Updating Mozilla's CA Certificate Policy - Version 2.2

RESOLVED FIXED

Status

task
RESOLVED FIXED
6 years ago
2 years ago

People

(Reporter: kwilson, Assigned: kwilson)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

The proposed draft of version 2.2 of Mozilla’s CA Certificate Policy is here:

http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/

The proposed changes are as follows.

~~~ Inclusion Policy ~~~
http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/InclusionPolicy.html

* Change item #12 to require version 1.1.3 of the Baseline Requirements, rather than version 1.1.
"12. CA operations and issuance of certificates to be used for SSL-enabled servers must also conform to version *1.1.3* of the CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates. ..."


~~~ Maintenance Policy ~~~
http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/MaintenancePolicy.html

* In item #6, change "and" to "or".
"6. ... If we are not able to contact a CA, *or* do not have current audit and policy documentation, then the CA's root certificates may be disabled or removed as described in the Enforcement Section of the Mozilla CA Certificate Policy"


~~~ Enforcement Policy ~~~
http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/EnforcementPolicy.html

* Add item #3:
"3. One knowingly or intentionally mis-issued certificate by the CA (for example, a certificate that can be used for MITM or "traffic management" of domain names or IPs that the certificate holder does not legitimately own or control) will result in disablement (partially or fully) or removal of all of the CA's certificates from Mozilla's products."
Depends on: 868148
Gerv and Sid, do you agree with the following changes, and with publishing version 2.2 of Mozilla's CA Certificate Policy?

Item #3 of the enforcement policy has been updated based on discussion and legal review. Also, updated the inclusion policy to require BR version 1.1.5. 

The currently proposed changes are as follows.

~~~ Inclusion Policy ~~~
http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/InclusionPolicy.html

* Change item #12 to require version 1.1.5 of the Baseline Requirements, rather than version 1.1.
"12. CA operations and issuance of certificates to be used for SSL-enabled servers must also conform to version *1.1.5* of the CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates. ..."


~~~ Maintenance Policy ~~~
http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/MaintenancePolicy.html

* In item #6, change "and" to "or".
"6. ... If we are not able to contact a CA, *or* do not have current audit and policy documentation, then the CA's root certificates may be disabled or removed as described in the Enforcement Section of the Mozilla CA Certificate Policy"

~~~ Enforcement Policy ~~~
http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/EnforcementPolicy.html

* Add item #3:
"3. Mozilla will take any steps we deem appropriate to protect our users if we learn that a CA has knowingly or intentionally mis-issued one or more certificates. This may include, but is not limited to disablement (partially or fully) or removal of all of the CA's certificates from Mozilla's products. A certificate that includes domain names that have not been verified according to the CA/Browser Forum's Baseline Requirement #11.1.1 is considered to be mis-issued. A certificate that is intended to be used only as an end entity certificate but includes a keyUsage extension with values keyCertSign and/or cRLSign or a basicConstraints extension with the cA field set to true is considered to be mis-issued.”
Flags: needinfo?(sstamm)
Flags: needinfo?(gerv)
Looks good to me.
Flags: needinfo?(sstamm)
Looks good to me too. Ship it :-)

Gerv
Flags: needinfo?(gerv)
Version 2.2 of the policy has been published.
www.mozilla.org/projects/security/certs/policy/

Descriptions of the changes, and timeframes for complying with them are here:
https://wiki.mozilla.org/CA:CertificatePolicyV2.2

A CA Communication about this update is currently in discussion in the mozilla.dev.security.policy forum, and will be sent soon.
https://wiki.mozilla.org/CA:Communications
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
You need to log in before you can comment on or make changes to this bug.