136
edits
Changes
m
Certificate --> Certification Authority
Dear Certification Authority,
<br /><br />
Because 2018 has already generated some important news for Certificate Certification Authorities, we are sending this message to ensure that every CA in the Mozilla program is aware of the following current events and impending deadlines:
<br /><br />
1. On 9-January, the CA “Let’s Encrypt” disclosed a vulnerability in the ACME domain validation method known as TLS-SNI-01, which is an implementation of the more general method described in BR 3.2.2.4.10. [1] A subsequent vulnerability was disclosed on 11-January affecting the validation method described in BR 3.2.2.4.9. [2] Mozilla expects all CAs to be monitoring discussion in the mozilla.dev.security.policy forum and for any CA that employs either of these methods to disclose that fact on the list. From now on, Mozilla expects that CAs will not use these methods unless they have implemented and disclosed a mitigation for the vulnerabilities that have been discovered.
