{"id":2234,"date":"2017-09-07T15:07:33","date_gmt":"2017-09-07T22:07:33","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2234"},"modified":"2017-09-07T15:07:33","modified_gmt":"2017-09-07T22:07:33","slug":"mozilla-releases-version-2-5-root-store-policy","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2017\/09\/07\/mozilla-releases-version-2-5-root-store-policy\/","title":{"rendered":"Mozilla Releases Version 2.5 of Root Store Policy"},"content":{"rendered":"<p>Recently, Mozilla released version 2.5 of our <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/\" target=\"_blank\">Root Store Policy<\/a>, which continues our efforts to improve standards and reinforce public trust in the security of the Web. We are grateful to all those in the security and Certificate Authority (CA) communities who contributed constructively to the discussions surrounding the new provisions.<\/p>\n<p>The changes of greatest note in version 2.5 of our Root Store Policy are as follows:<\/p>\n<ul>\n<li>CAs are required to follow industry best practice for securing their networks, for example by conforming to the CA\/Browser Forum\u2019s <a href=\"https:\/\/cabforum.org\/network-security\/\" target=\"_blank\">Network Security Guidelines<\/a> or a successor document.<\/li>\n<li>CAs are required to use only those methods of domain ownership validation which are specifically documented in the CA\/Browser Forum\u2019s <a href=\"https:\/\/cabforum.org\/wp-content\/uploads\/CA-Browser-Forum-BR-1.4.1.pdf\" target=\"_blank\">Baseline Requirements version 1.4.1<\/a>.<\/li>\n<li>Additional requirements were added for intermediate certificates that are used to sign certificates for S\/MIME. 
In particular, such intermediate certificates must be name constrained in order to be considered technically-constrained and exempt from being audited and disclosed on the <a href=\"http:\/\/ccadb.org\/\" target=\"_blank\">Common CA Database<\/a>. <\/li>\n<li>Clarified that point-in-time audit statements do not replace the required period-of-time assessments. Mozilla continues to require full-surveillance period-of-time audits that must be conducted annually, and successive audit periods must be contiguous.<\/li>\n<li>Clarified the information that must be provided in each audit statement, including the distinguished name and SHA-256 fingerprint for each root and intermediate certificate in scope of the audit.<\/li>\n<li>CAs are required to follow and be aware of discussions in the <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/forums\/#dev-security-policy\" target=\"_blank\">mozilla.dev.security.policy forum<\/a>, where Mozilla&#8217;s root program is coordinated, although they are not required to participate. <\/li>\n<li>CAs are required at all times to operate in accordance with the applicable Certificate Policy (CP) and Certificate Practice Statement (CPS) documents, which must be reviewed and updated at least once every year.<\/li>\n<li>Our policy on root certificates being transferred from one organization or location to another has been updated and included in the main policy. Trust is not transferable; Mozilla will not automatically trust the purchaser of a root certificate to the level it trusted the previous owner.<\/li>\n<\/ul>\n<p>The differences between versions <a href=\"https:\/\/github.com\/mozilla\/pkipolicy\/compare\/2.4.1...2.5\" target=\"_blank\">2.5 and 2.4.1<\/a> may be viewed on <a href=\"https:\/\/github.com\/mozilla\/pkipolicy\/\" target=\"_blank\">GitHub<\/a>. 
(Version 2.4.1 contained exactly the same normative requirements as <a href=\"https:\/\/blog.mozilla.org\/security\/2017\/04\/04\/mozilla-releases-version-2-4-ca-certificate-policy\/\" target=\"_blank\">version 2.4<\/a> but was completely reorganized.)<\/p>\n<p>As always, we re-iterate that participation in <a href=\"https:\/\/wiki.mozilla.org\/CA\" target=\"_blank\">Mozilla\u2019s CA Certificate Program<\/a> is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve.<\/p>\n<p>Mozilla Security Team<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently, Mozilla released version 2.5 of our Root Store Policy, which continues our efforts to improve standards and reinforce public trust in the security of the Web. We are grateful &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2017\/09\/07\/mozilla-releases-version-2-5-root-store-policy\/\">Read more<\/a><\/p>\n","protected":false},"author":581,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Mozilla Releases Version 2.5 of Root Store Policy - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2017\/09\/07\/mozilla-releases-version-2-5-root-store-policy\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kathleen Wilson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2017\/09\/07\/mozilla-releases-version-2-5-root-store-policy\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2017\/09\/07\/mozilla-releases-version-2-5-root-store-policy\/\",\"name\":\"Mozilla Releases Version 2.5 of Root Store Policy - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2017-09-07T22:07:33+00:00\",\"dateModified\":\"2017-09-07T22:07:33+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2017\/09\/07\/mozilla-releases-version-2-5-root-store-policy\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2017\/09\/07\/mozilla-releases-version-2-5-root-store-policy\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2017\/09\/07\/mozilla-releases-version-2-5-root-store-policy\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Mozilla Releases Version 2.5 of Root Store Policy\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063\",\"name\":\"Kathleen Wilson\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/8d4547801f543f8990aecbcfc9c18eca\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g\",\"caption\":\"Kathleen Wilson\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Mozilla Releases Version 2.5 of Root Store Policy - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2017\/09\/07\/mozilla-releases-version-2-5-root-store-policy\/","twitter_misc":{"Written by":"Kathleen Wilson","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2017\/09\/07\/mozilla-releases-version-2-5-root-store-policy\/","url":"https:\/\/blog.mozilla.org\/security\/2017\/09\/07\/mozilla-releases-version-2-5-root-store-policy\/","name":"Mozilla Releases Version 2.5 of Root Store Policy - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2017-09-07T22:07:33+00:00","dateModified":"2017-09-07T22:07:33+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2017\/09\/07\/mozilla-releases-version-2-5-root-store-policy\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2017\/09\/07\/mozilla-releases-version-2-5-root-store-policy\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2017\/09\/07\/mozilla-releases-version-2-5-root-store-policy\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Mozilla Releases Version 2.5 of Root Store Policy"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063","name":"Kathleen 
Wilson","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/8d4547801f543f8990aecbcfc9c18eca","url":"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g","caption":"Kathleen Wilson"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2234"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/581"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2234"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2234\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2234"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}