{"id":1681,"date":"2014-05-13T15:27:11","date_gmt":"2014-05-13T22:27:11","guid":{"rendered":"http:\/\/blog.mozilla.org\/security\/?p=1681"},"modified":"2016-09-30T02:52:00","modified_gmt":"2016-09-30T09:52:00","slug":"checking-compliance-status-with-updated-ca-certificate-policy","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2014\/05\/13\/checking-compliance-status-with-updated-ca-certificate-policy\/","title":{"rendered":"Checking Compliance Status with Updated CA Certificate Policy"},"content":{"rendered":"<p>In early 2013 Mozilla released <a title=\"Version 2.1 of CA Policy\" href=\"https:\/\/blog.mozilla.org\/security\/2013\/02\/15\/announcing-version-2-1-of-mozilla-ca-certificate-policy\/\" target=\"_blank\">version 2.1<\/a> of <a title=\"Mozilla's CA Certificate Policy\" href=\"http:\/\/www.mozilla.org\/about\/governance\/policies\/security-group\/certs\/policy\/\" target=\"_blank\">Mozilla&#8217;s CA Certificate Policy<\/a>, which added a requirement for either the technical constraint or the audit of subordinate CA certificates, and requires CAs who issue SSL certificates to comply with the <a title=\"Baseline Requirements\" href=\"https:\/\/cabforum.org\/about-the-baseline-requirements\/\" target=\"_blank\">CA\/Browser Forum Baseline Requirements<\/a>. Then, in July, we updated Mozilla\u2019s CA Certificate <a title=\"Mozilla's CA Enforcement Policy\" href=\"http:\/\/www.mozilla.org\/about\/governance\/policies\/security-group\/certs\/policy\/enforcement\/\" target=\"_blank\">Enforcement Policy<\/a> to make it clear that Mozilla will not tolerate misuse of publicly trusted certificates. CAs were given a <a title=\"Grace Periods\" href=\"https:\/\/wiki.mozilla.org\/CA:CertificatePolicyV2.1\" target=\"_blank\">grace period<\/a> of just over one year to comply with the changes introduced in version 2.1 of the policy. 
So, today we sent an email to all Certificate Authorities (CAs) in Mozilla\u2019s CA program to check on their progress.<\/p>\n<p>The communication includes the following 5 action items for CAs.<\/p>\n<ol>\n<li>Ensure that Mozilla\u2019s <a title=\"Mozilla's Included CAs\" href=\"http:\/\/www.mozilla.org\/about\/governance\/policies\/security-group\/certs\/included\/\" target=\"_blank\">spreadsheet of included root certificates<\/a> has the correct link to your most recent audit statement, and that the date of the audit statement is correct.<\/li>\n<li>Send Mozilla the link to your most recent Baseline Requirements audit statement.<\/li>\n<li>Test Mozilla&#8217;s <a title=\"mozilla::pkix Announcement\" href=\"https:\/\/blog.mozilla.org\/security\/2014\/04\/24\/exciting-updates-to-certificate-verification-in-gecko\/\" target=\"_blank\">new Certificate Verification library<\/a> with your CA hierarchies and inform your customers of the upcoming changes as needed.<\/li>\n<li>Check your certificate issuance to confirm that no new certificates will be issued with the problems listed <a title=\"Things for CAs to Fix\" href=\"https:\/\/wiki.mozilla.org\/SecurityEngineering\/mozpkix-testing#Things_for_CAs_to_Fix\" target=\"_blank\">here<\/a>.<\/li>\n<li>Send Mozilla information about your publicly disclosed subordinate CA certificates that chain up to certificates in Mozilla&#8217;s CA program, as per Items #8, 9, and 10 of Mozilla&#8217;s CA Certificate <a title=\"Mozilla's CA Inclusion Policy\" href=\"http:\/\/www.mozilla.org\/about\/governance\/policies\/security-group\/certs\/policy\/inclusion\/\" target=\"_blank\">Inclusion Policy<\/a>.<\/li>\n<\/ol>\n<p>The full CA Communication is available <a title=\"CA Communication\" href=\"https:\/\/wiki.mozilla.org\/CA:Communications#May_13.2C_2014\" target=\"_blank\">here<\/a>, and responses will be tabulated <a title=\"CA Responses, May 2014\" href=\"https:\/\/wiki.mozilla.org\/CA:Communications#May_2014_Responses\" 
target=\"_blank\">here<\/a>.<\/p>\n<p>We closed the communication by re-iterating that participation in Mozilla&#8217;s CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve.<\/p>\n<p>Mozilla Security Engineering Team<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In early 2013 Mozilla released version 2.1 of Mozilla&#8217;s CA Certificate Policy, which added a requirement for either the technical constraint or the audit of subordinate CA certificates, and requires &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2014\/05\/13\/checking-compliance-status-with-updated-ca-certificate-policy\/\">Read more<\/a><\/p>\n","protected":false},"author":581,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45538,69],"tags":[],"coauthors":[45544],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Checking Compliance Status with Updated CA Certificate Policy - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2014\/05\/13\/checking-compliance-status-with-updated-ca-certificate-policy\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kathleen Wilson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2014\/05\/13\/checking-compliance-status-with-updated-ca-certificate-policy\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2014\/05\/13\/checking-compliance-status-with-updated-ca-certificate-policy\/\",\"name\":\"Checking Compliance Status with Updated CA Certificate Policy - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2014-05-13T22:27:11+00:00\",\"dateModified\":\"2016-09-30T09:52:00+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2014\/05\/13\/checking-compliance-status-with-updated-ca-certificate-policy\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2014\/05\/13\/checking-compliance-status-with-updated-ca-certificate-policy\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2014\/05\/13\/checking-compliance-status-with-updated-ca-certificate-policy\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Checking Compliance Status with Updated CA Certificate Policy\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security 
Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063\",\"name\":\"Kathleen Wilson\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/8d4547801f543f8990aecbcfc9c18eca\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g\",\"caption\":\"Kathleen Wilson\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1681"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/581"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=1681"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1681\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=1681"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=1681"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=1681"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=1681"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}