
CA/Communications

2,783 bytes added, 21:05, 3 February 2023
Added Feb 2023 CA Communication
The following are communications that have been sent to Certification Authorities participating in [[CA|Mozilla's root program]]. If you have questions regarding these communications, please first review related discussions in the Mozilla dev-security-policy forum. If your questions cannot be answered in that forum, then please send email to certificates@mozilla.org.
 
 
== February 2023 CA Communication ==
 
Dear Certification Authority,
 
Mozilla’s Root Store Policy (MRSP) was recently updated to version 2.8.1 with an effective date of February 15, 2023, https://github.com/mozilla/pkipolicy/pull/265/files. Version 2.8.1 contains several clarifications and minor changes that may affect your organization. You need to be aware of these clarifications and changes to ensure your continued compliance with the MRSP. The following are summaries only of the actual language in the MRSP, and in the event of any conflicting interpretation, the MRSP takes precedence over these summaries:
 
* You are required to follow and be aware of discussions in both the Mozilla dev-security-policy forum, https://groups.google.com/a/mozilla.org/g/dev-security-policy, and the CCADB Public List, https://groups.google.com/a/ccadb.org/g/public;
* Your CP, CPS, or combined CP/CPS MUST clearly explain your CA’s domain validation procedures and indicate which subsection of section 3.2.2.4 of the CA/Browser Forum’s Baseline Requirements you are complying with;
* Your CP, CPS, or combined CP/CPS MUST be updated at least every 365 days (more often is expected), and it must be reported in the CCADB in a “timely manner”, and failure to do either of these things will require that you file an incident report in Bugzilla;
* You MUST maintain links to all historic versions of each CP, CPS, or combined CP/CPS from the creation of included CA certificates until such certificate hierarchies are no longer trusted by the Mozilla root store, and if your CA certificate was included by Mozilla before December 31, 2022, then you still must maintain links for “reasonably available historic versions” of your CPs, CPSes, or combined CP/CPSes; and
* In the CCADB, if you elect to publish a JSON array of partial CRLs (rather than the full CRL), then the JSON Array of Partitioned CRLs must contain a critical Issuing Distribution Point extension, which shall include a URI whose value is derived from either the URI as encoded in the distributionPoint field of an issued certificate's CRL Distribution Points extension (see RFC 5280 section 5.2.5) or the URL included in the "JSON Array of Partitioned CRLs" field in the CCADB entry corresponding to the certificate for the issuing CA.
 
Finally, participation in Mozilla's CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard user security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you very much for your continued cooperation in this pursuit.
 
Regards,
Ben Wilson
Mozilla CA Program Manager
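The last bullet of the February 2023 communication is the one a CA can verify mechanically: a partitioned CRL must carry a critical Issuing Distribution Point (IDP) extension whose URI is taken from the certificate's CRL Distribution Points extension or from the "JSON Array of Partitioned CRLs" field in the CCADB (RFC 5280, section 5.2.5). The script below is an added example written for this page; it is not Mozilla's code, not part of the communication, and not a CCADB tool. It assumes the pyca/cryptography library is installed, generates the issuing CA, an end-entity certificate and several CRLs in memory as constructed test data, and uses hypothetical URLs (crl.example.test) in place of a real CA's partition URLs. The check also verifies the CRL signature against the issuing CA key, which the policy text does not mention but any practical checker needs.

```python
"""Added example (not from Mozilla or the CA communication): check a partitioned
CRL against the critical Issuing Distribution Point requirement.

Assumptions: pyca/cryptography is installed; CA, certificate and CRLs are
constructed in memory; the URLs below are hypothetical."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Hypothetical CRL partition URLs, chosen for this example only.
CDP_URL = "http://crl.example.test/partition-01.crl"
OTHER_URL = "http://crl.example.test/partition-02.crl"


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca():
    """Self-signed issuing CA (constructed test data)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now())
        .not_valid_after(_now() + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_cert(ca_key, ca_cert, cdp_url):
    """End-entity certificate whose CRL Distribution Points extension names one partition."""
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(cdp_url)],
        relative_name=None, reasons=None, crl_issuer=None)])
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "leaf.example.test")]))
        .issuer_name(ca_cert.subject)
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now())
        .not_valid_after(_now() + datetime.timedelta(days=90))
        .add_extension(cdp, critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def build_crl(ca_key, ca_cert, idp_url=None, critical=True):
    """Partitioned CRL; idp_url=None omits the IDP extension so the check can fail."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(_now())
        .next_update(_now() + datetime.timedelta(days=7))
    )
    if idp_url is not None:
        idp = x509.IssuingDistributionPoint(
            full_name=[x509.UniformResourceIdentifier(idp_url)], relative_name=None,
            only_contains_user_certs=False, only_contains_ca_certs=False,
            only_some_reasons=None, indirect_crl=False, only_contains_attribute_certs=False)
        builder = builder.add_extension(idp, critical=critical)
    return builder.sign(ca_key, hashes.SHA256())


def check_partitioned_crl(crl, cert, ca_cert, ccadb_urls=()):
    """Return (ok, reason). Passes only if the CRL is signed by the issuing CA,
    carries a *critical* IDP extension, and one IDP URI equals a URI from the
    certificate's CRL Distribution Points or from the CCADB list the caller passes."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False, "CRL signature does not verify with the issuing CA key"
    try:
        idp_ext = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint)
    except x509.ExtensionNotFound:
        return False, "CRL has no Issuing Distribution Point extension"
    if not idp_ext.critical:
        return False, "Issuing Distribution Point extension is not critical"
    idp_uris = {n.value for n in (idp_ext.value.full_name or [])
                if isinstance(n, x509.UniformResourceIdentifier)}
    if not idp_uris:
        return False, "Issuing Distribution Point extension carries no URI"
    allowed = set(ccadb_urls)  # URLs from the CCADB "JSON Array of Partitioned CRLs" field
    try:
        for dp in cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value:
            for n in dp.full_name or []:
                if isinstance(n, x509.UniformResourceIdentifier):
                    allowed.add(n.value)
    except x509.ExtensionNotFound:
        pass
    if not idp_uris & allowed:
        return False, "IDP URI %s matches neither the certificate CDP nor the CCADB entry" % sorted(idp_uris)
    return True, "ok"


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    leaf = issue_cert(ca_key, ca_cert, CDP_URL)
    print("good CRL:", check_partitioned_crl(build_crl(ca_key, ca_cert, CDP_URL), leaf, ca_cert))
    print("non-critical IDP:", check_partitioned_crl(build_crl(ca_key, ca_cert, CDP_URL, critical=False), leaf, ca_cert))
```

To run this against real artifacts, replace the constructed objects with `x509.load_der_x509_crl`, `x509.load_pem_x509_certificate` and the issuing CA certificate, and pass the URLs from the CA's CCADB record as `ccadb_urls`; a CRL that fails any branch of the check is one the policy summary above would treat as non-compliant.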
 
 
== May 2022 CA Communication and Survey ==