CA/Root Store Policy Archive: Difference between revisions

Edited 2.8 discussion of Dec 2022 deadline for providing online all versions of CPs and CPSes
(→‎2.8: Added deadline of Dec. 31 2022 for uploading of CPs/CPSes)
(Edited 2.8 discussion of Dec 2022 deadline for providing online all versions of CPs and CPSes)
Line 14: Line 14:
*** New Section 6.1.1 - When a TLS server certificate is revoked for keyCompromise, privilegeWithdrawn, cessationOfOperation, affiliationChanged, or superseded, the CRLReason MUST be included in the reasonCode extension of the CRL entry corresponding to the end entity TLS certificate. If the certificate is revoked for a different or unspecified reason, then the reasonCode extension MUST NOT be provided in the CRL.
*** New Section 6.1.1 - When a TLS server certificate is revoked for keyCompromise, privilegeWithdrawn, cessationOfOperation, affiliationChanged, or superseded, the CRLReason MUST be included in the reasonCode extension of the CRL entry corresponding to the end entity TLS certificate. If the certificate is revoked for a different or unspecified reason, then the reasonCode extension MUST NOT be provided in the CRL.
**** The CA operator's subscriber agreement for TLS server certificates [[CA/Revocation_Reasons#Communication_to_Subscribers|must inform certificate subscribers about the revocation reason options]], and tools must be updated to enable certificate subscribers to specify these revocation reason options.
**** The CA operator's subscriber agreement for TLS server certificates [[CA/Revocation_Reasons#Communication_to_Subscribers|must inform certificate subscribers about the revocation reason options]], and tools must be updated to enable certificate subscribers to specify these revocation reason options.
** December 31, 2022: CA operators will need to have uploaded all older, available versions of their CPs and CPSes if more time is needed to conform to other requirements such as the Web Content Accessibility Guidelines (WCAG).
** December 31, 2022: CA operators will need to have uploaded all older (and available) versions of each CP and CPS (or CP/CPS), regardless of changes in ownership or control of the root CA, until the entire root CA certificate hierarchy operated in accordance with such documents is no longer trusted by the Mozilla root store.
** July 1, 2023: CAs SHALL NOT sign SHA-1 hashes over certificates with an EKU extension containing the id-kp-ocspSigning key purpose; intermediate certificates that chain up to roots in Mozilla's program; OCSP responses; or CRLs.
** July 1, 2023: CAs SHALL NOT sign SHA-1 hashes over certificates with an EKU extension containing the id-kp-ocspSigning key purpose; intermediate certificates that chain up to roots in Mozilla's program; OCSP responses; or CRLs.
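Review bot: In the December 31, 2022 bullet, the revised text removes the earlier qualifier "if more time is needed to conform to other requirements such as the Web Content Accessibility Guidelines (WCAG)", so the date now reads as an unconditional deadline rather than an extension; if that is the intent, state it outright so readers comparing revisions do not assume the extension still applies. The new parenthetical "(and available)" is also left undefined, and it would help to say who determines that an older CP or CPS version is unavailable.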

