NETLOCK: Transition Plan for Mozilla Root Store Policy 7.5 by Deadline
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: kaluha.roland, Assigned: kaluha.roland)
Details
(Whiteboard: [ca-compliance] [policy-failure])
Preliminary Incident Report
Summary
-
Incident description:
The NETLOCK Arany (Gold) Class Root CA certificate currently includes both TLS server authentication and S/MIME email protection trust bits. According to Mozilla Root Store Policy Section 7.5, Certification Authorities must transition away from combined trust bits, with a compliance deadline of December 31, 2028.However, the affected root CA certificate has a validity end date of December 6, 2028, which is prior to the stated compliance deadline. This creates ambiguity regarding whether active remediation steps (such as trust bit separation or root replacement) are required, or whether natural expiration of the root certificate satisfies the policy requirements.
This situation introduces a potential policy interpretation and compliance risk.
-
Relevant policies:
- Mozilla Root Store Policy – Section 7.5 (Separation of TLS and S/MIME trust bits)
- Mozilla Root Store Policy – General compliance requirements and timelines
-
Source of incident disclosure:
The issue was identified internally following Mozilla’s public communication regarding the Section 7.5 transition plan deadline of April 15.
|
||
Updated•10 days ago
|
|
||
Comment 1•10 days ago
|
||
See bug #2033033, which I believe satisfies as a Transition Plan. Netlock still needs to prepare a full incident report.
Dear Community Members,
please proceed with closing this ticket.
The issue will be further handled under ticket #2033033. We will upload the full incident report there shortly.
|
|
||
Comment 3•7 days ago
|
||
This ticket will be set to be closed on or about 2026-04-27.
|
|
||
Updated•15 hours ago
|
Description
•