{"id":2331,"date":"2018-07-02T09:00:19","date_gmt":"2018-07-02T16:00:19","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2331"},"modified":"2019-07-25T13:48:29","modified_gmt":"2019-07-25T20:48:29","slug":"root-store-policy-updated","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2018\/07\/02\/root-store-policy-updated\/","title":{"rendered":"Root Store Policy Updated"},"content":{"rendered":"<p>After several months of discussion on the <a href=\"https:\/\/lists.mozilla.org\/listinfo\/dev-security-policy\">mozilla.dev.security.policy mailing list<\/a>, our <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/\">Root Store Policy<\/a> governing Certification Authorities (CAs) that are trusted in Mozilla products has been updated. Version 2.6 has an effective date of July 1st, 2018.<\/p>\n<p>More than one dozen <a href=\"https:\/\/github.com\/mozilla\/pkipolicy\/issues?&amp;q=label%3A2.6+\">issues<\/a> were addressed in this update, including the following changes:<\/p>\n<ul>\n<li>Section 2.2 \u201cValidation Practices\u201d now requires CAs with the email trust bit to clearly disclose their email address validation methods in their CP\/CPS.<\/li>\n<li>The use of IP Address validation methods defined by the CA has been banned in certain circumstances.<\/li>\n<li>Methods used for IP Address validation must now be clearly specified in the CA\u2019s CP\/CPS.<\/li>\n<li>Section 3.1 \u201cAudits\u201d increases the WebTrust EV minimum version to 1.6.0 and removes ETSI TS 102 042 and 101 456 from the list of acceptable audit schemes in favor of EN 319 411.<\/li>\n<li>Section 3.1.4 \u201cPublic Audit Information\u201d formalizes the requirement for an English language version of the audit statement supplied by the Auditor.<\/li>\n<li>Section 5.2 \u201cForbidden and Required Practices\u201d moves the <a 
href=\"https:\/\/wiki.mozilla.org\/CA\/Forbidden_or_Problematic_Practices#Distributing_Generated_Private_Keys_in_PKCS.2312_Files\">existing<\/a> ban on CA key pair generation for SSL certificates into our policy.<\/li>\n<li>After January 1, 2019, CAs will be required to create separate intermediate certificates for issuing SSL and S\/MIME certificates. Newly issued Intermediate certificates will need to be restricted with an EKU extension that doesn\u2019t contain anyExtendedKeyUsage, or both serverAuth and emailProtection. Intermediate certificates issued prior to 2019 that do not comply with this requirement may continue to be used to issue new end-entity certificates.<\/li>\n<li>Section 5.3.2 \u201cPublicly Disclosed and Audited\u201d clarifies that Mozilla expects newly issued intermediate certificates to be included on the CA\u2019s next periodic audit report. As long as the CA has current audits, no special audit is required when issuing a new intermediate. This matches the requirements in the <a href=\"https:\/\/cabforum.org\/baseline-requirements-documents\/\">CA\/Browser Forum\u2019s Baseline Requirements<\/a> (BR) section 8.1.<\/li>\n<li>Section 7.1 \u201cInclusions\u201d adds a requirement that roots being added to Mozilla\u2019s program must have complied with Mozilla\u2019s Root Store Policy from the time that they were created. This effectively means that roots in existence prior to 2014 that did not receive BR audits after 2013 are not eligible for inclusion in Mozilla\u2019s program. 
Roots with documented BR violations may also be excluded from Mozilla\u2019s root store under this policy.<\/li>\n<li>Section 8 \u201cCA Operational Changes\u201d now requires notification when an intermediate CA certificate is transferred to a third party.<\/li>\n<\/ul>\n<p>A comparison of all the policy changes is available <a href=\"https:\/\/github.com\/mozilla\/pkipolicy\/compare\/2.5...2.6\">here<\/a>.<\/p>\n","protected":false},"author":1574,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45538,69],"tags":[],"coauthors":[320076],"yoast_head_json":{"title":"Root Store Policy Updated - Mozilla Security Blog","canonical":"https:\/\/blog.mozilla.org\/security\/2018\/07\/02\/root-store-policy-updated\/","twitter_misc":{"Written by":"Wayne Thayer","Est. reading time":"2 minutes"}}}