May 2015 CA Communication

Question: ACTION #3: After January 1, 2016, we plan to show the "Untrusted Connection" error whenever a SHA-1 certificate issued after that date is encountered in Firefox. And after January 1, 2017, we plan to show the “Untrusted Connection” error whenever any SHA-1 certificate is encountered in Firefox. Please review our guidance about SHA-1 certificates in our security blog, and respond with one of the following.

Owner/Response
A) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017.
B) We are no longer issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program. In the past, we did issue SHA-1 SSL certificates that were valid beyond January 1, 2017, but they have all now been revoked.
C) We are no longer issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by [provide date below]. We have issued [number of - provide below] SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [provide date below].
ACTION #3 Text Input
Grand Total 20 2 10 36
A-Trust We will stop issuing SHA-1 SSL certificates once the new root certificate (that is needed for SHA-2) is included in Firefox. We will update all our clients certificates to SHA-2 and will revoke all SHA-1 certificates at the end of the year.
Actalis We are no longer issuing SHA-1 SSL certificates with a notAfter date beyond January 1, 2017. In the past, we did issue some SHA-1 SSL certificates that were valid beyond January 1, 2017, but they have all now been revoked.
Amazon Amazon has never issued SHA-1 SSL certificates. We do not currently have plans to do so, but may do so up until December 31, 2015. We are aware of the Mozilla changes, including the "Untrusted Connection" message.
AS Sertifitseerimiskeskuse (SK)
Asseco Data Systems S.A. (previously Unizeto Certum) Plan to stop issuing SHA-1 SSL certificates by December 31, 2015. Have issued 1116 SHA-1 SSL certificates that are valid beyond January 1, 2017. Plan to revoke them by December 31, 2016.
Atos
Autoridad de Certificacion Firmaprofesional We have issued 27 SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by December 2015.
Buypass We issue SHA256 SSL certificates as default, but are able to issue SHA-1 SSL certificates for customers on demand. Such SSL certificates shall not be valid beyond January 1, 2017. We plan to stop issuance of SHA-1 SSL certificates by January 1, 2016. We have issued 4 SSL certificates with validity beyond January 1, 2017 and these will be revoked by January 1, 2016.
CA Disig a.s.
Camerfirma We plan to stop issuing SHA1 SSL in December 2015. We have issued about 200 certificates beyond 2017. We plan to revoke all SSL SHA1 certificates by December 2016.
Certicámara S.A. There is no action required, because we don't issue SSL/TLS certificates that chain up to our root certificates in Mozilla's program.
Certinomis We are no longer issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program. We have issued a small number of SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by January 1, 2017.
certSIGN
China Financial Certification Authority (CFCA)
China Internet Network Information Center (CNNIC) We have 2 roots in Mozilla's program, CNNIC ROOT and CNNIC EV ROOT. 3 intermediate certs chain to CNNIC ROOT: CNNIC SSL, CNNIC DQ SSL and CNNIC SHA256 SSL. CNNIC SSL stopped issuing certs, as CNNIC SHA256 SSL has issued SHA256 certs since Jan 28, 2015. 1 intermediate cert (CNNIC EV SSL) chaining to CNNIC EV ROOT is still issuing SHA1 certs. We plan to upgrade EV SSL and DQ SSL to issue SHA256 certs this year.
Chunghwa Telecom Corporation We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by December 31, 2015. We have issued 311 SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by December 31, 2015.
Comodo We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by January 1, 2016. We have issued 169245 SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked and that we have no firm plans to revoke.
ComSign 1 certificate. Will be revoked by Dec 2016.
Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) D) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by 31/12/2015. We have issued 825 SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by 31/12/2017.
Cybertrust Japan / JCSI
D-TRUST
Deutscher Sparkassen Verlag GmbH (S-TRUST, DSV-Gruppe) We do not issue any SSL-certificates.
Dhimyotis / Certigna
DigiCert January 1, 2017 565 January 1, 2017
DocuSign (OpenTrust/Keynectis) We plan to stop issuing SHA-1 SSL certificates by end of December 2015. We do not have yet a planned date to revoke them. On the 11th of May, we have issued 506 SHA-1 SSL certificates still valid after the 1st of January 2017.
e-tugra
EDICOM
Entrust Will stop issuing SHA-1 certificates before 1 January 2016. We currently have 17196 SHA-1 certificates expiring after 2016. We do not plan to revoke any SHA-1 certificates.
GlobalSign (It is actually none of the above but the survey will not save unless one of the choices is made - i.e. We do not yet plan on the revocation step so choice (D) is the closest) We have 36,335 SHA1 certificates that expire after Jan 1 2017 but as revocation is not mandatory and one customer has 25% of the volume of those certificates for use in a non browser environment for client/server communication. Please note that these totals do not include certificates issued by customers in the Trusted Root Program through Name Constrained CA's which have been signed by GlobalSign. This will take longer to gather however we estimate numbers to be much smaller as the majority of customers have been transitioned to SHA256 chains and end entity certificates.
GoDaddy We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by Jan 1, 2016. We have issued 160,000 SHA-1 SSL certificates that are valid beyond January 1, 2017 and are currently not revoked. We presently have no plans to revoke these certificates.
Government of France (ANSSI, DCSSI) 31/12/2015; 1 109; 31/12/2016
Government of Hong Kong (SAR), Hongkong Post, Certizen We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by 31 Dec 2015. We have issued less than 50 SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by 31 Dec 2016. Besides, SHA-1 SSL certificates with 1-year validity period will only be issued upon written request now until 31 Dec 2015. And we have been issuing SHA-256 SSL certificates by default starting from 1 January 2015.
Government of Japan, Ministry of Internal Affairs and Communications
Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV)
Government of Taiwan, Government Root Certification Authority (GRCA) We have now issued 486 SHA-1 SSL certificates that are valid beyond January 1, 2017. We plan to stop issuing SHA-1 SSL certificates before 2015/12/31, and plan to revoke all these SHA-1 SSL certificates before 2016/12/31.
Government of The Netherlands, PKIoverheid (Logius)
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) We informed our customers about this change and we started revoking and renewing their certs. There are 76 SSL certificates left that we didn't revoke yet. Our plan is to finish all of it by December 2015.
HARICA We have issued 24 SHA1 SSL certificates that are valid beyond January 1, 2017. We have already contacted the owners to replace them with new SHA256 and plan to revoke them by 31/8/2016.
IdenTrust IdenTrust stopped selling SHA-1 certificates to the public in December 2014. We continue working with existing customers helping them replace active SHA-1 certificates for SHA-256 versions. On a very limited basis, and only to support legacy platforms, IdenTrust may provide existing customers a SHA1 certificate which will expire no later than December 31, 2016. IdenTrust has issued 182 certificates that are valid beyond January 1, 2017. IdenTrust will have all certificates replaced and revoked by December 31, 2016.
Izenpe S.A.
Microsec e-Szignó CA We have issued <2> SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by <December 31, 2016>
NetLock Ltd.
Nets DanID
PROCERT
QuoVadis We plan to stop issuing SHA-1 SSL by January 1, 2016. We have 986 SHA-1 SSL certificates that are valid beyond January 1, 2017. We presently have no plans to revoke these certificates (as the majority expire in January 2017).
RSA the Security Division of EMC The "RSA Security 2048 V3" does not issue SSL certificates. The intermediate RSA/EMC CA do have SHA-1 SSL certificates issued but are in the process of rectifying the situation. None of the issued SHA-1 SSL certificates are valid beyond January, 2017. More to come on this Action.
SECOM Trust Systems Co. Ltd. Stop issuing by 12/31/2015. Revoked by 12/31/2016.
SG Trust Services
Start Commercial (StartCom) Ltd. We will provide the option for SHA1 hashed certificates in particular for devices that can't handle SHA2 (be it client or server side). It's fully understood that such certificates might not work with common browsers and software in the future, but keep it currently as a backward option. Overall certificates are currently issued already with SHA2 hashes by default.
Swisscom (Switzerland) Ltd We have issued 603 SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by no later than 31.12.2016.
SwissSign AG
Symantec / GeoTrust We plan to stop issuing Sha-1 SSL certs starting Jan 1, 2016. Per CABF rules, we are not actively revoking Sha-1 certs mandatorily; we are highly encouraging customers to replace their long-living Sha-1 certs with Sha-2 certs. There are exceptions where there are non-web uses of our SSL certs where the customer may choose to not replace their Sha-1 cert with a Sha-2 cert.
Symantec / TC TrustCenter We plan to stop issuing Sha-1 SSL certs starting Jan 1, 2016. Per CABF rules, we are not actively revoking Sha-1 certs mandatorily; we are highly encouraging customers to replace their long-living Sha-1 certs with Sha-2 certs. There are exceptions where there are non-web uses of our SSL certs where the customer may choose to not replace their Sha-1 cert with a Sha-2 cert.
Symantec / Thawte We plan to stop issuing Sha-1 SSL certs starting Jan 1, 2016. Per CABF rules, we are not actively revoking Sha-1 certs mandatorily; we are highly encouraging customers to replace their long-living Sha-1 certs with Sha-2 certs. There are exceptions where there are non-web uses of our SSL certs where the customer may choose to not replace their Sha-1 cert with a Sha-2 cert.
Symantec / VeriSign We plan to stop issuing Sha-1 SSL certs starting Jan 1, 2016. Per CABF rules, we are not actively revoking Sha-1 certs mandatorily; we are highly encouraging customers to replace their long-living Sha-1 certs with Sha-2 certs. There are exceptions where there are non-web uses of our SSL certs where the customer may choose to not replace their Sha-1 cert with a Sha-2 cert.
T-Systems International GmbH (Deutsche Telekom) We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by December 31, 2015. We have issued 32262 SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked. We do not plan to revoke any SHA-1 Certificates.
Taiwan-CA Inc. (TWCA) For our root certificates directly included in Mozilla's program: A) We are no longer issuing SHA-1 SSL certificates that chain up to our root certificates in Mozilla's program. We never issued SHA-1 SSL certificates that were valid beyond January 1, 2017. However, SHA-1 SSL certificates were issued by our old SHA1 SSL CA that chains up to Comodo's "AddTrust External CA Root". Some of them expire after January 1, 2017. We plan to revoke those SHA-1 SSL certificates in 2017.
Telia Company (formerly TeliaSonera) We plan to completely stop issuing SHA1 SSL certificates Dec 31, 2016. We have issued multiple SHA1 certificates that are valid beyond January 1, 2017 that we have not yet revoked. We plan to revoke them before Dec 31, 2016. Exact count is under investigation.
Trend Micro We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by December 31, 2016. We have issued zero (0) SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by [Not Applicable - no SHA-1 certs issued beyond 1-1-2017]. Note: we provide a warning to all customers today that SHA-1 certs have been deprecated, and recommend SHA-256 certs instead.
Trustis We have answered d) as no single entry fits our situation. We have emailed Kathleen Wilson with details. We currently have 143 certificates that extend beyond 1 Jan 2017. We plan to revoke these by 31 Dec 2016 but see email to Kathleen referenced above.
Trustwave On 10/29/14 Trustwave stopped issuing SHA-1 certificates to be used in public browser environments that would expire after 1/1/2017. Before that policy, 3757 certificates were issued that expire after 1/1/2017. We have also issued 6049 SHA-1 certificates for non-browser environments that expire after 1/1/2017. We will stop issuing any SHA-1 certificates that chain up to roots in Mozilla’s program on or before 12/31/2015 and are considering plans to revoke those that have not expired after 1/1/2017.
TurkTrust We have issued <200> SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by <December 31 2016>.
Verizon Business We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by December 31, 2015. We have issued 32,221 SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by December 31, 2016. We continue to receive support requests from customers migrated to SHA256 products indicating that they need a SHA-1 alternative. As a global provider with a focus on very large enterprise, our customer profile uses servers and user agents that are outside the apache-Firefox world. Several of our customers have either built or contracted to build their own servers and clients. Some are subject to firmware-based embedment and lack of an OTA/OTW update process. Many vendors outside the B of CABF do not follow the industry change led by Mozilla and its peers. In these situations, we attempt to exert our influence to gain progress toward SHA-2 support, but we face long roadmaps and QA regression testing responses. Ultimately, we need to enable the most secure option available for a deeply entrenched solution. Operating that service with a publicly trusted certificate vetted by an audited team where the service happens to rely on SHA-1 for a bit longer is that option for the near future. We have clearly and extensively documented the SHA-2 migration to all our customers, relying not only on Mozilla's influence but Google's as well. When we are asked to support SHA-1, we ask for the details of the situation and we attempt to contact vendors involved to determine when SHA-2 will reach their products. In some cases, our customers will operate a down-version product for months or years due to it suiting their needs and due to the cost of upgrading across a massive footprint.
Visa We plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by 01/14/2016. We are still evaluating the impact/number of the certificates that are valid beyond January 1, 2017. We will have them revoked by 12/31/2016.
Web.com We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by January 1, 2016. We have issued 23833 SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked and that we have no firm plans to revoke.
Wells Fargo Bank N.A. We plan to cease issuance of SHA-1 certificates by 12-31-2015 so that there will be no SHA-1 certificates with a validity period ending beyond January 1, 2017.
WISeKey We currently plan to stop issuing SHA-1 SSL certificates that chain up to our roots in Mozilla's program by end of September 2015, depending on the acceptance of our new Root. We have issued a number of SHA-1 SSL certificates that are valid beyond January 1, 2017, that we have not yet revoked, and we plan to have them revoked by as soon as our new Root is embedded and we are able to convert customers to SHA-2.
WoSign CA Limited We issued about 187 SHA1 certs that exceed Jan 1, 2017; 8 certs are OV SSL, and 179 certs are free DV SSL certificates. We are trying to contact subscribers to replace them ASAP; the revocation deadline is June 30, 2015. We stopped issuing this kind of SHA1 cert as of Feb. 12, 2015.