{"id":2197,"date":"2017-04-04T13:10:17","date_gmt":"2017-04-04T20:10:17","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2197"},"modified":"2017-04-04T13:10:17","modified_gmt":"2017-04-04T20:10:17","slug":"mozilla-releases-version-2-4-ca-certificate-policy","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2017\/04\/04\/mozilla-releases-version-2-4-ca-certificate-policy\/","title":{"rendered":"Mozilla Releases Version 2.4 of CA Certificate Policy"},"content":{"rendered":"<p>Mozilla has released version 2.4.1 of <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/\" target=\"_blank\">Mozilla\u2019s CA Certificate Policy<\/a> and sent a <a href=\"https:\/\/wiki.mozilla.org\/CA:Communications#April_2017\" target=\"_blank\">CA Communication<\/a> to inform <a href=\"https:\/\/wiki.mozilla.org\/CA:FAQ#What_are_CAs.3F\" target=\"_blank\">Certification Authorities (CAs)<\/a> who have root certificates <a href=\"https:\/\/wiki.mozilla.org\/CA:IncludedCAs\" target=\"_blank\">included in Mozilla\u2019s program<\/a> about new program requirements. Mozilla\u2019s CA Certificate Program governs inclusion of root certificates in <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Projects\/NSS\" target=\"_blank\">Network Security Services (NSS)<\/a>, a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. 
The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies and open-source projects in a variety of applications.<\/p>\n<p>The changes of note in <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/\" target=\"_blank\">Mozilla\u2019s CA Certificate Policy<\/a> are as follows:<\/p>\n<ul>\n<li>In addition to audit statements, the CP and CPS documents need to be submitted to Mozilla each year.<\/li>\n<li>As of June 1, 2017, the audit, CP, and CPS documents must be provided in English, translated if necessary.<\/li>\n<li>All submitted documentation must be openly licensed (see the policy for the exact options and terms).<\/li>\n<li>Version 2.4 of Mozilla&#8217;s CA Certificate Policy incorporates by reference the <a href=\"https:\/\/github.com\/mozilla\/pkipolicy\/blob\/2.4.1\/ccadb\/policy.md\" target=\"_blank\">Common CCADB Policy<\/a> and the <a href=\"https:\/\/github.com\/mozilla\/pkipolicy\/blob\/2.4.1\/ccadb\/mozilla.md\" target=\"_blank\">Mozilla CCADB Policy<\/a>.<\/li>\n<li>The new <a href=\"https:\/\/wiki.mozilla.org\/CA:CommonCADatabase\" target=\"_blank\">Common CA Database (CCADB)<\/a> Policy makes official a number of existing expectations regarding the CCADB.<\/li>\n<li>The applicable versions of some audit criteria have been updated.<\/li>\n<li>There are additional requirements on OCSP responses.<\/li>\n<li>64 bits of entropy is required in certificate serial numbers.<\/li>\n<\/ul>\n<p>The differences in <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/\" target=\"_blank\">Mozilla\u2019s CA Certificate Policy<\/a> between <a href=\"https:\/\/github.com\/mozilla\/pkipolicy\/compare\/2.3...2.4\" target=\"_blank\">versions 2.4 and 2.3<\/a> (published December 2016), and between <a href=\"https:\/\/github.com\/mozilla\/pkipolicy\/compare\/2.2...2.4\" target=\"_blank\">versions 
2.4 and 2.2<\/a> (published July 2013) may be viewed on <a href=\"https:\/\/github.com\/mozilla\/pkipolicy\/\" target=\"_blank\">GitHub<\/a>. Version 2.4.1 contains exactly the same normative requirements as version 2.4 but has been completely reorganized.<\/p>\n<p>The <a href=\"https:\/\/wiki.mozilla.org\/CA:Communications#April_2017\" target=\"_blank\">CA Communication<\/a> has been emailed to the <a href=\"https:\/\/wiki.mozilla.org\/CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29\" target=\"_blank\">Primary Point of Contact (POC)<\/a> for each CA in Mozilla\u2019s program, and they have been asked to respond to 14 action items. The full set of action items can be read <a href=\"https:\/\/wiki.mozilla.org\/CA:Communications#April_2017\" target=\"_blank\">here<\/a>. Responses to the survey will be <a href=\"https:\/\/wiki.mozilla.org\/CA:Communications#April_2017_Responses\" target=\"_blank\">automatically and immediately published<\/a> via the Common CA Database.<\/p>\n<p>In addition to responding to the action items, we are informing CAs that we are instituting a program requirement that they follow discussions in the <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/forums\/#dev-security-policy\" target=\"_blank\">mozilla.dev.security.policy<\/a> forum, which includes discussions about upcoming changes to <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/\" target=\"_blank\">Mozilla&#8217;s CA Certificate Policy<\/a>, questions and clarification about policy and expectations, <a href=\"https:\/\/wiki.mozilla.org\/CA\" target=\"_blank\">root certificate inclusion\/change requests<\/a>, and certificates that are found to be non-compliant with the <a href=\"https:\/\/cabforum.org\/baseline-requirements-documents\/\" target=\"_blank\">CA\/Browser Forum&#8217;s Baseline Requirements<\/a> or other program requirements. 
CAs are not required to contribute to those discussions, only to be aware of them. However, we hope CAs will participate and help shape the future of Mozilla&#8217;s CA Certificate Program. <\/p>\n<p>With this <a href=\"https:\/\/wiki.mozilla.org\/CA:Communications#April_2017\" target=\"_blank\">CA Communication<\/a>, we re-iterate that participation in Mozilla\u2019s CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve.<\/p>\n<p>Mozilla Security Team<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mozilla has released version 2.4.1 of Mozilla\u2019s CA Certificate Policy and sent a CA Communication to inform Certification Authorities (CAs) who have root certificates included in Mozilla\u2019s program about new &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2017\/04\/04\/mozilla-releases-version-2-4-ca-certificate-policy\/\">Read more<\/a><\/p>\n","protected":false},"author":581,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[],"yoast_head_json":{"title":"Mozilla Releases Version 2.4 of CA Certificate Policy - Mozilla Security Blog","canonical":"https:\/\/blog.mozilla.org\/security\/2017\/04\/04\/mozilla-releases-version-2-4-ca-certificate-policy\/","twitter_misc":{"Written by":"Kathleen Wilson","Est. reading time":"2 minutes"}}}