Mozilla has sent a Communication to the Certification Authorities (CAs) who have root certificates included in Mozilla’s program. Mozilla’s CA Certificate Program governs inclusion of root certificates in Network Security Services (NSS), a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of applications.
The CA Communication has been emailed to the Primary Point of Contact (POC) for each CA in Mozilla’s program, and they have been asked to respond to 5 action items:
- Confirm that they are the current Primary POC, or give alternative details;
- Confirm that Mozilla has the correct link to their most recent Baseline Requirements audit statement;
- Update us on their progress in eliminating use of SHA-1 as a certificate signature algorithm;
- Inform us whether they are still issuing certificates with certain problems identified when we moved to mozilla::pkix; and
- Tell us about their support for IPv6.
The full action items can be read here. Responses to the survey will be collated using Salesforce and the answers published in June.
With this CA Communication, we re-iterate that participation in Mozilla’s CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve.
Mozilla Security Team
enric
wrote on