{"id":1325,"date":"2013-07-31T08:18:26","date_gmt":"2013-07-31T15:18:26","guid":{"rendered":"http:\/\/blog.mozilla.org\/security\/?p=1325"},"modified":"2016-09-30T02:52:43","modified_gmt":"2016-09-30T09:52:43","slug":"announcing-version-2-2-of-mozillas-ca-certificate-policy","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2013\/07\/31\/announcing-version-2-2-of-mozillas-ca-certificate-policy\/","title":{"rendered":"Announcing Version 2.2 of Mozilla&#8217;s CA Certificate Policy"},"content":{"rendered":"<p>Mozilla released version 2.2 of the <a title=\"Mozilla CA Certificate Policy\" href=\"http:\/\/www.mozilla.org\/projects\/security\/certs\/policy\/\" target=\"_blank\">Mozilla CA Certificate Policy<\/a> and sent a <a title=\"CA Communication\" href=\"https:\/\/wiki.mozilla.org\/CA:Communications\" target=\"_blank\">CA Communication<\/a> to inform CAs of the changes. This update and communication was motivated by security concerns regarding <a title=\"ICANN New gTLDs\" href=\"http:\/\/newgtlds.icann.org\/\" target=\"_blank\">ICANN granting applied-for new gTLD strings.<\/a> This policy update also emphasizes that there will be serious consequences if it is found that a CA has knowingly or intentionally mis-issued certificates chaining to trust anchors in Mozilla\u2019s program.<\/p>\n<p>Mozilla\u2019s CA Certificate Program governs inclusion of root certificates in <a title=\"NSS\" href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/NSS\" target=\"_blank\">Network Security Services (NSS),<\/a> a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. 
The NSS root certificate store is used not only in Mozilla products such as the Firefox browser, but also by other companies in a variety of applications.<\/p>\n<p><a title=\"About Mozilla CA Certificate Policy Version 2.2\" href=\"https:\/\/wiki.mozilla.org\/CA:CertificatePolicyV2.2\" target=\"_blank\">Version 2.2 of Mozilla\u2019s CA Certificate Policy<\/a> requires CAs who issue publicly trusted SSL certificates to comply with version 1.1.5 of the <a title=\"CA\/Browser Forum\" href=\"https:\/\/www.cabforum.org\/documents.html\" target=\"_blank\">CA\/Browser Forum\u2019s Baseline Requirements.<\/a> In particular, Mozilla\u2019s CA Communication requests that CAs update their operations and policies to include the CA\/Browser Forum\u2019s Baseline Requirement #11.1.4 regarding new gTLD domains, and subscribe to <a title=\"ICANN's new gTLD mailing list\" href=\"https:\/\/mm.icann.org\/mailman\/listinfo\/gtldnotification\" target=\"_blank\">ICANN\u2019s new gTLD Registry Agreement notification mailing list.<\/a><\/p>\n<p>The <a title=\"Mozilla's CA Certificate Enforcement Policy\" href=\"http:\/\/www.mozilla.org\/projects\/security\/certs\/policy\/EnforcementPolicy.html\" target=\"_blank\">Enforcement section<\/a> of version 2.2 of Mozilla\u2019s CA Certificate Policy was updated to address a specific concern that CAs may be compelled (e.g. by a government) to mis-issue one or more certificates. 
While Mozilla\u2019s policy already states that Mozilla may take any steps we deem appropriate to protect our users, the additional policy clarifies that knowingly or intentionally mis-issuing a certificate may result in disablement or removal of all of the CA&#8217;s certificates from Mozilla&#8217;s products.<\/p>\n<p>In the <a title=\"CA Communication\" href=\"https:\/\/wiki.mozilla.org\/CA:Communications\" target=\"_blank\">CA Communication<\/a> Mozilla announced an effort to <a title=\"Improving Revocation Checking\" href=\"https:\/\/wiki.mozilla.org\/CA:ImprovingRevocation\" target=\"_blank\">improve how revocation checking is handled in Firefox,<\/a> and encouraged CAs to start participating in this effort now by sending Mozilla previously revoked intermediate certificates to be included in a revocation list push mechanism that is in development.<\/p>\n<p>With this <a title=\"About Mozilla CA Certificate Policy Version 2.2\" href=\"https:\/\/wiki.mozilla.org\/CA:CertificatePolicyV2.2\" target=\"_blank\">policy update<\/a> and <a title=\"CA Communication\" href=\"https:\/\/wiki.mozilla.org\/CA:Communications\" target=\"_blank\">CA Communication,<\/a> we re-iterate our belief that each CA who is included in Mozilla\u2019s program is ultimately accountable for every certificate it issues, directly or through its subordinate CAs. Participation in Mozilla\u2019s CA program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe, up to and including the removal of root certificates that mis-issue, as well as any roots that cross-sign them. Nevertheless, we believe that security is best served when browsers and CAs can work together; we hope that frank communication and clear expectations can resolve these issues before any such action is required. We must also be diligent in looking for new ways to improve the security systems of the web. 
Those systems are built on the trust of web users, and we all have a responsibility to be strong stewards of that trust.<\/p>\n<p>Mozilla Security Team<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mozilla released version 2.2 of the Mozilla CA Certificate Policy and sent a CA Communication to inform CAs of the changes. This update and communication was motivated by security concerns &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2013\/07\/31\/announcing-version-2-2-of-mozillas-ca-certificate-policy\/\">Read more<\/a><\/p>\n","protected":false},"author":581,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45538,69],"tags":[],"coauthors":[45544],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Announcing Version 2.2 of Mozilla&#039;s CA Certificate Policy - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2013\/07\/31\/announcing-version-2-2-of-mozillas-ca-certificate-policy\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kathleen Wilson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/07\/31\/announcing-version-2-2-of-mozillas-ca-certificate-policy\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2013\/07\/31\/announcing-version-2-2-of-mozillas-ca-certificate-policy\/\",\"name\":\"Announcing Version 2.2 of Mozilla's CA Certificate Policy - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2013-07-31T15:18:26+00:00\",\"dateModified\":\"2016-09-30T09:52:43+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/07\/31\/announcing-version-2-2-of-mozillas-ca-certificate-policy\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2013\/07\/31\/announcing-version-2-2-of-mozillas-ca-certificate-policy\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/07\/31\/announcing-version-2-2-of-mozillas-ca-certificate-policy\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Announcing Version 2.2 of Mozilla&#8217;s CA Certificate Policy\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063\",\"name\":\"Kathleen Wilson\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/8d4547801f543f8990aecbcfc9c18eca\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g\",\"caption\":\"Kathleen Wilson\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1325"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/581"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=1325"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1325\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=1325"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=1325"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=1325"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=1325"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}