All,
I would like to remind everyone about when these requirements for
non-technically-constrained intermediate certificates came into effect
for CAs in Mozilla’s program according to previous versions of Mozilla’s
Root Store Policy[1] and previous CA Communications[2].
February 2013: Mozilla published version 2.1 of its CA Certificate
Inclusion Policy[3], which introduced clauses #8, 9, and 10 requiring
that intermediate certificates must either be technically constrained or
be audited and publicly disclosed. Clause 11 added the requirement for
BR audits (ETSI: DVCP and OVCP certificate policies for publicly trusted
certificates - baseline requirements; WebTrust: "SSL Baseline
Requirements Audit Criteria V1.1" (as applicable to SSL certificate
issuance)).
June 2017: Mozilla published version 2.5 of its Root Store Policy[4],
which specified in section 3.1.4 that audit statements must contain the
SHA256 fingerprint of each root and intermediate certificate that was in
scope of the audit. The pre-existing requirement for public-facing audit
statements (including BR audits) for non-technically-constrained
intermediate certs continued to remain in effect as described in
sections 3.1.2 and 5.3.
April 2017: Mozilla sent a CA Communication requiring response from all
CAs[5] that stated that all audit statements submitted to Mozilla must
be public-facing (not confidential), provided in English, and must
include the SHA1 or SHA256 fingerprint of each certificate issuer
covered by the audit scope.
November 2017: Mozilla sent a CA Communication requiring response from
all CAs[6] that had action items to review and confirm compliance with
version 2.5 of Mozilla's Root Store Policy and clarified that each audit
statement must include the SHA-256 fingerprint for each root and
intermediate certificate in scope of the audit.
September 2018: Mozilla sent a CA Communication requiring response
from all CAs[7] that stated that Mozilla would start rejecting audit
statements that did not contain the required information. The
communication also noted that version 2.6.1 of Mozilla's Root Store
Policy added clarification to section 5.3.2 that newly-issued
intermediates that are not technically constrained, and that have a
currently valid audit report at the time of creation of the certificate,
must appear on the CA's next periodic audit reports.
Thanks,
Kathleen
[1] https://wiki.mozilla.org/CA/Root_Store_Policy_Archive
[2] https://wiki.mozilla.org/CA/Communications
[3] https://wiki.mozilla.org/CA:CertInclusionPolicyV2.1
[4] https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md
[5] https://wiki.mozilla.org/CA/Communications#April_2017
[6] https://wiki.mozilla.org/CA/Communications#November_2017_CA_Communication
[7] https://wiki.mozilla.org/CA/Communications#September_2018_CA_Communication
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
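The requirement that recurs in the communications above is that an audit statement must identify every root and intermediate in scope by certificate fingerprint (SHA1 or SHA256 per the April 2017 communication, SHA-256 per policy 2.5 and the November 2017 communication). The script below is an added example, not part of Kathleen's message and not Mozilla's own tooling: it reads a PEM bundle of a CA's certificates, computes the SHA-256 and SHA-1 fingerprints over the DER bytes, and reports for each certificate whether the statement lists it by SHA-256, only by SHA-1, or not at all. The certificate bodies in the sample bundle are placeholder bytes rather than parseable certificates (a fingerprint is just a hash of the DER, so the check does not depend on the contents), and the audit statement excerpt is constructed; the fingerprint formatting rules (colon-separated or bare hex, any case) are assumptions about how statements typically print them.

```python
"""Match certificates in a PEM bundle against the fingerprints listed in an
audit statement. Added example using only the Python standard library."""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# A fingerprint as audit statements typically print it (assumption): 32 or 20
# hex bytes, optionally separated by colons or spaces, in either case. The
# longer alternative comes first so a SHA-256 is not mis-read as a SHA-1 prefix.
FP_RE = re.compile(
    r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}[: ]?){32}|(?:[0-9A-Fa-f]{2}[: ]?){20})"
    r"(?![0-9A-Fa-f])")


def der_from_pem_bundle(bundle):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(bundle)]


def fingerprint(der, algo="sha256"):
    """Certificate fingerprint: hash of the DER encoding, upper-case hex."""
    return hashlib.new(algo, der).hexdigest().upper()


def colon_format(fp):
    """AB:CD:... form, as commonly printed in audit statements."""
    return ":".join(fp[i:i + 2] for i in range(0, len(fp), 2))


def normalize_fingerprint(text):
    """Strip separators and case; classify by length (64 hex = SHA-256, 40 = SHA-1)."""
    hexstr = re.sub(r"[^0-9A-Fa-f]", "", text).upper()
    if len(hexstr) == 64:
        return "sha256", hexstr
    if len(hexstr) == 40:
        return "sha1", hexstr
    raise ValueError("not a SHA-1 or SHA-256 fingerprint: %r" % text)


def fingerprints_in_statement(text):
    """Collect every fingerprint-shaped token in the statement, keyed by algorithm."""
    found = {"sha1": set(), "sha256": set()}
    for m in FP_RE.finditer(text):
        algo, fp = normalize_fingerprint(m.group(1))
        found[algo].add(fp)
    return found


def check_audit_scope(bundle, statement):
    """Map each certificate's SHA-256 fingerprint to how the statement covers it:
    'sha256' (meets policy 2.5 section 3.1.4), 'sha1-only' (accepted by the April
    2017 communication but lacking the SHA-256 later required), or 'missing'."""
    listed = fingerprints_in_statement(statement)
    report = {}
    for der in der_from_pem_bundle(bundle):
        fp256 = fingerprint(der, "sha256")
        if fp256 in listed["sha256"]:
            report[fp256] = "sha256"
        elif fingerprint(der, "sha1") in listed["sha1"]:
            report[fp256] = "sha1-only"
        else:
            report[fp256] = "missing"
    return report


def _pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample bundle: placeholder DER bytes, NOT real certificates.
SAMPLE_DERS = [b"\x30\x82\x01\x00" + bytes([i]) * 40 for i in range(3)]
SAMPLE_BUNDLE = "".join(_pem(d) for d in SAMPLE_DERS)

# Constructed audit statement excerpt: the root is listed by SHA-256 with colons,
# the first intermediate only by lower-case SHA-1, the second not at all.
SAMPLE_STATEMENT = (
    "Scope of this report (constructed excerpt):\n"
    "Example Root CA, SHA-256: "
    + colon_format(fingerprint(SAMPLE_DERS[0], "sha256")) + "\n"
    "Example Intermediate CA 1, SHA1: "
    + fingerprint(SAMPLE_DERS[1], "sha1").lower() + "\n"
    "Example Intermediate CA 2: (fingerprint omitted)\n"
)

if __name__ == "__main__":
    for fp, status in check_audit_scope(SAMPLE_BUNDLE, SAMPLE_STATEMENT).items():
        print(colon_format(fp), status)
```

Run against a real bundle (for example the roots and intermediates a CA has disclosed for a given audit period) and the text of the audit statement, the "missing" and "sha1-only" entries are exactly the certificates for which the statement would be rejected under the September 2018 communication.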