(→Reporting Delayed Revocation Incidents: Changes consistent with MRSP and CCADB IRGs)
(→Mozilla’s Expectations on Revocation: Changes consistent with MRSP v.3.0)
Line 32:
== Mozilla’s Expectations on Revocation ==
Previous: CA operators MUST revoke misissued or otherwise problematic TLS server certificates within 24 hours or 5 days, depending on the circumstances set forth in [https://cabforum.org/working-groups/server/baseline-requirements/requirements/#491-circumstances-for-revocation section 4.9.1] of the CA/Browser Forum’s TLS Baseline Requirements (TLS BRs)
Revised: CA operators MUST revoke misissued or otherwise problematic TLS server certificates within 24 hours or 5 days, depending on the circumstances set forth in [https://cabforum.org/working-groups/server/baseline-requirements/requirements/#491-circumstances-for-revocation section 4.9.1] of the CA/Browser Forum’s TLS Baseline Requirements (TLS BRs).
Revised (added): Mozilla does not grant exceptions to the revocation requirements of the TLS BRs.
Revised (added): Furthermore, to ensure compliance with the TLS BRs, beginning September 1, 2025, Mozilla requires that CA operators:
* engage in proactive communication and advise subscribers well in advance about the revocation timelines and explicitly warn them against using publicly-trusted TLS server certificates on systems that cannot tolerate timely revocation;
Previous: * include appropriate language in customer agreements requiring subscribers’ timely cooperation in meeting revocation timelines and acknowledging the CA’s obligations to adhere to applicable policies and standards;
Revised: * include appropriate language in customer agreements requiring subscribers’ timely cooperation in meeting revocation timelines and acknowledging the CA’s obligations to adhere to applicable policies and standards; and
Previous: * prepare and maintain credible plans to address mass revocation events, including detailed procedures for handling mass revocations effectively, including rapid communication with affected parties and conducting annual plan testing
Revised: * prepare and maintain credible plans to address mass revocation events, including detailed procedures for handling mass revocations effectively, including rapid communication with affected parties and conducting annual plan testing.
Revised (added): Beginning with the CA operator’s next annual audit cycle starting on or after June 1, 2025, each CA operator MUST engage a third-party assessor to evaluate whether the CA operator has:
* engage a third party assessor to evaluate whether the CA Operator has:
** credible plans to handle mass revocation events;
** tested the operational effectiveness of the plans, including the accuracy and adequacy of documentation of plan testing, including timelines, results, and remediation steps; and
** incorporated feedback from such exercises to improve future readiness.
Revised (added): The above-referenced June 1, 2025, date is to ensure that compliance with the September 1, 2025, requirements will be evaluated within a reasonable timeframe while allowing CA operators to incorporate mass revocation testing into their CA processes and annual audit cycles. However, the assessment does not have to be conducted as part of the CA operator’s ETSI or WebTrust audit unless the CA operator finds it more convenient to include it within that scope. The assessment may be conducted separately by a qualified third-party assessor, provided it meets the stated evaluation criteria.
== Reporting Delayed Revocation Incidents ==