugzilla.mozilla.org/show_bug.cgi?id=420705 https://bugzilla.mozilla.org/show_bug.cgi?id=490487

This root has two internally-operated subordinate CAs that are used for issuing certificates for SSL and for code-signing.

CRL OV Cert Hierarchy Diagram Links to CPSs in Hebrew and English CPS in English Security Certificate Approval Regulations For SSL Websites in English https://bugzilla.mozilla.org/show_bug.cgi?id=420705 https://bugzilla.mozilla.org/show_bug.cgi?id=490487

Wells Fargo is a public CA based in San Francisco, California, and serving customers worldwide. This EV CA was created for the purpose of creating an online/intermediate EV SSL issuing authority which will be managed internally, and follow the WellsSecure CPS.

KPMG Audit Report and Management's Assertions KPMG Audit Report and Management's Assertions

Root CA with one internal subordinate CA issuing EV SSL certificates.

CRL http://validator.wellsfargo.com/ EV (policy OID 2.16.840.1.114171.500.9) WellsSecure PKI Certificate Policy http://bugzilla.mozilla.org/show_bug.cgi?id=428390 https://bugzilla.mozilla.org/show_bug.cgi?id=449393 https://bugzilla.mozilla.org/show_bug.cgi?id=449394

Verizon Business Security Solutions Powered by Cybertrust operates a commercial certificate authority service for businesses and governments internationally.

Ernst and Young Audit Report and Management's Assertions Ernst and Young Audit Report and Management's Assertions

This root was created to provide a service to customers desiring a root based outside the United States. Relying on the GTE CyberTrust Global Root for ubiquity through cross-certification, this root is used for issuance of EV SSL certificates. There is currently only one internally-operated subordinate CA called Cybertrust SureServer EV CA. The CPS allows for this root to have other subordinate CAs in the future. The sub-CAs are required to follow the CPS and to have regular audits.

CRL EV (policy OID 1.3.6.1.4.1.6334.1.100.1) Cybertrust CA Certificate Policy Certification Practice Statement http://bugzilla.mozilla.org/show_bug.cgi?id=430700 https://bugzilla.mozilla.org/show_bug.cgi?id=493258 https://bugzilla.mozilla.org/show_bug.cgi?id=493259