Thank you to all of you who responded to the May 2020 CA Communication/Survey.

Communication/Survey:
https://wiki.mozilla.org/CA/Communications#May_2020_CA_Communication

Blog Post:
https://blog.mozilla.org/security/2020/05/08/may-2020-ca-communication/

Responses:
https://wiki.mozilla.org/CA/Communications#May_2020_Responses

Summary of Results:

* Item 1 -- Impact of COVID-19 Restrictions
Everyone responded with: "We have reviewed https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay and understand the action to take if we need to report issues to Mozilla."

* Item 2 -- Mozilla Root Store Policy version 2.7 Requirements and Deadlines
Most CAs responded with: "Our responses to the January 2020 CA Communication have not changed, and we will meet these requirements according to the dates we previously specified." Some CAs indicated the work that they are still doing. I did not notice any alarming responses.

* Item 3 -- Reducing Maximum Validity Period for TLS Certificates

** Sub Item 3.1 -- Limit TLS Certificates to 398-day validity
(https://github.com/mozilla/pkipolicy/issues/204)
Most CAs who are issuing TLS certificates indicated their intent to limit TLS certificate validity period to 398 days or less for certificates issued after September 1, 2020. Some CAs are already issuing TLS certs with shorter validity periods, and others indicated that they would be able to implement shorter validity periods by the date Mozilla specifies in its policy. Many CAs voiced discontent with the way this requirement came about. To quote one CA: "Root programs should not place binding requirements on CAs via email messages without corresponding root policy updates, or at a minimum, a blog or announcement that can be referenced as an authoritative trusted source."

** Sub Item 3.2 -- Limit re-use of domain name and IP address verification to 398 days
(https://github.com/mozilla/pkipolicy/issues/206)
19 CAs responded that they either do not re-use domain verification, or that their re-use of domain verification is already less than 398 days. 11 CAs indicated that they could implement the changes to their processes and documentation to limit the re-use of domain name verification to 398 days or less before September 30, 2020. 9 CAs shared the sentiment that they would prefer that the re-use of verification information be regulated by the CA/Browser Forum Baseline Requirements. A few CAs indicated that this requirement would cause extra work for their customers, and requested a detailed security analysis of this change which they could convey to their customers. One CA noted: "If there is a change to reuse requirements, it should only apply to data verified on or after the effective date of the change. This change should not apply to data verified before the effective date of the change to avoid creating a verification cliff for the CAs and Subscribers. Note, if Mozilla requires that a domain name or IP address is re-verified each time a TLS certificate is issued, then this will reduce the effectivity of a number of verification methodologies that can be used and could impact many ecosystems which rely on TLS."

* Item 4 -- CA/Browser Forum Ballot for Browser Alignment

** Sub Item 4.1 -- CA/Browser Forum defined-policy OID in Subscriber Cert certificatePolicies
(https://github.com/mozilla/pkipolicy/issues/212)
With the exception of one CA, every CA that is issuing TLS certs responded that they either already do this, or can do this by September 30, 2020.

** Sub Item 4.2 -- Byte-for-byte Identical Issuer and Subject Distinguished Names
(https://github.com/mozilla/pkipolicy/issues/213)
Most CAs already do this, but a few CAs indicated that they would need some time for further analysis and making changes, which appear do-able for future cert issuance. Note: I would not want this to cause lots of revocations of existing certs, so I prefer a future effective date.

A couple of CAs indicated that the second part of the requirement should be restricted to subCAs.
Note: This change is already under consideration per discussion in the CABF.
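As an added illustration of what Sub Items 3.1 and 4.2 mean for a certificate in practice (this is not part of Kathleen's message or any CA's response, and CheckLeaf/BuildPair are names chosen here), the Go program below constructs a throwaway CA and leaf pair, then checks the leaf's validity period against the 398-day cap and its issuer DN against the CA's subject DN as DER bytes rather than as decoded strings:

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// CheckLeaf applies Sub Items 3.1 and 4.2 to an end-entity cert and its issuing CA cert.
// Item 4.2 is about DER bytes: leaf.Issuer.String() still matches when only the ASN.1
// string type differs (PrintableString vs UTF8String), so compare RawIssuer/RawSubject.
func CheckLeaf(leaf, ca *x509.Certificate) []string {
	var findings []string
	if leaf.NotAfter.Sub(leaf.NotBefore) > 398*24*time.Hour { // Item 3.1 cap
		findings = append(findings, "validity exceeds 398 days")
	}
	if !bytes.Equal(leaf.RawIssuer, ca.RawSubject) {
		findings = append(findings, "issuer DN not byte-for-byte identical to CA subject DN")
	}
	return findings
}

// BuildPair constructs example data (no real CA's) of a self-signed CA and a leaf it signs. With
// mismatchIssuer the leaf's issuer CN is encoded as UTF8String while the CA's own subject CN is
// Go's default PrintableString: same printed name, different bytes, which Item 4.2 forbids.
func BuildPair(validityDays int, mismatchIssuer bool) (leaf, ca *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Example Root CA"}, NotBefore: now, NotAfter: now.AddDate(10, 0, 0)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key)
	ca, _ = x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.com"},
		NotBefore: now, NotAfter: now.AddDate(0, 0, validityDays)}
	parent := ca // CreateCertificate copies the parent's subject bytes into the leaf's issuer
	if mismatchIssuer {
		cn := pkix.AttributeTypeAndValue{Type: asn1.ObjectIdentifier{2, 5, 4, 3},
			Value: asn1.RawValue{Tag: asn1.TagUTF8String, Bytes: []byte("Example Root CA")}}
		parent = &x509.Certificate{Subject: pkix.Name{ExtraNames: []pkix.AttributeTypeAndValue{cn}}}
	}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, parent, &key.PublicKey, key)
	leaf, _ = x509.ParseCertificate(leafDER)
	return leaf, ca
}
```

The mismatched pair prints the same issuer and subject name, so a string comparison would pass while the byte comparison correctly fails.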

** Sub Item 4.3 -- Text-searchable PDF Audit Statements
(https://github.com/mozilla/pkipolicy/issues/210)
All CAs indicated that either they already do this, or that they can do this for their next audits.

** Sub Item 4.4 -- OCSP Requirements
(https://github.com/mozilla/pkipolicy/issues/211)
All CAs indicated that they either already do this, or can do this by September 2020. (Note that one CA said October 14, 2020.)


Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy