{"id":2733,"date":"2021-04-26T12:00:45","date_gmt":"2021-04-26T19:00:45","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2733"},"modified":"2021-04-26T12:59:02","modified_gmt":"2021-04-26T19:59:02","slug":"mrsp-v-2-7-1","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2021\/04\/26\/mrsp-v-2-7-1\/","title":{"rendered":"Upgrading Mozilla\u2019s Root Store Policy to Version 2.7.1"},"content":{"rendered":"<p>Individuals\u2019 security and privacy on the internet are fundamental. Living up to that principle we are announcing the following changes to <a href=\"https:\/\/www.mozilla.org\/projects\/security\/certs\/policy\/\">Mozilla\u2019s Root Store Policy<\/a> (MRSP) which will come into effect on May 1, 2021.<\/p>\n<p>These updates to the Root Store Policy will not only improve our compliance monitoring, but also improve Certificate Authority (CA) practices and reduce the number of errors that CAs make when they issue new certificates. As a result, these updates contribute to a healthy security ecosystem on the internet and will enhance security and privacy to all internet users.<\/p>\n<p>Living up to our mission and truly working in the open source community has led, after <a href=\"https:\/\/groups.google.com\/g\/mozilla.dev.security.policy\/search?q=%22policy%202.7.1%22\">weeks of public exchange<\/a>, to the following\u00a0<a href=\"https:\/\/github.com\/mozilla\/pkipolicy\/issues?q=is%3Aclosed+label%3A2.7.1+\">improvements to the MRSP<\/a>. Please find a detailed comparison of the policy changes <a href=\"https:\/\/github.com\/mozilla\/pkipolicy\/pull\/223\/files\">here<\/a> &#8211; summing it up:<\/p>\n<ul>\n<li aria-level=\"1\">Beginning on October 1, 2021, CAs must verify domain names and IP addresses within 398 days prior to certificate issuance. (<a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/#21-ca-operations\">MRSP \u00a7 2.1<\/a>)<\/li>\n<li aria-level=\"1\">Clarified that EV audits are required for root and intermediate certificates that are <a href=\"https:\/\/wiki.mozilla.org\/CA\/EV_Processing_for_CAs#EV_TLS_Capable\">capable of issuing EV certificates<\/a>, rather than being based on CA intentions. \u00a0(<a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/#312-required-audits\">MRSP \u00a7 3.1.2<\/a>)<\/li>\n<li aria-level=\"1\">Clearly specified that annual audit statements are required &#8220;cradle-to-grave&#8221; &#8211; from CA key pair generation until the root certificate is no longer trusted by Mozilla\u2019s root store. (<a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/#313-audit-parameters\">MRSP \u00a7 3.1.3<\/a>)<\/li>\n<li aria-level=\"1\">Added a requirement that <a href=\"https:\/\/wiki.mozilla.org\/CA\/Audit_Statements#Auditor_Qualifications\">audit team qualifications<\/a> be provided when audit statements are provided. (<a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/#32-auditors\">MRSP \u00a7 3.2<\/a>)<\/li>\n<li aria-level=\"1\">Specified that Audit Reports must now include a list of <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/#24-incidents\">incidents<\/a>, and also indicate which <a href=\"https:\/\/wiki.mozilla.org\/CA\/Audit_Statements#Audited_Locations\">CA locations were and were not audited<\/a> (<a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/#314-public-audit-information\">MRSP \u00a7 3.1.4<\/a> items 11 and 12).<\/li>\n<li aria-level=\"1\">Clarified when a certificate is deemed to directly or transitively chain to a CA certificate included in Mozilla\u2019s program, which affects when the CA must provide audit statements for the certificate. (<a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/#53-intermediate-certificates\">MRSP \u00a7 5.3<\/a>)<\/li>\n<li aria-level=\"1\">Added a requirement that Section 4.9.12 of a CA&#8217;s CP\/CPS MUST clearly specify the methods that may be used to demonstrate private key compromise. (<a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/#6-revocation\">MRSP \u00a7 6<\/a>)<\/li>\n<\/ul>\n<p>Many of these changes will result in updates and improvements in the processes of CAs and auditors and cause them to revise their practices. To ease transition, Mozilla has sent a<a href=\"https:\/\/wiki.mozilla.org\/CA\/Communications\"> CA Communication<\/a> to alert CAs about these changes. We also sent CAs a survey asking them to indicate when they will be able to reach full compliance with this version of the MRSP.<\/p>\n<p>In summary, updating the Root Store Policy improves the security ecosystem on the internet and the quality of every <a href=\"https:\/\/en.wikipedia.org\/wiki\/HTTPS\">HTTPS<\/a> connection, thus helping to keep your information private and secure.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Individuals\u2019 security and privacy on the internet are fundamental. Living up to that principle we are announcing the following changes to Mozilla\u2019s Root Store Policy (MRSP) which will come into &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2021\/04\/26\/mrsp-v-2-7-1\/\">Read more<\/a><\/p>\n","protected":false},"author":1800,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45538,69],"tags":[45506,45515,45514],"coauthors":[452979],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Upgrading Mozilla\u2019s Root Store Policy to Version 2.7.1 - Mozilla Security Blog<\/title>\n<meta name=\"description\" content=\"Mozilla has amended its Root Store Policy with CA requirements that improve the security and privacy of Firefox users.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2021\/04\/26\/mrsp-v-2-7-1\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ben Wilson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/04\/26\/mrsp-v-2-7-1\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2021\/04\/26\/mrsp-v-2-7-1\/\",\"name\":\"Upgrading Mozilla\u2019s Root Store Policy to Version 2.7.1 - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2021-04-26T19:00:45+00:00\",\"dateModified\":\"2021-04-26T19:59:02+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/567811235606b64dd0f242f33d73296e\"},\"description\":\"Mozilla has amended its Root Store Policy with CA requirements that improve the security and privacy of Firefox users.\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/04\/26\/mrsp-v-2-7-1\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2021\/04\/26\/mrsp-v-2-7-1\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/04\/26\/mrsp-v-2-7-1\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Upgrading Mozilla\u2019s Root Store Policy to Version 2.7.1\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/567811235606b64dd0f242f33d73296e\",\"name\":\"Ben Wilson\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/41743ae2317d18057bd67baef8923420\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/01529deaafc1a9fb5aa0a376a7bea560?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/01529deaafc1a9fb5aa0a376a7bea560?s=96&d=identicon&r=g\",\"caption\":\"Ben Wilson\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Upgrading Mozilla\u2019s Root Store Policy to Version 2.7.1 - Mozilla Security Blog","description":"Mozilla has amended its Root Store Policy with CA requirements that improve the security and privacy of Firefox users.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2021\/04\/26\/mrsp-v-2-7-1\/","twitter_misc":{"Written by":"Ben Wilson","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2021\/04\/26\/mrsp-v-2-7-1\/","url":"https:\/\/blog.mozilla.org\/security\/2021\/04\/26\/mrsp-v-2-7-1\/","name":"Upgrading Mozilla\u2019s Root Store Policy to Version 2.7.1 - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2021-04-26T19:00:45+00:00","dateModified":"2021-04-26T19:59:02+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/567811235606b64dd0f242f33d73296e"},"description":"Mozilla has amended its Root Store Policy with CA requirements that improve the security and privacy of Firefox users.","breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2021\/04\/26\/mrsp-v-2-7-1\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2021\/04\/26\/mrsp-v-2-7-1\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2021\/04\/26\/mrsp-v-2-7-1\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Upgrading Mozilla\u2019s Root Store Policy to Version 2.7.1"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/567811235606b64dd0f242f33d73296e","name":"Ben Wilson","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/41743ae2317d18057bd67baef8923420","url":"https:\/\/secure.gravatar.com\/avatar\/01529deaafc1a9fb5aa0a376a7bea560?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/01529deaafc1a9fb5aa0a376a7bea560?s=96&d=identicon&r=g","caption":"Ben Wilson"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2733"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1800"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2733"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2733\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2733"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2733"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2733"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2733"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}