All,

I have reviewed many of the CA operator survey responses, and I am working to present them in a structured and insightful way. I am also preparing an FAQ document that will provide further implementation and compliance guidance for CA operators to address many of the questions and concerns raised in their responses to the survey questions.

To facilitate the display of recent changes to the draft of MRSP 3.0, I have created an additional branch in GitHub—*Updates-from-Survey-Responses <https://github.com/mozilla/pkipolicy/tree/Updates-from-Survey-Responses>*—which reflects proposed revisions based on the feedback received. And, for a direct comparison between the language in the current MRSP 3.0 branch and this new GitHub branch, see: *Comparison of Branches <https://github.com/mozilla/pkipolicy/compare/695d6c318875a912a4a5ce3fa0d0f6aa1ca5f0d6%E2%80%A6a1a8afe442844db6b9048b4c6bc750ca49c43216>*.

One other key step that I’m working on is to prepare MRSP 3.0 for publication on the Mozilla website, pending legal review. We are on track for this, and I want to reaffirm our commitment to the March 1, 2025, effective date.

To ensure everyone is aligned with upcoming compliance milestones, here’s a brief overview of key dates (some of which are included in the new GitHub branch):

- *January 1, 2025*: Newly included root CA certificates cannot be dual-purpose (i.e. enabled for both website authentication and email protection). Also, any new root CA certificates with the websites trust bit enabled must demonstrate automated issuance capabilities.
- *March 1, 2025*: This is the official compliance date when new requirements take effect, unless otherwise specified.
- *Annual audit periods beginning after March 1, 2025*: CA operators must begin identifying “parked CA keys” in their annual audit reports.
- *Annual audit periods beginning after June 1, 2025*: A CA operator capable of issuing trusted TLS certificates must obtain a third party assessment of the maintenance and testing of its mass revocation plan.
- *September 1, 2025*: All CA operators must have a mass revocation plan in place and begin the process to have it tested and evaluated (in accordance with the previous bullet).
- *April 15, 2026*: Any CA operating a dual-purpose root (with both websites and email trust bits enabled) must submit a transition plan to Mozilla.
- *December 31, 2028*: The final transition deadline, by which no root CA certificate will have both trust bits enabled.

If you have any questions or need further clarification, please don't hesitate to reach out.

Thanks,
Ben
