All,

Next week I expect to have a better capability for sending notification emails 
to CAs. The first email I would like to try this new tool on is regarding the 
CAs who have not disclosed all of their non-technically-constrained 
intermediate certificates in the CA Community in Salesforce (aka Common CA 
Database).

Those CAs may be seen in the table here:
https://crt.sh/mozilla-disclosures#undisclosedsummary
I will appreciate your thoughtful and constructive feedback on the following 
draft of the email.

~~
Subject: ACTION REQUIRED: Non-Disclosed non-technically-constrained 
Intermediate Certs

Dear Certification Authority,

You are receiving this email because our records indicate that there are 
non-technically-constrained intermediate certificates that chain up to your 
root certificates that are included in Mozilla’s program that have not been 
entered into the CA Community in Salesforce. Please complete this requirement 
by November 14, 2016. Soon after that date, Mozilla will begin discussions in 
the mozilla.dev.security.policy forum about action to take for any remaining 
non-disclosed non-technically-constrained intermediate certificates and the CAs 
who are responsible for those CA hierarchies.

The following was stated in Mozilla’s March 2016 CA Communication 
(https://wiki.mozilla.org/CA:Communications#March_2016):

Beginning with Version 2.1 of Mozilla's CA Certificate Policy, for any 
certificate which directly or transitively chains to the root certificates you 
currently have included in Mozilla's CA Certificate Program, which are capable 
of being used to issue new certificates, and which are not technically 
constrained as described in Section 9 of Mozilla's CA Certificate Inclusion 
Policy, you are required to provide public-facing documentation about the 
certificate verification requirements and annual public attestation of 
conformance to said requirements. This includes certificates owned by, operated 
by, or issued by third parties, whether or not those issuing certificates are 
already part of Mozilla's CA Certificate Program, if they have been 
cross-signed by a certificate that directly or transitively chains to your root 
certificate.

To facilitate this public disclosure, Mozilla is requiring that these 
certificates, as well as their CP/CPS and audit statements, be entered into 
Mozilla's CA Community in Salesforce. This includes the full PEM data of every 
intermediate certificate that directly or transitively chains to your included 
root certificates, provided that the root certificate is enabled with the 
Websites trust bit and the intermediate certificate is not Technically 
Constrained, as described in Section 9 of Mozilla's CA Certificate Inclusion 
Policy.

This also includes every variation of these certificates, in the event they 
were reissued, such as to change the contents of extensions or validity dates. 

Please see https://wiki.mozilla.org/CA:SalesforceCommunity for information 
about which intermediate certificate data you are expected to enter into the CA 
Community in Salesforce, and instructions on how to do so.

Regards,
Kathleen Wilson, Mozilla CA Program Manager 
~~

Thanks,
Kathleen
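As an added illustration (not part of Kathleen's message, nor Mozilla or crt.sh tooling), the Go program below applies the criteria the draft spells out to a constructed test hierarchy: the intermediate must be CA-capable, must chain to an included root with the Websites trust bit, and must not be technically constrained per Section 9. Everything in it is constructed, including the `Root.WebsitesTrustBit` field that stands in for trust-bit data a CA would take from the root store. Section 9 is modelled as: an EKU extension is present, it does not contain anyExtendedKeyUsage, dNSName and iPAddress constraints exist when id-kp-serverAuth is present, and an rfc822Name constraint exists when id-kp-emailProtection is present. Not checked: DirectoryName and SRVName constraints (Go's parser does not expose them) and transitive chains (only direct issuance by the root is tested).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Verdict is the disclosure status of one intermediate under the draft's criteria.
type Verdict string

const (
	NotCA          Verdict = "not a CA certificate: nothing to disclose"
	NoChain        Verdict = "not issued by this root: check the other hierarchies"
	RootNotWebsite Verdict = "root lacks the Websites trust bit: outside this requirement"
	Constrained    Verdict = "technically constrained: disclosure not required"
	MustDisclose   Verdict = "MUST be disclosed in the CA Community (CCADB)"
)

// Root pairs an included root with its Websites trust-bit setting (assumed input).
type Root struct {
	Cert             *x509.Certificate
	WebsitesTrustBit bool
}

// IsTechnicallyConstrained models the Section 9 tests that Go's parser exposes
// (DirectoryName and SRVName constraints are not visible to crypto/x509).
func IsTechnicallyConstrained(c *x509.Certificate) bool {
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return false // no EKU extension: the sub-CA may issue for any purpose
	}
	var serverAuth, email bool
	for _, eku := range c.ExtKeyUsage {
		switch eku {
		case x509.ExtKeyUsageAny:
			return false // anyExtendedKeyUsage removes the constraint
		case x509.ExtKeyUsageServerAuth:
			serverAuth = true
		case x509.ExtKeyUsageEmailProtection:
			email = true
		}
	}
	if serverAuth { // TLS-capable: Name Constraints must cover dNSName and iPAddress
		dns := len(c.PermittedDNSDomains) > 0 || len(c.ExcludedDNSDomains) > 0
		ip := len(c.PermittedIPRanges) > 0 || len(c.ExcludedIPRanges) > 0
		if !dns || !ip {
			return false
		}
	}
	if email && len(c.PermittedEmailAddresses) == 0 && len(c.ExcludedEmailAddresses) == 0 {
		return false // S/MIME-capable: Name Constraints must cover rfc822Name
	}
	return true
}

// Classify decides whether a directly issued intermediate falls under the request.
func Classify(inter *x509.Certificate, root Root) Verdict {
	if !inter.BasicConstraintsValid || !inter.IsCA {
		return NotCA
	}
	if err := inter.CheckSignatureFrom(root.Cert); err != nil {
		return NoChain
	}
	if !root.WebsitesTrustBit {
		return RootNotWebsite
	}
	if IsTechnicallyConstrained(inter) {
		return Constrained
	}
	return MustDisclose
}

// --- constructed hierarchy for demonstration; not real CA material ---

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue signs tmpl with parentKey; with parent == nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildSample returns a constructed root (Websites bit on) plus one intermediate per branch.
func BuildSample() (Root, map[string]*x509.Certificate, error) {
	rootCert, rootKey, err := issue(caTemplate("Constructed Root", 1), nil, nil)
	if err != nil {
		return Root{}, nil, err
	}
	_, v4, _ := net.ParseCIDR("0.0.0.0/0")
	_, v6, _ := net.ParseCIDR("::/0")
	noIP := []*net.IPNet{v4, v6} // the usual "exclude every IP address" pattern

	tmpls := map[string]*x509.Certificate{"no-eku": caTemplate("Sub-CA without EKU", 2)}
	t := caTemplate("TLS Sub-CA, no Name Constraints", 3)
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	tmpls["tls-unconstrained"] = t
	t = caTemplate("TLS Sub-CA for example.com", 4)
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	t.PermittedDNSDomainsCritical, t.PermittedDNSDomains, t.ExcludedIPRanges = true, []string{"example.com"}, noIP
	tmpls["tls-constrained"] = t
	t = caTemplate("Sub-CA with anyExtendedKeyUsage", 5)
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageAny}
	t.PermittedDNSDomains, t.ExcludedIPRanges = []string{"example.com"}, noIP
	tmpls["any-eku"] = t
	t = caTemplate("S/MIME Sub-CA, no rfc822Name constraint", 6)
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	tmpls["smime-unconstrained"] = t
	leaf := caTemplate("End-entity, not a CA", 7)
	leaf.IsCA, leaf.KeyUsage = false, x509.KeyUsageDigitalSignature
	tmpls["leaf"] = leaf

	certs := map[string]*x509.Certificate{}
	for name, tmpl := range tmpls {
		if certs[name], _, err = issue(tmpl, rootCert, rootKey); err != nil {
			return Root{}, nil, err
		}
	}
	return Root{Cert: rootCert, WebsitesTrustBit: true}, certs, nil
}

func main() {
	root, certs, err := BuildSample()
	if err != nil {
		panic(err)
	}
	for name, c := range certs {
		fmt.Printf("%-22s %s\n", name, Classify(c, root))
	}
}
```

Run with `go run .`; each constructed intermediate prints its verdict. For a real inventory, replace `BuildSample` with PEM parsed from the CA's own issuance records and feed the root's trust-bit setting from the Mozilla root store; the serverAuth-without-Name-Constraints and no-EKU cases are the ones that typically appear in the crt.sh undisclosed table.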
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
