About Mozilla's CA Certificate Policy Version 2.2
Purpose of this update
There are two primary drivers of this particular update to Mozilla's CA Certificate Policy:
- Make sure CAs are prepared to monitor and handle the introduction of new gTLDs by ICANN. This will be accomplished by requiring compliance with version 1.1.5 of the CA/Browser Forum's Baseline Requirements. Further details may be found in the mozilla.dev.security.policy discussion forum.
- Update the Enforcement section to emphasize that knowing or intentional mis-issuance of a certificate will have serious ramifications.
Time Frames for included CAs to comply with version 2.2 of the policy
Version 2.2 of Mozilla's CA Certificate Policy was published on July 26, 2013.
Certificates issued before July 26, 2013, must at least meet the requirements of Version 2.0 of Mozilla's CA Certificate Policy and be transitioning to compliance with Version 2.1 of Mozilla's CA Certificate Policy.
CAs have the transition time frames described below to become compliant with the policies that were updated in Version 2.2 of Mozilla's CA Certificate Policy.
Version 1.1.5 of the Baseline Requirements
Item #12 of Mozilla's CA Certificate Inclusion Policy has been updated to require compliance with version 1.1.5 of the CA/Browser Forum's Baseline Requirements (previously version 1.1 was required).
Important: Version 1.1.5 of the Baseline Requirements adds BR #11.1.4 to address a security concern that arises as applied-for new gTLD strings are granted: a name issued as an internal name, on the assumption that its rightmost label is not a public TLD, becomes a public DNS name once that string is delegated. As soon as applied-for new gTLDs are approved, they must be treated as if they were delegated TLDs, and can no longer be used in internal name certificates. Details may be found in the mozilla.dev.security.policy forum.
ICANN has implemented a notification service to help CAs track contracting milestones for applied-for gTLD strings.
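The check a CA needs here is mechanical: before issuance, look at the rightmost label of every requested dNSName and treat any label that ICANN has approved as a new gTLD exactly like a delegated TLD. The following is an added example (not Mozilla's or the CA/Browser Forum's code) that screens a request this way; the TLD sets in it are constructed for illustration and stand in for data a CA would refresh from ICANN's published status information.

```python
"""Screen the dNSNames requested for a certificate against the TLDs a CA
treats as delegated. Added example, not Mozilla's or the CA/Browser Forum's
code; the TLD sets are constructed for illustration, not taken from ICANN."""

import ipaddress

# Constructed sample data: a handful of long-standing TLDs, plus two strings
# standing in for applied-for gTLDs that ICANN has just approved. In a real
# deployment both sets are refreshed from ICANN's published status data.
DELEGATED_TLDS = {"com", "net", "org", "uk"}
APPROVED_NEW_GTLDS = {"bank", "corp"}      # hypothetical values


def rightmost_label(name):
    """Return the lowercase rightmost DNS label, ignoring a trailing dot."""
    return name.lower().rstrip(".").rsplit(".", 1)[-1]


def classify_name(name, delegated=DELEGATED_TLDS, approved=APPROVED_NEW_GTLDS):
    """Classify one dNSName (wildcards allowed) as:
       'public'    - rightmost label is an already delegated TLD
       'collision' - an internal name whose rightmost label is an approved
                     new gTLD string; it must now be treated as public and
                     can no longer be issued as an internal name
       'internal'  - rightmost label matches no delegated or approved TLD
       'ip'        - an IP address literal, outside the scope of this check
    """
    try:
        ipaddress.ip_address(name)
        return "ip"
    except ValueError:
        pass
    label = rightmost_label(name)
    if label in delegated:
        return "public"
    if label in approved:
        return "collision"
    return "internal"


def screen_request(dns_names, delegated=DELEGATED_TLDS, approved=APPROVED_NEW_GTLDS):
    """Group the requested names by classification, preserving request order."""
    groups = {"public": [], "collision": [], "internal": [], "ip": []}
    for name in dns_names:
        groups[classify_name(name, delegated, approved)].append(name)
    return groups


def blocked_names(dns_names, delegated=DELEGATED_TLDS, approved=APPROVED_NEW_GTLDS):
    """Names that block issuance under the rule described above: internal
    names whose rightmost label is now an approved gTLD string."""
    return screen_request(dns_names, delegated, approved)["collision"]


if __name__ == "__main__":
    # Constructed request: one public name, two collisions, one internal name, one IP.
    request = ["www.example.com", "mail.example.corp", "*.intranet.bank",
               "fileserver", "10.0.0.1"]
    for kind, names in screen_request(request).items():
        print(f"{kind:10s} {names}")
```

Plain internal names are reported separately rather than refused, because this change only addresses names that collide with approved strings; whatever rules a CA already applies to internal names continue to apply to that group.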
The significant changes between version 1.1 and version 1.1.5 of the CA/Browser Forum's Baseline Requirements are the following additions and revisions:
- Document History
- Table of Relevant Compliance Dates
- BR 10.2.5, Subordinate CA Private Keys
- BR 11.1.3, Wildcard Domain Validation
- BR 11.1.4, New gTLD Domains
- BR 13.1.6, Reasons for Revoking a Subordinate CA Certificate
- BR 13.2.7, Certificate Suspension
- Appendix A, (4) General requirements for public keys
- Appendix B, (4) All Certificates
- Added DSA Key information to Appendix A
- Revised subject domainComponent language in BR #9.2.3
Immediate compliance with Baseline Requirement #11.1.4, regarding new gTLD domains, is of utmost importance.
Compliance with the other new BRs and changes in version 1.1.5 of the Baseline Requirements should be achieved as soon as possible, and before the beginning of the 2014 annual audit.
The status of all applied-for new gTLDs is public and can be consulted at https://gtldresult.icann.org/application-result/applicationstatus/viewstatus
Version 2.1 of Mozilla's CA Certificate Policy included updates to Audit Criteria and stated that issuance of certificates to be used for SSL-enabled servers must also conform to version 1.1 of the CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates. The dates that were provided for audits to include the BRs remain as stated, and it is understood that the audit criteria may not have been updated yet to include the changes in version 1.1.5 of the BRs.
Knowing or Intentional Mis-issuance of Certificates
Item #3 was added to the Enforcement section of Mozilla's CA Certificate Policy:
"3. Mozilla will take any steps we deem appropriate to protect our users if we learn that a CA has knowingly or intentionally mis-issued one or more certificates. This may include, but is not limited to, disablement (partially or fully) or removal of all of the CA's certificates from Mozilla's products. A certificate that includes domain names that have not been verified according to the CA/Browser Forum's Baseline Requirement #11.1.1 is considered to be mis-issued. A certificate that is intended to be used only as an end entity certificate but includes a keyUsage extension with values keyCertSign and/or cRLSign or a basicConstraints extension with the cA field set to true is considered to be mis-issued."
This policy clarification is immediately applicable to all currently valid certificates and all new certificates.
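The second mis-issuance condition in the quoted text is something a CA can test for directly in its issuance pipeline and in audits of already-issued certificates: decode the basicConstraints and keyUsage extensions and refuse an end-entity profile that asserts cA=TRUE, keyCertSign or cRLSign. The following is an added example, not Mozilla code, that does this with the standard library only; it works on the DER extnValue of each extension (as found in the certificate's Extensions sequence), and the two sample profiles at the bottom are constructed byte strings, not values from any real certificate.

```python
"""Check whether a certificate meant as an end-entity certificate carries the
CA-only extension values the policy text treats as mis-issuance. Added
example, not Mozilla code; it decodes the two extension values straight
from their DER encodings with the standard library only."""

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_KEY_USAGE = "2.5.29.15"

# KeyUsage bit numbers from RFC 5280 4.2.1.3; bit 0 is the most significant
# bit of the first content byte after the unused-bits count.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}


def der_tlv(buf, pos=0):
    """Decode the DER element at buf[pos:]; return (tag, contents, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past the end of the buffer")
    return tag, buf[pos:end], end


def decode_key_usage(der):
    """Return the set of asserted KeyUsage flag names."""
    tag, contents, _ = der_tlv(der)
    if tag != 0x03 or not contents:
        raise ValueError("KeyUsage must be a non-empty BIT STRING")
    unused, bits = contents[0], contents[1:]
    valid_bits = len(bits) * 8 - unused     # bits in the unused tail do not count
    flags = set()
    for name, i in KEY_USAGE_BITS.items():
        byte, bit = divmod(i, 8)
        if i < valid_bits and bits[byte] & (0x80 >> bit):
            flags.add(name)
    return flags


def decode_basic_constraints(der):
    """Return the cA flag. DER omits the BOOLEAN when it takes the DEFAULT FALSE."""
    tag, contents, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    pos = 0
    while pos < len(contents):
        t, v, pos = der_tlv(contents, pos)
        if t == 0x01:                       # BOOLEAN cA
            return v != b"\x00"
    return False


def end_entity_misissuance(extensions):
    """extensions maps a dotted OID to the DER extnValue of that extension.
    Returns the reasons a certificate intended only as an end-entity
    certificate counts as mis-issued under the policy text, [] if none."""
    reasons = []
    bc = extensions.get(OID_BASIC_CONSTRAINTS)
    if bc is not None and decode_basic_constraints(bc):
        reasons.append("basicConstraints cA=TRUE")
    ku = extensions.get(OID_KEY_USAGE)
    if ku is not None:
        flags = decode_key_usage(ku)
        reasons.extend(f"keyUsage {f}" for f in ("keyCertSign", "cRLSign") if f in flags)
    return reasons


# Constructed extension values (hex DER), not taken from any real certificate.
SERVER_PROFILE = {                          # digitalSignature + keyEncipherment, cA absent
    OID_BASIC_CONSTRAINTS: bytes.fromhex("3000"),
    OID_KEY_USAGE: bytes.fromhex("030205a0"),
}
CA_PROFILE_ON_LEAF = {                      # cA=TRUE, keyCertSign + cRLSign
    OID_BASIC_CONSTRAINTS: bytes.fromhex("30030101ff"),
    OID_KEY_USAGE: bytes.fromhex("03020106"),
}

if __name__ == "__main__":
    for label, exts in (("server", SERVER_PROFILE), ("leaf-with-CA-bits", CA_PROFILE_ON_LEAF)):
        print(label, end_entity_misissuance(exts) or "clean")
```

A certificate that omits basicConstraints entirely, or carries it with cA absent (DER drops a BOOLEAN at its DEFAULT value), is treated as cA=FALSE, which matches how the policy text is worded: only an asserted cA=TRUE or an asserted signing bit makes an end-entity certificate mis-issued.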
Clarification about policy and audit documentation
Item #6 of the Maintenance section of Mozilla's CA Certificate Policy was updated to clarify that a CA's root certificates may be disabled or removed if Mozilla does not have record of the CA's current audit and policy documentation.
This policy clarification is immediately applicable to all currently valid certificates and all new certificates. Additionally, Mozilla will be updating the publicly viewable spreadsheet of included root certificates to add a column indicating the date of the most recent audit statement.