January 2018 CA Communication

Dear Certification Authority,

2018 has already generated some important news for Certification Authorities, and as a result we are sending this message to ensure that every CA in the Mozilla program is aware of current events and impending deadlines.

This survey requests a set of actions on your behalf, as a participant in Mozilla's CA Certificate Program.

To respond to this survey, log in to the Common CA Database (CCADB), click on the 'CA Communications (Page)' tab, and select the 'January 2018 CA Communication' survey. Please enter your response by 9-February 2018.

A compiled list of CA responses to the survey action items will be automatically and immediately published by the CCADB system.

Participation in Mozilla's CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your cooperation in this pursuit.

Regards,

Wayne Thayer
Mozilla CA Program Manager

ACTION 1: Disclose Use of Methods 3.2.2.4.9 or 3.2.2.4.10 for Domain Validation

On 9-January, the CA “Let’s Encrypt” disclosed a vulnerability in the ACME domain validation methods known as TLS-SNI-01 and TLS-SNI-02, which are implementations of the more general method described in Baseline Requirements 3.2.2.4.10. A subsequent vulnerability was disclosed on 11-January affecting the validation method described in BR 3.2.2.4.9. Mozilla expects all CAs to be monitoring discussion in the mozilla.dev.security.policy forum, and expects any CA that employs either of these methods to disclose that fact on the list. From now on, Mozilla expects that CAs will not use these methods unless they have implemented and disclosed a mitigation for the vulnerabilities that have been discovered.

Please select the correct response for your CA: (Required)

ACTION 1 COMMENTS

ACTION 2: Disclose Use of Methods 3.2.2.4.1 or 3.2.2.4.5 for Domain Validation

On 19-December, significant concerns were raised about the reliability of the domain validation methods specified in BR 3.2.2.4.1 and 3.2.2.4.5. Since then, discussions on the CA/Browser Forum Public list have resulted in a proposed ballot to prohibit the use of these methods after 1-August 2018. Rather than accept the risk of continued use of these methods, Mozilla may decide to set an earlier deadline such as 1-March 2018. If your CA uses either of these methods, please evaluate your implementation for vulnerabilities, follow the discussion closely, and be prepared to quickly discontinue your use of these methods of domain validation.

Please select the correct response for your CA: (Required)

ACTION 2 COMMENTS (please include any exceptions to the response you selected above)

ACTION 3: Disclose All Non-Technically-Constrained Subordinate CA Certificates

Sections 5.3.1 and 5.3.2 of Mozilla Root Store Policy version 2.5 require CAs to publicly disclose (via CCADB), by 15-January, all subordinate CA certificates, including those used to issue S/MIME email certificates, unless they are technically constrained via both EKU and Name Constraints to a set of validated domains. We have since changed the compliance deadline to 15-April 2018. Certificate monitors have detected over 200 certificates that currently do not comply with this new policy. Please ensure that your CA is in compliance before 15-April 2018.

Please select the correct response for your CA: (Required)

ACTION 3 COMMENTS

ACTION 4: Complete BR Self Assessment

In our November 2017 CA Communication, Mozilla asked all CAs with roots enabled for websites (SSL) to complete a BR self-assessment by 31-January and send it to Kathleen. If you have not yet done so, please complete this work. If you requested an extension, your deadline is 15-April 2018.

Please select the correct response for your CA: (Required)

ACTION 4 COMMENTS

ACTION 5: Update CP/CPS to Comply with version 2.5 of Mozilla Root Store Policy

If you are one of the CAs that indicated in your response to the November 2017 CA Communication that you need more time to update your CP/CPS to comply with version 2.5 of the Mozilla Root Store Policy, please complete the updates no later than 15-April 2018. Mozilla feels that four months is more than long enough to make a CP/CPS change.

Please select the correct response for your CA: (Required)

ACTION 5 COMMENTS

ACTION 6: Reduce SSL Certificate Validity Periods to 825 Days or Less by 1-March 2018

On 17-March 2017, in ballot 193, the CA/Browser Forum set a deadline of 1-March 2018 after which newly-issued SSL certificates must not have a validity period greater than 825 days, and the re-use of validation information must be limited to 825 days. As with all other baseline requirements, Mozilla expects all CAs in the program to comply.

Please select the correct response for your CA: (Required)

ACTION 6 COMMENTS