Mozilla has sent a Communication to the Certification Authorities (CAs) who have root certificates included in Mozilla’s program. Mozilla’s CA Certificate Program governs inclusion of root certificates in Network Security Services (NSS), a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies and open-source projects in a variety of applications.
The CA Communication has been emailed to the Primary Point of Contact (POC) for each CA in Mozilla’s program, and they have been asked to respond to 7 action items:
- Update us on their progress in eliminating use of SHA-1 as a certificate signature algorithm;
- Enter intermediate certificate data into the CA Community in Salesforce;
- Enter revoked intermediate certificate data into the CA Community in Salesforce;
- Stop issuing certificates with the problems listed here, because we are going to remove the workarounds from mozilla::pkix;
- Tell us their plans for removing root certificates that they have retired or are migrating their customers away from;
- Confirm their understanding that all certificates, including test certificates, must conform to Mozilla’s stated policies; and
- Update us on changes involving transfer of ownership of root certificates, according to our Root Transfer Policy.
The full action items can be read here. Responses to the survey will be automatically and immediately published using Salesforce.
With this CA Communication, we reiterate that participation in Mozilla’s CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguarding that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve.