{"id":2265,"date":"2017-11-16T12:46:33","date_gmt":"2017-11-16T20:46:33","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2265"},"modified":"2017-11-16T12:46:33","modified_gmt":"2017-11-16T20:46:33","slug":"november-2017-ca-communication","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2017\/11\/16\/november-2017-ca-communication\/","title":{"rendered":"November 2017 CA Communication"},"content":{"rendered":"<p>Mozilla has sent a <a href=\"https:\/\/wiki.mozilla.org\/CA\/Communications#November_2017_CA_Communication\" rel=\"noopener\" target=\"_blank\">CA Communication<\/a> to inform <a href=\"https:\/\/en.wikipedia.org\/wiki\/Certificate_authority\" rel=\"noopener\" target=\"_blank\">Certificate Authorities (CAs)<\/a> who have root certificates <a href=\"https:\/\/wiki.mozilla.org\/CA\/Included_Certificates\" rel=\"noopener\" target=\"_blank\">included in Mozilla\u2019s program<\/a> about Mozilla\u2019s expectations regarding version 2.5 of <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/\" rel=\"noopener\" target=\"_blank\">Mozilla\u2019s Root Store Policy<\/a>, annual CA updates, and actions the CAs need to take. 
This CA Communication has been emailed to the <a href=\"https:\/\/wiki.mozilla.org\/CA\/Information_Checklist#CA_Primary_Point_of_Contact_.28POC.29\" rel=\"noopener\" target=\"_blank\">Primary Point of Contact (POC)<\/a> and an <a href=\"http:\/\/ccadb.org\/policy#2-contact-information\" rel=\"noopener\" target=\"_blank\">email alias<\/a> for <a href=\"https:\/\/wiki.mozilla.org\/CA\/Included_CAs\" rel=\"noopener\" target=\"_blank\">each CA in Mozilla\u2019s program<\/a>, and they have been asked to respond to the following 8 action items:<\/p>\n<ol>\n<li>Review version 2.5 of <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/\" rel=\"noopener\" target=\"_blank\">Mozilla&#8217;s Root Store Policy<\/a>, and update the CA\u2019s CP\/CPS documents as needed to become fully compliant.\n<\/li>\n<li>Confirm understanding that non-technically-constrained intermediate certificates must be <a href=\"http:\/\/ccadb.org\/cas\/intermediates\" rel=\"noopener\" target=\"_blank\">disclosed in the Common CA Database (CCADB)<\/a> within one week of creation, and of new requirements for <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/#technically-constrained\" rel=\"noopener\" target=\"_blank\">technical constraints on intermediate certificates issuing S\/MIME certificates<\/a>.\n<\/li>\n<li>Confirm understanding that annual updates (audits, CP, CPS, test websites) are to be provided via <a href=\"http:\/\/ccadb.org\/cas\/updates\" rel=\"noopener\" target=\"_blank\">Audit Cases in the CCADB<\/a>.\n<\/li>\n<li>Confirm understanding that audit statements that are not in English and do not contain all of the <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/#public-audit-information\" rel=\"noopener\" target=\"_blank\">required information<\/a> will be rejected by Mozilla, and may result in the CA\u2019s root certificate(s) 
being removed from our program.\n<\/li>\n<li>Perform a <a href=\"https:\/\/wiki.mozilla.org\/CA\/BR_Self-Assessment\" rel=\"noopener\" target=\"_blank\">BR Self Assessment<\/a> and send it to Mozilla. This self assessment must cover the CA Hierarchies (and all of the corresponding CP\/CPS documents) that chain up to their CA&#8217;s root certificates that are <a href=\"https:\/\/wiki.mozilla.org\/CA\/Included_Certificates\" rel=\"noopener\" target=\"_blank\">included in Mozilla&#8217;s root store<\/a> and enabled for server authentication (Websites trust bit).\n<\/li>\n<li>Provide a tested email address for the CA\u2019s <a href=\"https:\/\/ccadb-public.secure.force.com\/mozilla\/CAInformationReport\" rel=\"noopener\" target=\"_blank\">Problem Reporting Mechanism<\/a>.\n<\/li>\n<li>Follow new developments and effective dates for <a href=\"https:\/\/tools.ietf.org\/html\/rfc6844\" rel=\"noopener\" target=\"_blank\">Certification Authority Authorization (CAA)<\/a>.\n<\/li>\n<li>Check <a href=\"https:\/\/groups.google.com\/d\/msg\/mozilla.dev.security.policy\/4kj8Jeem0EU\/GvqsgIzSAAAJ\" rel=\"noopener\" target=\"_blank\">issuance of certs to .tg domains<\/a> between October 25 and November 11, 2017.\n<\/li>\n<\/ol>\n<p>The full action items can be read <a href=\"https:\/\/wiki.mozilla.org\/CA\/Communications#November_2017_CA_Communication\" rel=\"noopener\" target=\"_blank\">here<\/a>. Responses to the survey will be automatically and immediately <a href=\"https:\/\/wiki.mozilla.org\/CA\/Communications#November_2017_Responses\" rel=\"noopener\" target=\"_blank\">published by the CCADB<\/a>.<\/p>\n<p>With this CA Communication, we reiterate that participation in Mozilla\u2019s CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. 
Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve.<\/p>\n<p>Mozilla Security Team<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mozilla has sent a CA Communication to inform Certificate Authorities (CAs) who have root certificates included in Mozilla\u2019s program about Mozilla\u2019s expectations regarding version 2.5 of Mozilla\u2019s Root Store Policy, &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2017\/11\/16\/november-2017-ca-communication\/\">Read more<\/a><\/p>\n","protected":false},"author":581,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>November 2017 CA Communication - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2017\/11\/16\/november-2017-ca-communication\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kathleen Wilson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2017\/11\/16\/november-2017-ca-communication\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2017\/11\/16\/november-2017-ca-communication\/\",\"name\":\"November 2017 CA Communication - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2017-11-16T20:46:33+00:00\",\"dateModified\":\"2017-11-16T20:46:33+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2017\/11\/16\/november-2017-ca-communication\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2017\/11\/16\/november-2017-ca-communication\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2017\/11\/16\/november-2017-ca-communication\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"November 2017 CA Communication\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063\",\"name\":\"Kathleen Wilson\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/8d4547801f543f8990aecbcfc9c18eca\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g\",\"caption\":\"Kathleen Wilson\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"November 2017 CA Communication - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2017\/11\/16\/november-2017-ca-communication\/","twitter_misc":{"Written by":"Kathleen Wilson","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2017\/11\/16\/november-2017-ca-communication\/","url":"https:\/\/blog.mozilla.org\/security\/2017\/11\/16\/november-2017-ca-communication\/","name":"November 2017 CA Communication - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2017-11-16T20:46:33+00:00","dateModified":"2017-11-16T20:46:33+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2017\/11\/16\/november-2017-ca-communication\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2017\/11\/16\/november-2017-ca-communication\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2017\/11\/16\/november-2017-ca-communication\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"November 2017 CA Communication"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063","name":"Kathleen 
Wilson","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/8d4547801f543f8990aecbcfc9c18eca","url":"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g","caption":"Kathleen Wilson"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2265"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/581"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2265"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2265\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2265"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2265"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2265"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2265"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}