Mozilla has sent a CA Communication to inform Certificate Authorities (CAs) who have root certificates included in Mozilla’s program about current events relevant to their membership in our program and to remind them of upcoming deadlines. This CA Communication has been emailed to the Primary Point of Contact (POC) and an email alias for each CA in Mozilla’s program, and they have been asked to respond to the following 7 action items:
- Read and fully comply with version 2.7 of Mozilla’s Root Store Policy.
- Ensure that their CP and CPS complies with the updated policy section 3.3 requiring the proper use of “No Stipulation” and mapping of policy documents to CA certificates.
- Confirm their intent to comply with section 5.2 of Mozilla’s Root Store Policy requiring that new end-entity certificates include an EKU extension expressing their intended usage.
- Verify that their audit statements meet Mozilla’s formatting requirements that facilitate automated processing.
- Resolve issues with audits for intermediate CA certificates that have been identified by the automated audit report validation system.
- Confirm awareness of Mozilla’s Incident Reporting requirements and the intent to provide good incident reports.
- Confirm compliance with the current version of the CA/Browser Forum Baseline Requirements.
With this CA Communication, we reiterate that participation in Mozilla’s CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve.