Announcing Version 2.2 of Mozilla’s CA Certificate Policy

Mozilla released version 2.2 of the Mozilla CA Certificate Policy and sent a CA Communication to inform CAs of the changes. This update and communication were motivated by security concerns regarding ICANN granting applied-for new gTLD strings. This policy update also emphasizes that there will be serious consequences if it is found that a CA has knowingly or intentionally mis-issued certificates chaining to trust anchors in Mozilla’s program.

Mozilla’s CA Certificate Program governs inclusion of root certificates in Network Security Services (NSS), a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of applications.

Version 2.2 of Mozilla’s CA Certificate Policy requires CAs who issue publicly trusted SSL certificates to comply with version 1.1.5 of the CA/Browser Forum’s Baseline Requirements. In particular, Mozilla’s CA Communication requests that CAs update their operations and policies to include the CA/Browser Forum’s Baseline Requirement #11.1.4 regarding new gTLD domains, and subscribe to ICANN’s new gTLD Registry Agreement notification mailing list.

The Enforcement section of version 2.2 of Mozilla’s CA Certificate Policy was updated to address a specific concern that CAs may be compelled (e.g. by a government) to mis-issue one or more certificates. While Mozilla’s policy already states that Mozilla may take any steps we deem appropriate to protect our users, the additional policy clarifies that knowingly or intentionally mis-issuing a certificate may result in disablement or removal of all of the CA’s certificates from Mozilla’s products.

In the CA Communication, Mozilla announced an effort to improve how revocation checking is handled in Firefox, and encouraged CAs to start participating in this effort now by sending Mozilla previously revoked intermediate certificates to be included in a revocation list push mechanism that is in development.

With this policy update and CA Communication, we reiterate our belief that each CA that is included in Mozilla’s program is ultimately accountable for every certificate it issues, directly or through its subordinate CAs. Participation in Mozilla’s CA program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe, up to and including the removal of root certificates that mis-issue, as well as any roots that cross-sign them. Nevertheless, we believe that security is best served when browsers and CAs can work together; we hope that frank communication and clear expectations can resolve these issues before any such action is required. We must also be diligent in looking for new ways to improve the security systems of the web. Those systems are built on the trust of web users, and we all have a responsibility to be strong stewards of that trust.

Mozilla Security Team