January 2020 CA Communication

Dear Certification Authority,

Mozilla’s Root Store Policy was recently updated. The 2.7 version went into effect on 1-January 2020. This version contains a number of changes that may affect your organization and require you to take action to comply. Please review Mozilla’s updated Root Store Policy and complete the January 2020 survey via the Common CA Database (CCADB). This survey also contains information regarding other recent and upcoming changes that may affect your Certificate Authority (CA).

To respond to this survey, log in to the Common CA Database (CCADB), click on the 'CA Communications (Page)' tab, and select the 'January 2020 CA Communication' survey. All CAs with root certificates included in Mozilla’s root store must submit their responses by 31-January 2020.

A compiled list of CA responses to the survey action items will be automatically and immediately published by the CCADB system.

Participation in Mozilla's CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your cooperation in this pursuit.

Regards,
Wayne Thayer
Mozilla CA Program Manager

ACTION 1: Review Mozilla Root Store Policy

Read version 2.7 of Mozilla’s Root Store Policy. CAs are expected to comply without exception with Version 2.7 of Mozilla's Root Store Policy. CAs MUST review this policy and ensure compliance, and CAs SHOULD carefully review the differences from previous versions of Mozilla's policy. These changes have been discussed on the mozilla.dev.security.policy mailing list. CAs that did not participate in these discussions or that have not yet reviewed these conversations should also read the discussions regarding these changes, to reduce the chance of confusion or misinterpretation. (Required)

ACTION 1 COMMENTS

ACTION 2: Update CP/CPS

Ensure that your CP/CPS complies with the following requirements that were added to section 3.3 of Mozilla’s Root Store Policy:

  • CP/CPS versions dated after March 2020 cannot contain blank sections and must, in accordance with RFC 3647, only use “No Stipulation” to mean that no requirements are imposed.

  • CAs must provide a way to clearly determine which CP and CPS applies to each of its root and intermediate certificates. The easiest way to do this is to only have one CP/CPS. If you have multiple policy documents, then the CA certificates that the documents apply to may be listed in the document, or policy OIDs that are present in the CA certificates may be listed in the documents that govern them. It is not sufficient for a CA to include policy OIDs in end-entity certificates when multiple policy documents may apply to a given subordinate CA.
(Required)

ACTION 2 DATE

ACTION 2 COMMENTS

ACTION 3: Include EKUs in All End-entity Certificates

Beginning on 1-July 2020, section 5.2 of Mozilla's Root Store Policy states that new end-entity certificates MUST include an EKU extension containing KeyPurposeId(s) describing the intended usage(s) of the certificate, and the EKU extension MUST NOT contain the KeyPurposeId anyExtendedKeyUsage. (Required)
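The section 5.2 rule can be checked at issuance or in post-issuance linting by looking at the DER value of the EKU extension alone. The following is an added example, not Mozilla or CCADB code; it parses the ExtKeyUsageSyntax SEQUENCE OF OID with the standard library and flags a missing extension, an empty one, or the presence of anyExtendedKeyUsage (2.5.29.37.0). The sample OID encodings and the `wrap_sequence` helper exist only to construct test inputs.

```python
"""Check an end-entity certificate's Extended Key Usage (EKU) extension
value against Mozilla Root Store Policy 2.7, section 5.2: the extension
must be present and must not contain anyExtendedKeyUsage (2.5.29.37.0).
Works on the DER value, ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId."""

ANY_EKU = "2.5.29.37.0"

OID_SERVER_AUTH = bytes.fromhex("06082b06010505070301")  # constructed: 1.3.6.1.5.5.7.3.1
OID_ANY_EKU = bytes.fromhex("0604551d2500")              # constructed: 2.5.29.37.0


def wrap_sequence(*elements: bytes) -> bytes:
    """Wrap DER elements in a SEQUENCE (short-form length, < 128 bytes)."""
    body = b"".join(elements)
    assert len(body) < 128, "sample EKU too large for short-form length"
    return b"\x30" + bytes([len(body)]) + body


def decode_eku(der: bytes) -> list:
    """Return the dotted OIDs in a DER ExtKeyUsageSyntax value."""
    if len(der) < 2 or der[0] != 0x30 or der[1] >= 128 or len(der) != 2 + der[1]:
        raise ValueError("malformed EKU SEQUENCE")
    pos, oids = 2, []
    while pos < len(der):
        if der[pos] != 0x06:
            raise ValueError("EKU element is not an OBJECT IDENTIFIER")
        n = der[pos + 1]
        raw = der[pos + 2 : pos + 2 + n]
        # First byte packs arcs 1 and 2; valid for the arcs used here (< 80).
        arcs, val = [raw[0] // 40, raw[0] % 40], 0
        for b in raw[1:]:  # base-128 arcs, high bit marks continuation
            val = (val << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(val)
                val = 0
        oids.append(".".join(map(str, arcs)))
        pos += 2 + n
    return oids


def eku_violations(eku_der) -> list:
    """List section 5.2 violations; None means the EKU extension is absent."""
    if eku_der is None:
        return ["EKU extension missing"]
    oids = decode_eku(eku_der)
    problems = [] if oids else ["EKU extension lists no KeyPurposeId"]
    if ANY_EKU in oids:
        problems.append("EKU contains anyExtendedKeyUsage")
    return problems
```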

ACTION 3 DATE

ACTION 3 COMMENTS

ACTION 4: Ensure Audit Reports are Properly Formatted

We have implemented automated audit letter validation (ALV) to process audit cases submitted to the CCADB. To improve the success rate of ALV, please ensure that your auditors comply with the following requirements in all future audit statements. This has been added to the CCADB Policy (section 5.1), and is especially important now that we have extended ALV to intermediate certificates.

  • Dates

    • Accepted date formats (month names in English):

      • Month DD, YYYY (example: May 7, 2016)

      • DD Month YYYY (example: 7 May 2016)

      • YYYY-MM-DD (example: 2016-05-07)

    • No extra text within the date, such as “7th” or “the”

  • SHA256 Thumbprint

    • No colons, no spaces, and no linefeeds

    • Uppercase letters

    • Should be encoded in the document (PDF) as “selectable” text, not an image

(Required)
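A CA can pre-check an audit statement's dates and thumbprints against these formatting rules before the auditor signs it. The following is an added example and not CCADB's ALV code; the statement field names (`period_start`, `period_end`, `statement_date`, `sha256_thumbprints`) and the sample values are assumptions constructed for the example.

```python
"""Pre-check audit statement fields against the formats the CCADB's automated
audit letter validation (ALV) accepts: dates in one of three forms with
English month names and no extra words, and SHA-256 thumbprints as 64
uppercase hex digits with no colons, spaces or line breaks.
Added example, not CCADB code; field names and sample values are assumed."""
import re
from datetime import datetime

ACCEPTED_DATE_FORMATS = {
    "Month DD, YYYY": "%B %d, %Y",  # May 7, 2016
    "DD Month YYYY": "%d %B %Y",    # 7 May 2016
    "YYYY-MM-DD": "%Y-%m-%d",       # 2016-05-07
}


def parse_alv_date(text: str):
    """Return (date, format name) if `text` is exactly one accepted form,
    else None. strptime rejects ordinals ("7th") and filler such as "the"."""
    for name, fmt in ACCEPTED_DATE_FORMATS.items():
        try:
            return datetime.strptime(text, fmt).date(), name
        except ValueError:
            continue
    return None


def thumbprint_problems(text: str) -> list:
    """Describe why a SHA-256 thumbprint string would fail the ALV rules."""
    problems = []
    if re.search(r"[:\s]", text):
        problems.append("contains colons, spaces or line breaks")
    stripped = re.sub(r"[:\s]", "", text)
    if re.search(r"[a-f]", stripped):
        problems.append("uses lowercase hex digits")
    if not re.fullmatch(r"[0-9A-Fa-f]{64}", stripped):
        problems.append("is not 64 hexadecimal digits")
    return problems


def audit_statement_problems(statement: dict) -> list:
    """Run both checks over a statement's fields (assumed names). Whether the
    thumbprint is selectable text rather than an image is not checkable here."""
    problems = []
    for field in ("period_start", "period_end", "statement_date"):
        if parse_alv_date(statement[field]) is None:
            problems.append(f"{field}: unaccepted date {statement[field]!r}")
    for tp in statement["sha256_thumbprints"]:
        for p in thumbprint_problems(tp):
            problems.append(f"thumbprint {tp[:8]}...: {p}")
    return problems
```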

ACTION 4 COMMENTS

ACTION 5: Resolve Audit Issues with Intermediate Certificates

CAs have a new task list item on their CCADB home page called “Intermediate Certs with Failed ALV Results”. If you have any items listed here, follow the published instructions to resolve them. (Required)

ACTION 5 DATE

ACTION 5 COMMENTS

ACTION 6: Incident Reporting

Incident report requirements have been clarified in section 2.4 of Mozilla’s Root Store Policy. A few changes have been made to our wiki page providing guidance on incident reporting. Please ensure that you are aware of Mozilla’s expectations and are prepared to provide good incident reports (Here is an example). (Required)

ACTION 6 COMMENTS

ACTION 7: Compliance with BRs

A number of updates have been made to the CA/Browser Forum Baseline Requirements since our last CA communication, including improvements to IP address validation methods. Mozilla expects CAs to follow and comply with changes to all relevant CA/Browser Forum guidelines as they are made, and to promptly update the CA’s policy documents to reflect these changes when necessary. To assist in this task, Mozilla has recently updated the BR Self Assessment template. (Required)

ACTION 7 COMMENTS