Changes

CAs must supply the complete Certification Certificate Policy (CP) and Certification Practice Statement (CPS) containing sufficient information to determine whether and how the CA complies with the Mozilla policy requirements.

* The CA As part of the inclusion process and the Baseline Requirements self-assessment, CAs must provide references to the CP/CPS sections (e.g., by section number and/or page number) that address the requirements of the Mozilla policyand the Baseline Requirements.

"issuewild" records as permitting it to issue."

CP/CPS documents must be structured according to RFC 3647. This requirement is stated in section 2.2 of the CA/Browser Forum Baseline Requirements, with the effective of 31 May 2018. Further, CP/CPS documents should include every component and subcomponent, and the placement of information should be aligned with the BRs; e.g. domain validation practices should be documented in section 3.2.2.4 of the CA’s CP/CPS.

** Note that the Mozilla's root store policy has been updated to define defines acceptable usage of "No Stipulation" in CP/CPS documents.

* Sections should must not be left blank. The purpose of "No Stipulation" is to make it clear that the omission of content was intentional.** Note that Mozilla's root store policy may be updated soon to forbid blank sections in CP/CPS documents.

* If a section in your CP/CPS only applies to a certain type of certificate, then your CP/CPS needs to state that. [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#52-forbidden-and-required-practices Mozilla's Root Store Policy] says: "CAs MUST NOT generate the key pairs for end-entity certificates that have an EKU extension containing the KeyPurposeIds id-kp-serverAuth or anyExtendedKeyUsage." So if your CP/CPS allows for generation and escrow of private keys for personal certificates, then your CP/CPS should clearly indicate that those sections do not apply to SSL TLS server certificates.

* If your CA does not issue SSL certs TLS server certificates containing IP addresses, then section 3.2.2.5, ‘Authentication for an IP Address’ in your CP or CPS should say that such certificate issuance is not allowed; , e.g. “No IP address certificates are issued under this CPS.”* If your CP contains the full description descriptions of physical security required by section 5of RFC 3647, then the CPS may say "As stipulated in section 5 of the CP". (This assumes that the CP is also published on your website, and the CP and CPS documents clearly indicate which root certificates they govern.)

It is '''not''' sufficient to simply reference section 3.2.2.4 of the [https://cabforum.org/baseline-requirements-documents/ CA/Brower Forum's Baseline Requirements (BR)]. The BRs list several ways in which the CA may confirm that the certificate subscriber owns/controls the domain name to be included in the certificate. Simply referencing section 3.2.2.4 of the BRs does not specify which of those options the CA uses, and is insufficient for describing how the CA conforms to the BRs. Section 2.3 of the BRs says: "The CA SHALL develop, implement, enforce, and annually update a Certificate Policy and/or Certification Practice Statement that describes '''in detail''' how the CA implements the latest version of these Requirements. The CA SHALL indicate conformance with this requirement by incrementing the version number and adding a dated changelog entry, even if no other changes are made to the document."

* The following validation methods are prohibited: BR subsections 3.2.2.4.1 and , BR 3.2.2.4.3, BR 3.2.2.4.5 were banned effective 1-August-2018.** "CAs must stop using domain validation methods , BR 3.2.2.4.1 and 6, BR 3.2.2.4.59, stop reusing validation data from those methods"* BR subsection 3.2.2.4.9 was banned by ballot SC1511, effective 16-March 2019and BR 3.2.2.5.4.

ownership/control of the domain name for SSL TLS certificate applications. WHOIS information may be subject to compromise. CAs are responsible for implementing appropriate methods to reduce the risk of compromise. For example, direct command line, HTTPS to the original registrar, or correlating multiple sources. The CA should include information in their its CP/CPS about the method that they use it uses to validate the integrity of the data.

It is not sufficient for the CP/CPS to just state that WHOIS is checked. The CP/CPS needs to have a high -level description of how the WHOIS information is used. What information must match with that provided by the certificate subscriber? Is a phone call made or email sent to the technical or administrative contact field of the domain's WHOIS record? If an email is sent, does it include non-predictable information that the technical or administrative contact must use to respond?

Many CAs use an email challenge-response mechanism to verify that the SSL TLS certificate subscriber owns/controls the domain to be included in the certificate. Some CAs allow applicants to select an address from a predetermined list to be used for this verification. See [[CA:Problematic_Practices#Email_Address_Prefixes_for_DV_Certs|Mozilla's restrictions on the set of verification addresses that may be used.]]

CAs using this method of domain validation must ensure that they are using the full email, and that none of their systems misinterpret the localpart of an email. If your system fails to process the exact email, it will misinterpret the '+' sign as a delimiter. Consider, for example, the WHOIS contact information for a domain of "user+word@example.com" or "user=word@example.com". Both of these email addresses conform to the rules set out in RFC 822 with respect to the 'localpart' syntax. If your system emails to "word@example.com", rather than to the full "user+word@example.com" / "user=word@example.com", it will allow an attacker (who obtains "word@example.com") to cause and obtain certificates for example.com. Please work with your engineering department to ensure that your systems properly handle such cases, as well as handling productions variations, such as quoted-string, as also detailed in RFC 822 and subsequent RFCs. This is especially important as EAI addresses (described in RFC 6530 and related) come into play.

# The OCSP URI must be provided in the certificate, except when OCSP stapling is usedend entity certificates. (sections BR section 7.1.2.2, 7.13.2c.3)# OCSP Responders SHALL NOT respond “Good” for Unissued Certificates. (BR section 4.9.10)# OCSP Responses shall be updated at least every four days and have a maximum expiration time of ten days (additional OCSP requirements may be found in BR section 4.9.10)# CAs MUST NOT issue OCSP responder certificates using SHA-1 (BR section 7.1.3.2.1)# OCSP responses MUST conform to RFC6960 and/or RFC5019. (BR section 4.9.9)

* Go to Firefox -> PreferencesOptions... -> Privacy & Security -> Certificates

* Browse to a website whose SSL TLS certificate chains up to your root and has the corresponding OCSP URI in the AIA extension.

* Maintain network security controls that at minimum meet the [https://www.cabforum.org/documents.html Network and Certificate System Security Requirements.]

A hierarchical structure of a single root with intermediate certs certificates (subrootssubordinate CAs) is preferred. The single top-level root's public certificate is supplied for Mozilla's root list; subordinate CA certificates (including other self-signed root CA certificates that chain to the trusted root) must be reported in the subroots are notCCADB.

Root certificates in Mozilla's program can have either the SSL Websites trust bit set, or the Email trust bit, or both. If only one of those bits is set, relying software will trust certificates in that hierarchy for only that purpose. Nevertheless, it is a best practice for the immediately-issuing intermediate certificate to also contain EKU constraints of either id-kp-serverAuth or id-kp-emailProtection as appropriate, such that if the trust status of the root ever changes (or is not enforced for some reason), the end-entity certificates are still appropriately constrained.