Mozilla has sent a CA Communication to inform Certificate Authorities (CAs) who have root certificates included in Mozilla’s program about current events related to domain validation for SSL certificates and to remind them of a number of upcoming deadlines. This CA Communication has been emailed to the Primary Point of Contact (POC) and an email alias for each CA in Mozilla’s program, and they have been asked to respond to the following 6 action items:
- Disclose Use of Baseline Requirements Methods 188.8.131.52.9 or 184.108.40.206.10 for Domain Validation – Recently discovered vulnerabilities in these methods of domain validation have led Mozilla to require CAs to disclose their use of these methods and to describe how they have mitigated these vulnerabilities.
- Disclose Use of Methods 220.127.116.11.1 or 18.104.22.168.5 for Domain Validation – Significant concerns were recently raised about the reliability of these methods that are defined in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.
- Disclose All Non-Technically-Constrained Subordinate CA Certificates – CAs have until April 15, 2018 to disclose all non-technically constrained subordinate CA certificates – including subordinate CA certificates that are constrained via EKU to S/MIME but do not have Name Constraints – as required by version 2.5 of Mozilla’s Root Store Policy.
- Complete BR Self Assessment – Mozilla has asked all CAs to complete a Baseline Requirements Self-Assessment by January 31, 2018, or by April 15, 2018 if an extension was requested.
- Update CP/CPS to Comply with version 2.5 of Mozilla’s Root Store Policy – In the November 2017 CA Communication, a number of CAs indicated that their CP/CPS does not yet comply with version 2.5 of the Mozilla Root Store Policy. The deadline for compliance has been extended to April 15, 2018.
- Reduce SSL Certificate Validity Periods to 825 Days or Less by March 1, 2018 – On March 17, 2017, in ballot 193, the CA/Browser Forum set a deadline of March 1, 2018 after which newly-issued SSL certificates must not have a validity period greater than 825 days, and the re-use of validation information must be limited to 825 days.
With this CA Communication, we reiterate that participation in Mozilla’s CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve.
Mozilla Security Team