CA/Forbidden or Problematic Practices
This page contains comments about various CA practices that have been the subject of discussion in past CA evaluations. Some of these practices are addressed by the Mozilla's Root Store Policy and are forbidden. They are listed here because they are things CAs often get wrong. Others, we do not necessarily consider security risks, but we want to highlight them because they've occasioned controversy in the past and have in some cases caused approval of applications to be delayed. Additional practices may be addressed in future versions of the policy.
- 1 Forbidden Practices
- 1.1 Long-lived Certificates
- 1.2 Non-Standard Email Address Prefixes for Domain Ownership Validation
- 1.3 Issuing End Entity Certificates Directly From Roots
- 1.4 Distributing Generated Private Keys in PKCS#12 Files
- 1.5 Certificates Referencing Local Names or Private IP Addresses
- 1.6 Issuing SSL Certificates for .int Domains
- 1.7 OCSP Responses Signed by a Certificate Under a Different Root
- 1.8 Issuance of SHA-1 Certificates
- 1.9 Delegation of Domain / Email Validation to Third Parties
- 2 Potentially Problematic Practices
Section 6.3.2 of the CA/Browser Forum's Baseline Requirements states: "Subscriber Certificates issued after 1 March 2018 MUST have a Validity Period no greater than 825 days. Subscriber Certificates issued after 1 July 2016 but prior to 1 March 2018 MUST have a Validity Period no greater than 39 months."
Non-Standard Email Address Prefixes for Domain Ownership Validation
Mozilla's Root Store Policy requires CAs to conform to the CA/Browser Forum Baseline Requirements (BRs) in the issuance and management of publicly trusted SSL certificates. This includes the BR restrictions on the use of email as a way of validating that the certificate subscriber owns or controls the domain name to be included in the certificate. CAs are expected to conform to BR Section 18.104.22.168, which restricts the email addresses that may be used to authenticate the subscriber to information listed in the "registrant", "technical", or "administrative" WHOIS records and a selected whitelist of local addresses, which are limited to local-parts of "admin", "administrator", "webmaster", "hostmaster", and "postmaster".
A CA that authorizes certificate subscribers by contacting any other email addresses is deemed to be non-compliant with Mozilla's Root Store Policy and non-conforming to the Baseline Requirements, and may have action taken against it. CAs are also reminded that Mozilla's Root Store Policy and the Baseline Requirements extend to any certificates that are technically capable of issuing SSL certificates, and subordinate CAs that fail to follow these requirements reflect upon the issuing CA that certified it.
Issuing End Entity Certificates Directly From Roots
This is forbidden by the Baseline Requirements.
Distributing Generated Private Keys in PKCS#12 Files
Section 5.2 of Mozilla's Root Store Policy states: "CAs MUST NOT generate the key pairs for end-entity certificates that have an EKU extension containing the KeyPurposeIds id-kp-serverAuth or anyExtendedKeyUsage."
CAs must never generate the key pairs for signer or SSL certificates. CAs may only generate the key pairs for S/MIME certificates. Distribution or transfer of certificates in PKCS#12 form through unsecure electronic channels is not allowed. If a PKCS#12 file is distributed via a physical data storage device, then:
- The storage must be packaged in a way that the opening of the package causes irrecoverable physical damage. (e.g. a security seal)
- The PKCS#12 file must have a sufficiently secure password, and the password must not be transferred together with the storage.
Certificates Referencing Local Names or Private IP Addresses
This is forbidden by Section 22.214.171.124.1 of the Baseline Requirements, which says:
- As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name, the CA SHALL notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016. Also as of the Effective Date, the CA SHALL NOT issue a certificate with an Expiry Date later than 1 November 2015 with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name. Effective 1 October 2016, CAs SHALL revoke all unexpired Certificates whose subjectAlternativeName extension or Subject commonName field contains a Reserved IP Address or Internal Name.
Issuing SSL Certificates for .int Domains
It has come to our attention that some Certification Authorities may have mistakenly issued SSL certificates to non-existent .int domain names. This appears to have happened because the .int domain may have been confused with internal domain names, and not all of the CAs and RAs may be aware that .int is an ICANN approved TLD. In any case, CAs should be no longer issuing certificates for Internal Names.
OCSP Responses Signed by a Certificate Under a Different Root
CAs who issue certificates with OCSP URLs in AIA extensions should make sure that the OCSP responses conform to RFC 2560, and work correctly for Mozilla users without requiring the user to find and install the OCSP responder's certificate, that is, the certificate with which the OCSP response signatures are verified.
RFC 2560, sections 2.2, 2.6, 3.2 and 126.96.36.199 define the requirements for the OCSP response signer's certificate and certificate chain. NSS enforces these requirements exactly.
When an OCSP responder URL is included in end-entity certificates, Firefox will by default attempt to check the certificate's status via OCSP. If the OCSP signer certificate is not the certificate of the CA that issued the certificate in question and is not issued by the CA that issued the certificate in question, the OCSP check will fail with an NSS error code for OCSP, such as SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST or SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE.
For a detailed explanation about why an OCSP responder should not use a self-signed OCSP responder certificate and depend on Trusted Responder Mode within the Firefox browser, see: Details about OCSP Trusted Responder Mode.
Please test your OCSP responder within the Firefox browser by enforcing OCSP as per our CA Recommended Practices for OCSP.
Issuance of SHA-1 Certificates
This is forbidden by the Baseline Requirements.
SHA-1 certificates may be compromised when attackers can create a fake cert that hashes to the same value as one with a legitimate signature, and is hence trusted. Mozilla can mitigate this potential vulnerability by turning off support for SHA-1 based signatures. The SHA-1 root certificates don’t necessarily need to be removed from NSS, because the signatures of root certificates are not validated (roots are self-signed). Disabling SHA-1 will impact intermediate and end entity certificates, where the signatures are validated.
There are still many end entity certificates that would be impacted if support for SHA-1 based signatures was turned off. Therefore, we are hoping to give CAs time to react, and are planning to turn off support for SHA-1 based signatures in 2017. Note that Mozilla will take this action earlier if needed to keep our users safe.
- CAs should not be issuing new SHA-1 certificates, and should be migrating their customers off of SHA-1 intermediate and end-entity certificates.
- If a CA still needs to issue SHA-1 certificates for compatibility reasons, then those SHA-1 certificates should expire before 2017.
- If you aren't sure whether or not your site is using SHA-1, please see https://shaaaaaaaaaaaaa.com/.
- Security Blog Post Regarding SHA-1 Based Signature Algorithms
Delegation of Domain / Email Validation to Third Parties
This is forbidden by the Baseline Requirements, section 1.3.2.
Domain and Email validation are core requirements of the Mozilla's Root Store Policy and should always be incorporated into the issuing CA's procedures. Delegating this function to 3rd parties is not permitted.
Potentially Problematic Practices
Allowing External Entities to Operate Subordinate CAs
Some CAs authorize external entities to operate their own CAs as subordinate CAs under the original CA's root. In considering a root certificate for inclusion in NSS, Mozilla must also evaluate the current subordinate CAs and the selection/approval criteria for future subordinate CAs. If Mozilla accepts and includes a CA's root certificate, then we have to assume that we also accept any of their future sub-CAs and their sub-CAs. Therefore, the selection criteria for a CA's sub-CAs and their sub-CAs will be a critical decision factor, as well as the documentation and auditing-of-operations requirements that the CA places on such relationships.
In order to best ensure the safety and security of Mozilla users, Mozilla has a single consistent policy that describes the expectations for all CAs that will be trusted within its program. Mozilla requires that all participating root CAs fully disclose their hierarchy, including CP, CPS, and audits, when said hierarchy is capable of SSL or email issuance.
More information on our disclosure requirements is available.
During the root inclusion/change process, CAs must provide a clear description of the subordinate CAs that are operated by external third parties, and an explanation as to how the CP/CPS and audits ensure the third parties are in compliance with Mozilla's CA Certificate Policy requirements as per the Subordinate CA Checklist.
After inclusion, CAs must disclose their subordinate CAs in the Common CA Database, and maintain annual updates to the corresponding CP/CPS documents and audit statements.
Generic Names for CAs
In various contexts Firefox and other Mozilla-based products display to users the names of root CAs, issuing CAs, and intermediate CAs in general. In some cases CA names are very generic, e.g., "Secure Server CA"; this makes it difficult for users to ascertain who operates the CA without undertaking a detailed investigation.
Our recommendation is that all CA names incorporate an organizational name or product brand name sufficiently unique to allow relatively straightforward identification of the CA.
Additionally, the issuer and subject information in the root certificate should provide clear indication about who owns or operates the certificate. Generic issuer and subject information inhibits the users' ability to establish a chain of trust, and to pursue complaints when appropriate. For instance, the following issuer information would not be acceptable in a root certificate to be included in NSS.
- CN = Root CA
- OU = Certification Authorities
- OU = Services
- O = admin
There is no information in this issuer that can be linked back to any particular CA. There is no distinguishable company name or brand name. All of the information in this issuer is too generic to do a search on and hope to find the CA.
Important: Both the O and the CN must be meaningful, and not generic terms such as "admin" or "root". It is not acceptable to have the O be a generic term such as "Admin" because it could mislead users that rely on the issuer details, such as when you hover your mouse over the domain or organization section in the address bar.
Lack of Communication With End Users
CAs should be contactable by, and accept and act upon complaints made by, those relying on their assertions of identity. For CAs included in Mozilla, this will include being responsive to members of the general public, including people who have not purchased products from that CA.
Backdating the notBefore Date
Certificates do not contain an issue timestamp, so it is not possible to be certain when they were issued. The notBefore date is the start of the certificate's validity range, and is set by the CA. It should be a reasonable reflection of the date on which the certificate was issued. Minor tweaking for technical compatibility reasons is accepted, but backdating certificates in order to avoid some deadline or code-enforced restriction is not.
Issuer Encoding in CRL
The encoding of the Issuer field in the CRL should be byte-for-byte equivalent with the encoding of the Issuer in the certificate; that is, using the exact same string types and field contents. The specs (RFC 2459, RFC 3280, RFC 5280) permit them to mismatch, but that causes compatibility issues with various clients -- in such cases client software might not find the entry for the revoked certificate in the CRL.