Dear Ono-san,

Thank you for your questions regarding how to submit a dual-root transition
plan required by MRSP Section 7.5.3.  I am still finalizing the process for
how transition plans should be submitted, and I will post such guidance on
the Mozilla CA wiki. However, at this time, the preferred method will be to
post the transition plan in a "CA Certificate Root Program" bug
<https://bugzilla.mozilla.org/enter_bug.cgi?product=CA%20Program&component=CA%20Certificate%20Root%20Program>
(e.g., titled “Remove Email Trust Bit from CA XYZ”, or similar). Filing a
certificate change bug in the CA Certificate Root Program component of
Bugzilla will itself initiate the change request and get the process
started. See https://wiki.mozilla.org/CA/Certificate_Change_Process.
Alternatively, the plan could be filed in the CA Documents component
<https://bugzilla.mozilla.org/enter_bug.cgi?product=CA%20Program&component=CA%20Documents>
in Bugzilla. Either of these approaches ensures transparency and allows the
community to be aware of the CA operator’s progress and intentions. Or, the
less-preferred method would be, if a CA operator strongly believes that the
transition plan contains sensitive or proprietary information, to submit
the plan on or before April 15, 2026, by email to [email protected].
If that approach is taken, a redacted or other transition plan would still
need to be uploaded to Bugzilla after the April 15, 2026, date.

As for the format and content, we do not currently require a rigid template
(I've pasted something below as guidance, if helpful). However, the plan
must clearly address how the CA operator will meet Mozilla’s requirement to
migrate away from dual-use roots by December 31, 2028. This means the plan
must include either removal of the websites or email trust bit or the root
itself from our certdata.txt file. Please note that all transition plans
should focus only on Mozilla’s requirements, not those of other root
programs, and you do not need to include unnecessary implementation
detail—just ensure that your plan is clear, reasonable, and demonstrates
how the root CA will be migrated away from dual-use by the December 31,
2028, deadline.

We’ll continue to monitor the types of plans received and may provide
additional guidance later if necessary.

Thanks,

Ben


*Root Transition Plan Template*

*CA Operator Name:*
[Insert name of the CA operator]

*Root CA Certificate:*
[Insert full subject DN and SHA256 hash of the affected root certificate]

*Summary Description of the Plan:*
Please describe, in one or two paragraphs, how your organization plans to
transition away from using this root certificate as a dual-use root.
Indicate which of the following actions will be taken:

_____ Request to remove the *email* trust bit
_____ Request to remove the *websites* trust bit
_____ Request to remove the *root*
_____ *Other* (Explain)

*Transition Timeline:*
Please provide relevant dates and milestones. Example entries might include:

   - Date to submit change request: [MM/DD/YYYY]
   - Last issuance of conflicting certificates: [MM/DD/YYYY]
   - Expiration date of last affected certificate: [MM/DD/YYYY]
   - Planned date of removal: [MM/DD/YYYY]
   - Estimated date for inclusion of new single-purpose root(s) (if
     applicable): [MM/DD/YYYY]

*Additional Notes (Optional):*
Use this space to provide any other relevant information to support your
plan or clarify timelines.




On Sun, Mar 30, 2025 at 8:43 PM Fumiaki ONO <[email protected]>
wrote:

> Hello Ben-san,
>
> We have a question about MRSP Section 7.5.3.
> How should we submit the transition plan?
> If there are any specifications for the format or where to send it, we
> would appreciate it if you could let us know.
>
>
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
>
> > 7.5.3 Transition Plan for Existing Roots
> > Root CA certificates included in Mozilla's Root Store as of January 1,
> > 2025, that have both the websites and the email trust bits enabled MAY
> > remain trusted after April 15, 2026, if the CA operator has submitted a
> > transition plan by April 15, 2026, to migrate to dedicated hierarchies by
> > December 31, 2028.
>
> Best regards,
>
> ONO Fumiaki / 大野 文彰
> SECOM Trust Systems Co., Ltd.
>
> On Tuesday, February 25, 2025 at 8:18:50 UTC+9, Ben Wilson wrote:
>
> Greetings all,
> The final version of MRSP v.3.0 is now published
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/>
> with an effective date of March 15, 2025. Please review and let me know if
> you spot any issues.
> Thanks,
> Ben
>
>
