Confirmed users
510
edits
CA/Communications: Difference between revisions
m
→February 2025 CA Communication and Survey: minor edits
(Added Feb 2023 CA Communication) |
m (→February 2025 CA Communication and Survey: minor edits) |
||
| (13 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
The following are communications that have been sent to Certification Authorities participating in [[CA | Mozilla's root program.]] If you have questions regarding these communications, please first review related discussions in the Mozilla dev-security-policy forum. If your questions cannot be answered in that forum, then please send email to certificates@mozilla.org. | The following are communications that have been sent to Certification Authorities participating in [[CA | Mozilla's root program.]] If you have questions regarding these communications, please first review related discussions in the Mozilla dev-security-policy forum. If your questions cannot be answered in that forum, then please send email to certificates@mozilla.org. | ||
== February 2025 CA Communication and Survey == | |||
'''Communication:''' | |||
Dear Certification Authority Operator, | |||
As part of Mozilla's commitment to maintaining a secure and transparent Web PKI ecosystem, we are finalizing amendments to the Mozilla Root Store Policy (MRSP), version 3.0, which we plan to publish soon with an effective date of March 1, 2025. https://github.com/mozilla/pkipolicy/blob/3.0/rootstore/policy.md | |||
To ensure the policy meets its objectives while addressing CA concerns, we invite CA operators to review the proposed changes and provide feedback via a short survey. This communication and survey aim to ensure that CA operators are aware of and prepared to comply with the upcoming policy updates. | |||
CAs are expected to comply, without exception, with the MRSP, and to ensure ongoing compliance, CAs should carefully review this policy and the changes in MRSP v.3.0. These changes have been discussed on the Mozilla dev-security-policy list. CAs that did not participate in such discussions or that have not yet reviewed those conversations should also read them to reduce the chance of confusion or misinterpretation. In accordance with MRSP § 4.2, CA operators are required to respond to the questions in the survey on or before 1:00 UTC, Saturday, February 15, 2025. | |||
Results will be reviewed by Mozilla and may be shared publicly to inform us regarding these and future changes to the MRSP. | |||
Survey Link: Redacted | |||
For questions, concerns, or issues related to this survey, please email certificates@mozilla.org. | |||
Thanks, | |||
Ben Wilson | |||
Mozilla CA Program | |||
'''Survey Responses:''' | |||
https://docs.google.com/spreadsheets/d/1Wjf7jFvI4C2MC1wBRrGT9MqFL_uKOiFBniz_IG-mHKg/edit?usp=sharing | |||
== August 2023 CA Communication and Survey == | |||
'''Communication and Survey:''' | |||
https://docs.google.com/document/d/1ieXSt3rJyOSopJnDp4wFGSugpk6pt5pJFJ55rkpb6Ks/edit?usp=sharing | |||
The purpose of this communication and survey is to ensure that CA operators are aware of and prepared to comply with changes to the Mozilla Root Store Policy (MRSP), which we plan to publish soon as version 2.9 with an effective date of September 1, 2023. | |||
The most significant changes to v2.9 of MRSP are: | |||
# Retirement of Older Root CA Certificates | |||
#* https://wiki.mozilla.org/CA/Root_CA_Lifecycles | |||
# Compliance with the CABF’s S/MIME BRs | |||
#* https://wiki.mozilla.org/CA/Transition_SMIME_BRs | |||
# Security Vulnerability Reporting | |||
#* https://wiki.mozilla.org/CA/Vulnerability_Disclosure | |||
# Removed duplication with CCADB Policy regarding Audit Requirements | |||
#* https://www.ccadb.org/policy | |||
# Annual Submission of CCADB Compliance Self-Assessment | |||
#* https://www.ccadb.org/cas/self-assessment | |||
# Elimination of SHA-1 | |||
'''Survey Responses:''' | |||
https://docs.google.com/spreadsheets/d/1xJ6VRs2R0tw3-QHoIRzIIO8MWWoqNs576KOxPKYsp3w/edit?usp=sharing | |||
== February 2023 CA Communication == | == February 2023 CA Communication == | ||
| Line 19: | Line 70: | ||
Ben Wilson | Ben Wilson | ||
Mozilla CA Program Manager | Mozilla CA Program Manager | ||
== May 2022 CA Communication and Survey == | == May 2022 CA Communication and Survey == | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommunicationSurveySample?CACommunicationId=a058Z000013UmsDQAS Read-only copy of May 2022 CA Communication and Survey] | ||
** This link is '''Read Only'''. To submit your responses, you must [http://ccadb.org/cas/ login to the CCADB], click on the 'CA | ** This link is '''Read Only'''. To submit your responses, you must [http://ccadb.org/cas/ login to the CCADB], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'May 2022 CA Communication and Survey' survey. | ||
** Make sure you click on the ''''Submit'''' button at the bottom of the survey, and '''make sure you get a 'survey submitted' response''' -- there are required fields. | ** Make sure you click on the ''''Submit'''' button at the bottom of the survey, and '''make sure you get a 'survey submitted' response''' -- there are required fields. | ||
| Line 31: | Line 81: | ||
The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)]. | The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)]. | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00160,Q00161 Responses to Item 1] -- Compliance with MRSP v. 2.8 | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00162,Q00163 Responses to Item 2] -- "Incidents" include audit findings | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00164,Q00165 Responses to Item 3] -- Auditor membership in ACAB'c and WebTrust | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00166,Q00167,Q00168 Responses to Item 4] -- Online Archival of CPs and CPSes | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00169,Q00170 Responses to Item 5] -- Full CRLs for Intermediate TLS CAs in CCADB | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00171,Q00172 Responses to Item 6.1] -- Sunsetting of SHA1 for S/MIME Certificates | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00173,Q00174 Responses to Item 6.2] -- Sunsetting of SHA1 for Other Types of Signing | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00175,Q00176 Responses to Item 7] -- Publicly Disclose Intermediate CA Certificates capable of Issuing TLS or S/MIME | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00177,Q00178 Responses to Item 8] -- Misissuance of Certificate Transparency Precertificates | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00179,Q00180,Q00181 Responses to Item 9] -- CRL Revocation Reasons for TLS Certificates | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00182,Q00183 Responses to Item 10] -- Public Review of Unconstrained Externally-Operated Subordinate CAs | ||
== February 2022 CA Communication == | == February 2022 CA Communication == | ||
| Line 62: | Line 112: | ||
== April 2021 CA Communication == | == April 2021 CA Communication == | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommunicationSurveySample?CACommunicationId=a054o00000EL1Fo Read-only copy of April 2021 CA Communication] | ||
** This link is '''Read Only'''. To submit your response, you must [http://ccadb.org/cas/ login to the CCADB], click on the ' | ** This link is '''Read Only'''. To submit your response, you must [http://ccadb.org/cas/ login to the CCADB], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'April 2021 CA Communication' survey. | ||
** Make sure you click on the ''''Submit'''' button at the bottom of the survey, and '''make sure you get a 'survey submitted' response''' -- there are required fields. | ** Make sure you click on the ''''Submit'''' button at the bottom of the survey, and '''make sure you get a 'survey submitted' response''' -- there are required fields. | ||
| Line 73: | Line 123: | ||
Please review version 2.7.1 of [https://www.mozilla.org/projects/security/certs/policy/ Mozilla’s Root Store Policy] internally, and with your auditors as well. After you and your auditors have reviewed these new requirements, complete the April 2021 survey via the Common CA Database (CCADB). This survey also contains information regarding other recent and upcoming changes that may affect your practices. Read all survey questions first before beginning to respond. | Please review version 2.7.1 of [https://www.mozilla.org/projects/security/certs/policy/ Mozilla’s Root Store Policy] internally, and with your auditors as well. After you and your auditors have reviewed these new requirements, complete the April 2021 survey via the Common CA Database (CCADB). This survey also contains information regarding other recent and upcoming changes that may affect your practices. Read all survey questions first before beginning to respond. | ||
<br><br> | <br><br> | ||
To respond to this survey, [https://ccadb.org/cas/ log in to the CCADB], click on the ' | To respond to this survey, [https://ccadb.org/cas/ log in to the CCADB], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'April 2021 CA Communication' survey. All CAs with root certificates included in Mozilla’s root store must submit their responses by 30-April-2021. | ||
<br><br> | <br><br> | ||
A compiled list of CA responses to the survey will be [https://wiki.mozilla.org/CA/Communications automatically and immediately published] by the CCADB system. | A compiled list of CA responses to the survey will be [https://wiki.mozilla.org/CA/Communications automatically and immediately published] by the CCADB system. | ||
| Line 86: | Line 136: | ||
The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)]. | The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)]. | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00129,Q00142 Responses to Item 1] -- Review Version 2.7.1 of Mozilla's Root Store Policy | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00131,Q00149,Q00143 Responses to Item 2] -- 398-day reuse period on domain/IP address validation | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00132,Q00144 Responses to Item 3] -- Clarification about EV Audit Requirements | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00133,Q00145 Responses to Item 4] -- Annual Audit Covering the CA Key Pair Lifecycle | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00136,Q00146 Responses to Item 5] -- Audit Team Qualifications | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00137,Q00147 Responses to Item 6] -- List of Incidents in Audit Reports | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00140,Q00150,Q00148 Responses to Item 7] -- Methods to Demonstrate Key Compromise | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00141,Q00157,Q00159 Responses to Item 8] -- Removal of Old Root CA Certificates (challenges and alternatives) | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00156,Q00151,Q00158 Responses to Item 8 timelines] -- Timelines and strategies to replace old, non-BR compliant CA hierarchies and root certificates | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00152,Q00155,Q00153 Responses to Item 9] -- Audit Letter Validation on Intermediate Certificates | ||
== May 2020 CA Communication == | == May 2020 CA Communication == | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommunicationSurveySample?CACommunicationId=a051J000042AUSv Read-only copy of May 2020 CA Communication] | ||
** CAs: This link is '''Read Only'''. To submit your response, you must [http://ccadb.org/cas/ login to the CCADB], click on the 'CA | ** CAs: This link is '''Read Only'''. To submit your response, you must [http://ccadb.org/cas/ login to the CCADB], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'May 2020 CA Communication' survey. Make sure you click on the ''''Submit'''' button at the bottom of the survey, and '''make sure you get a good 'survey submitted' response''' -- there are required fields. | ||
<br /> | <br /> | ||
Dear Certification Authority, | Dear Certification Authority, | ||
| Line 105: | Line 155: | ||
<br>This survey requests your input on current policy and upcoming policy changes that affect you as a participant in Mozilla's CA Certificate Program. | <br>This survey requests your input on current policy and upcoming policy changes that affect you as a participant in Mozilla's CA Certificate Program. | ||
<br> | <br> | ||
<br>To respond to this survey, [http://ccadb.org/cas/ login to the CCADB], click on the 'CA | <br>To respond to this survey, [http://ccadb.org/cas/ login to the CCADB], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'May 2020 CA Communication' survey. All CAs with root certificates included in Mozilla’s root store must submit their responses by 31-May 2020. | ||
<br> | <br> | ||
<br>A compiled list of CA responses to the survey will be [https://wiki.mozilla.org/CA/Communications automatically and immediately published] by the CCADB system. | <br>A compiled list of CA responses to the survey will be [https://wiki.mozilla.org/CA/Communications automatically and immediately published] by the CCADB system. | ||
| Line 118: | Line 168: | ||
The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)]. | The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)]. | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J000042AUSv&QuestionId=Q00099,Q00100 Responses to Item 1] -- Impact of COVID-19 Restrictions | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J000042AUSv&QuestionId=Q00101,Q00102, Responses to Item 2] -- Mozilla Root Store Policy version 2.7 Requirements and Deadlines | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J000042AUSv&QuestionId=Q00103,Q00104 Responses to Item 3] -- Reducing Maximum Validity Period for TLS Certificates | ||
** [https://ccadb | ** [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J000042AUSv&QuestionId=Q00105,Q00106,Q00107 Responses to Sub Item 3.1] -- Limit TLS Certificates to 398-day validity | ||
** [https://ccadb | ** [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J000042AUSv&QuestionId=Q00108,Q00109,Q00110 Responses to Sub Item 3.2] -- Limit re-use of domain name and IP address verification to 398 days | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J000042AUSv&QuestionId=Q00111,Q00112 Responses to Item 4] -- CA/Browser Forum Ballot for Browser Alignment | ||
** [https://ccadb | ** [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J000042AUSv&QuestionId=Q00113,Q00114,Q00115 Responses to Sub Item 4.1] -- CA/Browser Forum defined-policy OID in Subscriber Cert certificatePolicies | ||
** [https://ccadb | ** [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J000042AUSv&QuestionId=Q00116,Q00117,Q00118 Responses to Sub Item 4.2] -- Byte-for-byte Identical Issuer and Subject Distinguished Names | ||
** [https://ccadb | ** [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J000042AUSv&QuestionId=Q00119,Q00120,Q00121 Responses to Sub Item 4.3] -- Text-searchable PDF Audit Statements | ||
** [https://ccadb | ** [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J000042AUSv&QuestionId=Q00122,Q00123,Q00124 Responses to Sub Item 4.4] -- OCSP Requirements | ||
== January 2020 CA Communication == | == January 2020 CA Communication == | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommunicationSurveySample?CACommunicationId=a051J00003waNOW Read-only copy of January 2020 CA Communication] | ||
** CAs: This link is '''Read Only'''. To submit your response, you must [http://ccadb.org/cas/ login to the CCADB], click on the 'CA | ** CAs: This link is '''Read Only'''. To submit your response, you must [http://ccadb.org/cas/ login to the CCADB], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'January 2020 CA Communication' survey. Make sure you click on the ''''Submit'''' button at the bottom of the survey, and '''make sure you get a good 'survey submitted' response''' -- there are required fields. | ||
<br /> | <br /> | ||
Dear Certification Authority, | Dear Certification Authority, | ||
| Line 139: | Line 189: | ||
<br>As a participant in Mozilla's CA Certificate Program, this survey requires that you answer a set of questions. | <br>As a participant in Mozilla's CA Certificate Program, this survey requires that you answer a set of questions. | ||
<br> | <br> | ||
<br>To respond to this survey, [https://ccadb.org/cas/ log in to the Common CA Database (CCADB)], click on the 'CA | <br>To respond to this survey, [https://ccadb.org/cas/ log in to the Common CA Database (CCADB)], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the ‘January 2020 CA Communication' survey. Please enter your response by 31 January 2020. | ||
<br> | <br> | ||
<br>A compiled list of CA responses to the survey action items will be [https://wiki.mozilla.org/CA/Communications automatically and immediately published] by the CCADB system. | <br>A compiled list of CA responses to the survey action items will be [https://wiki.mozilla.org/CA/Communications automatically and immediately published] by the CCADB system. | ||
| Line 153: | Line 203: | ||
The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)]. | The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)]. | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003waNOW&QuestionId=Q00082,Q00083 Responses to Action 1] -- Review Mozilla Root Store Policy | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003waNOW&QuestionId=Q00084,Q00085,Q00098 Responses to Action 2] -- Update CP/CPS | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003waNOW&QuestionId=Q00086,Q00087,Q00097 Responses to Action 3] -- Include EKUs in All End-entity Certificates | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003waNOW&QuestionId=Q00088,Q00089 Responses to Action 4] -- Ensure Audit Reports are Properly Formatted | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003waNOW&QuestionId=Q00090,Q00096,Q00091 Responses to Action 5] -- Resolve Audit Issues with Intermediate Certificates | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003waNOW&QuestionId=Q00092,Q00093 Responses to Action 6] -- Incident Reporting | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003waNOW&QuestionId=Q00094,Q00095 Responses to Action 7] -- Compliance with BRs | ||
== November 2018 CA Communication (Underscores in dNSNames) == | == November 2018 CA Communication (Underscores in dNSNames) == | ||
| Line 201: | Line 251: | ||
== September 2018 CA Communication == | == September 2018 CA Communication == | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommunicationSurveySample?CACommunicationId=a051J00003rMGLL Read-only copy of September 2018 CA Communication] | ||
** CAs: This link is '''Read Only'''. To submit your response, you must [http://ccadb.org/cas/ login to the CCADB], click on the 'CA | ** CAs: This link is '''Read Only'''. To submit your response, you must [http://ccadb.org/cas/ login to the CCADB], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'September 2018 CA Communication' survey. Make sure you click on the ''''Submit'''' button at the bottom of the survey, and '''make sure you get a good 'survey submitted' response''' -- there are required fields. | ||
<br /> | <br /> | ||
Dear Certification Authority, | Dear Certification Authority, | ||
| Line 210: | Line 260: | ||
<br>As a participant in Mozilla's CA Certificate Program, this survey requires that you answer a set of questions. | <br>As a participant in Mozilla's CA Certificate Program, this survey requires that you answer a set of questions. | ||
<br> | <br> | ||
<br>To respond to this survey, [https://ccadb.org/cas/ log in to the Common CA Database (CCADB)], click on the 'CA | <br>To respond to this survey, [https://ccadb.org/cas/ log in to the Common CA Database (CCADB)], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the ‘September 2018 CA Communication' survey. Please enter your response by 30-September 2018. | ||
<br> | <br> | ||
<br>A compiled list of CA responses to the survey action items will be [https://wiki.mozilla.org/CA/Communications automatically and immediately published] by the CCADB system. | <br>A compiled list of CA responses to the survey action items will be [https://wiki.mozilla.org/CA/Communications automatically and immediately published] by the CCADB system. | ||
| Line 224: | Line 274: | ||
The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)]. | The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)]. | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003rMGLL&QuestionId=Q00068,Q00069 Responses to Action 1] -- Review Mozilla Root Store Policy | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003rMGLL&QuestionId=Q00070,Q00071 Responses to Action 2] -- Update CP/CPS | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003rMGLL&QuestionId=Q00072,Q00073 Responses to Action 3] -- Transition to Separate Intermediate Certificates for SSL and S/MIME | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003rMGLL&QuestionId=Q00074,Q00075 Responses to Action 4] -- Ensure Audit Reports comply with Mozilla’s Root Store Policy | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003rMGLL&QuestionId=Q00076,Q00077 Responses to Action 5] -- Discontinue use of BR Validation Methods 3.2.2.4.1 and 3.2.2.4.5 | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003rMGLL&QuestionId=Q00078,Q00079 Responses to Action 6] -- Disclose Intermediate Certificates | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003rMGLL&QuestionId=Q00080,Q00081 Responses to Action 7] -- Submit TLS Certificates to CT Logs for Mozilla's CRLite | ||
== January 2018 CA Communication == | == January 2018 CA Communication == | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommunicationSurveySample?CACommunicationId=a051J00003mqMFN Read-only copy of January 2018 CA Communication] | ||
** CAs: This link is '''Read Only'''. To submit your response, you must [http://ccadb.org/cas/ login to the CCADB], click on the 'CA | ** CAs: This link is '''Read Only'''. To submit your response, you must [http://ccadb.org/cas/ login to the CCADB], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'January 2018 CA Communication' survey. Make sure you click on the ''''Submit'''' button at the bottom of the survey, and '''make sure you get a good 'survey submitted' response''' -- there are required fields. | ||
<br /> | <br /> | ||
Dear Certification Authority, | Dear Certification Authority, | ||
| Line 248: | Line 298: | ||
This survey requests a set of actions on your behalf, as a participant in Mozilla's CA Certificate Program. | This survey requests a set of actions on your behalf, as a participant in Mozilla's CA Certificate Program. | ||
<br /><br /> | <br /><br /> | ||
To respond to this survey, login to the Common CA Database (CCADB), click on the 'CA | To respond to this survey, login to the Common CA Database (CCADB), then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'January 2018 CA Communication' survey. Please enter your response by 9-February 2018. | ||
<br /><br /> | <br /><br /> | ||
A compiled list of CA responses to the survey action items will be automatically and immediately published by the CCADB system. | A compiled list of CA responses to the survey action items will be automatically and immediately published by the CCADB system. | ||
| Line 262: | Line 312: | ||
The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)]. | The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)]. | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mqMFN&QuestionId=Q00056,Q00057 Responses to Action 1] -- Disclose Use of Methods 3.2.2.4.9 or 3.2.2.4.10 for Domain Validation | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mqMFN&QuestionId=Q00058,Q00059 Responses to Action 2] -- Disclose Use of Methods 3.2.2.4.1 or 3.2.2.4.5 for Domain Validation | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mqMFN&QuestionId=Q00060,Q00061 Responses to Action 3] -- Disclose All Non-Technically-Constrained Subordinate CA Certificates | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mqMFN&QuestionId=Q00062,Q00063 Responses to Action 4] -- Complete BR Self Assessment | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mqMFN&QuestionId=Q00064,Q00065 Responses to Action 5] -- Update CP/CPS to Comply with version 2.5 of Mozilla Root Store Policy | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mqMFN&QuestionId=Q00066,Q00067 Responses to Action 6] -- Reduce SSL Certificate Validity Periods to 825 Days or Less by March 1, 2018 | ||
== November 2017 CA Communication == | == November 2017 CA Communication == | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommunicationSurveySample?CACommunicationId=a051J00003mogw7 Read-only copy of November 2017 CA Communication] | ||
** CAs: This link is '''Read Only'''. To submit your response, you must [http://ccadb.org/cas/ login to the CCADB], click on the 'CA | ** CAs: This link is '''Read Only'''. To submit your response, you must [http://ccadb.org/cas/ login to the CCADB], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'November 2017 CA Communication' survey. Make sure you click on the ''''Submit'''' button at the bottom of the survey, and '''make sure you get a good 'survey submitted' response''' -- there are required fields. | ||
Dear Certification Authority, | Dear Certification Authority, | ||
| Line 283: | Line 333: | ||
This survey requests a set of actions on your behalf, as a participant in [[CA|Mozilla's CA Certificate Program]]. | This survey requests a set of actions on your behalf, as a participant in [[CA|Mozilla's CA Certificate Program]]. | ||
To respond to this survey, login to the [http://ccadb.org/cas Common CA Database (CCADB)], click on the 'CA | To respond to this survey, login to the [http://ccadb.org/cas Common CA Database (CCADB)], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'November 2017 CA Communication' survey. Please enter your response by December 15, 2017. | ||
A compiled list of CA responses to the survey action items will be [[CA/Communications|automatically and immediately published]] by the CCADB system. | A compiled list of CA responses to the survey action items will be [[CA/Communications|automatically and immediately published]] by the CCADB system. | ||
| Line 297: | Line 347: | ||
The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)]. | The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)]. | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mogw7&QuestionId=Q00035,Q00036 Responses to Action 1] -- Full compliance with version 2.5 of [https://www.mozilla.org/about/governance/policies/security-group/certs/policy Mozilla's Root Store Policy] | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mogw7&QuestionId=Q00037,Q00044 Responses to Action 2] -- non-technically-constrained intermediate certificates must be [http://ccadb.org/cas/intermediates disclosed in CCADB] within one week of creation. '''New requirements''' for [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#technically-constrained technical constraints on intermediate certificates issuing S/MIME certificates]. | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mogw7&QuestionId=Q00038,Q00045 Responses to Action 3] -- Annual updates via [http://ccadb.org/cas/updates CCADB Audit Cases] | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mogw7&QuestionId=Q00050,Q00051 Responses to Action 4] -- Reiterate [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#audit-parameters audit requirements] and '''penalty for incomplete audit statements''' | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mogw7&QuestionId=Q00039,Q00046 Responses to Action 5] -- Perform a [[CA/BR_Self-Assessment|BR Self Assessment]] | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mogw7&QuestionId=Q00042,Q00048 Responses to Action 6] -- Provide tested email address for [https://ccadb.my.salesforce-sites.com/mozilla/CAInformationReport Problem Reporting Mechanism] | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mogw7&QuestionId=Q00040,Q00047 Responses to Action 7] -- Follow new developments and effective dates for [http://tools.ietf.org/html/rfc6844 Certification Authority Authorization (CAA)] | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mogw7&QuestionId=Q00052,Q00053 Responses to Action 8] -- Check [https://groups.google.com/d/msg/mozilla.dev.security.policy/4kj8Jeem0EU/GvqsgIzSAAAJ issuance of certs to .tg domains] from October 25 to November 11, 2017. | ||
== May 2017 - Announcing CCADB Changes == | == May 2017 - Announcing CCADB Changes == | ||
| Line 358: | Line 408: | ||
Note: The deadline to reply to this survey has [https://groups.google.com/d/msg/mozilla.dev.security.policy/03rdTdnm7iw/NQUHmWOcEAAJ been extended] by one week, to May 5, 2017. | Note: The deadline to reply to this survey has [https://groups.google.com/d/msg/mozilla.dev.security.policy/03rdTdnm7iw/NQUHmWOcEAAJ been extended] by one week, to May 5, 2017. | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommunicationSurveySample?CACommunicationId=a05o000003WrzBC Read-only copy of April 2017 CA Communication] | ||
** CAs: This link is '''Read Only'''. To submit your response, you must [https://ccadb.force.com/CustomLogin login to the CCADB], click on the 'CA | ** CAs: This link is '''Read Only'''. To submit your response, you must [https://ccadb.force.com/CustomLogin login to the CCADB], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'April 2017 CA Communication' survey. Make sure you click on the 'Submit' button at the bottom of the survey, and make sure you get a good 'survey submitted' response -- there are required fields. | ||
Dear Certification Authority, | Dear Certification Authority, | ||
| Line 365: | Line 415: | ||
This survey requests a set of actions on your behalf, as a participant in [[CA:IncludedCAs|Mozilla's CA Certificate Program]]. | This survey requests a set of actions on your behalf, as a participant in [[CA:IncludedCAs|Mozilla's CA Certificate Program]]. | ||
To respond to this survey, [https://mozillacacommunity.force.com/CustomLogin login to the Common CA Database (CCADB)], click on the 'CA | To respond to this survey, [https://mozillacacommunity.force.com/CustomLogin login to the Common CA Database (CCADB)], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'April 2017 CA Communication' survey. Please enter your response by April 28, 2017. | ||
A compiled list of CA responses to the survey action items will be automatically and immediately published by the CCADB system. | A compiled list of CA responses to the survey action items will be automatically and immediately published by the CCADB system. | ||
| Line 381: | Line 431: | ||
The reports in the following links are automatically generated from data in the [[CA:CommonCADatabase|Common CA Database]]. | The reports in the following links are automatically generated from data in the [[CA:CommonCADatabase|Common CA Database]]. | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00015,Q00030 Responses to Action 1] -- Domain Validation | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00016,Q00025 Responses to Action 2 and Action 10] -- Yearly CP/CPS Updates, Test Tools | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00022,Q00029 Responses to Action 3] -- Updated Mozilla CA Certificate Policy | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00017,Q00031 Responses to Action 4] -- Audit Statements, annual updates | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00018,Q00032 Responses to Action 5] -- Audit Statement Contents | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00021,Q00033 Responses to Action 6] -- Qualified Audit Statements | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00019 Responses to Action 7] -- BR Compliance Bugs | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommRespWithTextAndTotalsReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00020&QuestionIdForText=Q00026 Responses to Action 8] -- Confirm Completion of Previous Commitments | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00027 Responses to Action 9] -- Registration Authorities | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00016,Q00025 Responses to Action 10 and Action 2] -- Yearly CP/CPS Updates, Test Tools | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00023 Responses to Action 11] -- Certification Authority Authorization (CAA) | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00028 Responses to Action 12] -- Problem Reporting Mechanism | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00024 Responses to Action 13] -- SHA-1 and S/MIME | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00034 Responses to Action 14] -- Certificate Validity Periods in TLS/SSL Certs | ||
== March 2016 == | == March 2016 == | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommunicationSurveySample?CACommunicationId=a05o000000iHdtx Read-only copy of March 2016 CA Communication] | ||
Dear Certification Authority, | Dear Certification Authority, | ||
| Line 404: | Line 454: | ||
This survey requests a set of actions on your behalf, as a participant in Mozilla's CA Certificate Program, by April 22, 2016. | This survey requests a set of actions on your behalf, as a participant in Mozilla's CA Certificate Program, by April 22, 2016. | ||
To respond to this survey, please login to the [[CA:SalesforceCommunity|CA Community in Salesforce]], click on the 'CA | To respond to this survey, please login to the [[CA:SalesforceCommunity|CA Community in Salesforce]], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'March 2016 CA Communication' survey. Please enter your response by April 22, 2016. | ||
A compiled list of CA responses to the survey action items will be [[CA:Communications#March_2016_Responses|automatically and immediately published]] by Salesforce. | A compiled list of CA responses to the survey action items will be [[CA:Communications#March_2016_Responses|automatically and immediately published]] by Salesforce. | ||
| Line 420: | Line 470: | ||
The following links are automatically generated from data in the [[CA:SalesforceCommunity|CA Community in Salesforce]]. | The following links are automatically generated from data in the [[CA:SalesforceCommunity|CA Community in Salesforce]]. | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommSummaryReport?CommunicationID=a05o000000iHdtx CA Responses to March 2016 CA Communication] | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000000iHdtx&QuestionId=Q00001,Q00013 Responses to Action #1a] -- SHA-1 Deprecation dates | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000000iHdtx&QuestionId=Q00002,Q00014 Responses to Action #1b] -- SHA-1 Deprecation dates | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommRespWithTextAndTotalsReport?CommunicationId=a05o000000iHdtx&QuestionId=Q00010&QuestionIdForText=Q00011 Responses to Action #1c] -- SHA-1 Deprecation | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000000iHdtx&QuestionId=Q00004 Responses to Action #2] -- Entering intermediate certificate data into the CA Community in Salesforce | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000000iHdtx&QuestionId=Q00005 Responses to Action #3] -- Entering revoked intermediate certificate data into the CA Community in Salesforce | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommRespWithTextAndTotalsReport?CommunicationId=a05o000000iHdtx&QuestionId=Q00006&QuestionIdForText=Q00007 Responses to Action #4] -- [[SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix|Removing workarounds]] to compatibility issues that were encountered involving certificates that did not conform to the Baseline Requirements. | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000000iHdtx&QuestionId=Q00008 Responses to Action #5] -- Plans to remove old/retired root certificates | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000000iHdtx&QuestionId=Q00009 Responses to Action #6] -- Confirmation of understanding that all certificates, including test certificates, must conform to stated policies | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000000iHdtx&QuestionId=Q00012 Responses to Action #7] -- [[CA:RootTransferPolicy|Mozilla's Root Transfer Policy]] | ||
== May 2015 == | == May 2015 == | ||
| Line 440: | Line 490: | ||
Your Survey Link: | Your Survey Link: | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/TakeSurvey?id=a04o000000M89RCAAZ&cId=&caId=none Survey Link] -- '''IMPORTANT: CA's do NOT use the link in this wiki page! This link will NOT record your response. Please use the link that was emailed to you.''' | ||
Please use the above link to read and respond to the action items. Note that you may access the above link multiple times to update your responses. | Please use the above link to read and respond to the action items. Note that you may access the above link multiple times to update your responses. | ||
| Line 456: | Line 506: | ||
=== May 2015 Responses === | === May 2015 Responses === | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CommunicationSummaryReport?CommunicationId=a04o000000M89RCAAZ CA Responses to May 2015 CA Communication] | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CommunicationActionOptionResponse?CommunicationId=a04o000000M89RCAAZ&Question=ACTION%20%233:%20After%20January%201,%202016 Responses to Action #3] -- SHA-1 Deprecation Plans | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CommunicationActionOptionResponse?CommunicationId=a04o000000M89RCAAZ&Question=ACTION%20%234:%20Workarounds%20were%20implemented Responses to Action #4] -- Removing workarounds implemented to allow mozilla::pkix to handle the things listed here https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix. | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/Surveys/CommunicationActionOptionResponse?CommunicationId=a04o000000M89RCAAZ&Question=ACTION%20%235:%20We%20wish%20to%20understand%20what%20support Responses to Action #5] -- IPv6 survey | ||
== May 2014 == | == May 2014 == | ||