I want to directly notify all CAs in the Mozilla program of the recently exposed issues with domain validation methods and of some upcoming deadlines. A draft is available below and at https://wiki.mozilla.org/CA/Communications#January_2018_CA_Communication
I would appreciate your prompt and constructive feedback on this message - I'd like to get it sent out this week. Thanks, Wayne ======================= Dear Certification Authority, Because 2018 has already generated some important news for Certification Authorities, we are sending this message to ensure that every CA in the Mozilla program is aware of the following current events and impending deadlines: 1. On 9-January, the CA “Let’s Encrypt” disclosed a vulnerability in the ACME domain validation method known as TLS-SNI-01, which is an implementation of the more general method described in BR 3.2.2.4.10. [1] A subsequent vulnerability was disclosed on 11-January affecting the validation method described in BR 3.2.2.4.9. [2] Mozilla expects all CAs to be monitoring discussion in the mozilla.dev.security.policy forum and for any CA that employs either of these methods to disclose that fact on the list. From now on, Mozilla expects that CAs will not use these methods unless they have implemented and disclosed a mitigation for the vulnerabilities that have been discovered. 2. On 19-December, significant concerns were raised about the reliability of the domain validation methods specified in BR 3.2.2.4.1 and 3.2.2.4.5. [3] Since then, discussions on the CA/Browser Forum Public list have resulted in a proposed ballot to prohibit the use of these methods after 1-August 2018. [4] If your CA uses either of these methods, please evaluate your implementation for vulnerabilities and be prepared to discontinue their use prior to the deadline if ballot 218 succeeds. 3. Sections 5.3.1 and 5.3.2 of Mozilla Root Store Policy version 2.5 [5] require CAs to publicly disclose (via CCADB [6]) all subordinate CA certificates including those used to issue email S/MIME certificates by 15-January unless they are technically constrained to a whitelist of domains. We have since changed the compliance deadline to 15-April 2018. Certificate monitors have detected over 200 certificates that currently do not comply with this new policy. [7] Please ensure that your CA is in compliance before 15-April 2018. 4. In our November 2017 CA Communication [8], Mozilla asked all CAs with roots enabled for websites (SSL) to complete a BR self-assessment [9] by 31-January and send it to Kathleen. If you have not yet done so, please complete this work. If you requested an extension, your deadline is 15-April 2018. 5. If you are one of the CAs that indicated in your response to the November 2017 CA Communication that you need more time to update your CPS to comply with version 2.5 of the Mozilla Root Store Policy, please complete the updates no later than 15-April 2018. Mozilla feels that four months is more than long enough to make a CPS change. 6. On 17-March 2017, in ballot 193, the CA/Browser Forum set a deadline of 1-March 2018 after which newly-issued SSL certificates must not have a validity period greater than 825 days, and the re-use of validation information must be limited to 825 days. As with all other baseline requirements, Mozilla expects all CAs in the program to comply. Participation in Mozilla's CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your cooperation in this pursuit. Regards, Wayne Thayer Mozilla CA Program Manager [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/RHsIInIjJA0/LKrNi35aAQAJ [2] https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/PiOiGCyuxCU [3] https://cabforum.org/pipermail/public/2017-December/012630.html [4] https://cabforum.org/pipermail/public/2018-January/012819.html [5] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ [6] http://ccadb.org/cas/intermediates [7] https://groups.google.com/d/msg/mozilla.dev.security.policy/sKhPTsIYNqs/Q-_ZKmDVAQAJ [8] https://wiki.mozilla.org/CA/Communications#November_2017_CA_Communication [9] https://wiki.mozilla.org/CA/BR_Self-Assessment _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
