136
edits
Changes
→January 2018 CA Communication: Added options for email-only roots
* We have never used these methods and our CP/CPS states that we do not use these methods of domain validation.
* We have disclosed our use of these methods of domain validation on the mozilla.dev.security.policy forum and have either stopped using them or implemented and disclosed a mitigation for the vulnerabilities that have been discovered.
* None of our root(s) are enabled for websites (SSL) in Mozilla products.
* Other (please describe below)
<br />
* We have active (not expired or revoked) certificates issued using these methods. We have reviewed our implementation for vulnerabilities and have reported our findings below.
* We have active (not expired or revoked) certificates issued using these methods. We will review our implementation for vulnerabilities and report our findings on the mozilla.dev.security.policy list by the date specified in the comments section below.
* None of our root(s) are enabled for websites (SSL) in Mozilla products.
<br />
On 17-March 2017, in ballot 193, the CA/Browser Forum set a deadline of 1-March 2018 after which newly-issued SSL certificates must not have a validity period greater than 825 days, and the re-use of validation information must be limited to 825 days. As with all other baseline requirements, Mozilla expects all CAs in the program to comply.
<br /><br />
* We never have, or will no longer issue SSL certificates with a validity period greater than 825 days after 1-March 2018* None of our root(s) are enabled for websites (SSL) in Mozilla products
<br /><br />
ACTION 6 COMMENTS
