All,
Independent from the issues actually discussed I have a general concern.
Mozilla sent a communication to all rootCAs which includes a couple of clear requirements. A lot of them were either discussed longish in public or announced in some other way (e.g. recommended practice).
There are CAs spending time and effort following (or even participating) the discussions and the vendor's root programs. From my perspective a included rootCA should at least have a look at this regularly (AFAIK this is already a requirement of Mozilla's program).
I can say that at least for T-Systems it took a lot of time and effort to work on all those items to fulfill the requirements (for some even before the communication was sent). Recognizing the various answers and looking at the following discussion one may ask whether there are cases where some understand those items more than a "first draft for a negotiation" rather than requirements. (I'm trying to find a very very carefully wording here). To be honest, I already had to argue against this argumentation :-S
My concern is, that this procedure will lead to more and more people generally saying "we need more time" or "we cannot fulfill this at all" and wait what the next offer for a weaker compromise will be.
To get this clear - I recognize and absolutely appreciate that Kathleen is taking the CAs' concerns always very seriously and that she always try to find a way both Mozilla and the CAs can live with.
As said at the beginning, this is not regarding dedicated exceptions or whatever. I absolutely understand that there are special situations needing some kind of exceptions, grandfathering or things like that.
As usually: Just my 5 cents :-)
Best regards,
Carsten
Carsten Dahlenkamp
T-Systems International GmbH
Trust Center Applications
Untere Industriestraße 20, 57250 Netphen, Germany
+49 271 708-1643 (Tel.)
E-Mail:
carsten.d...@external.t-systems.com
http://www.t-systems.com,
http://www.telesec.de
> All,
>
> As you know, I am summarizing responses to the recent CA Communication
> here:
>
https://wiki.mozilla.org/CA:Communications#January_2013_Responses
> Here are the trends that I am seeing.
>
>
> Action #1: Mozilla Policy Update Readiness
>
> In regards to the changes to version 2.1 of Mozilla's CA Certificate
> policy, most CAs stated that they were already in compliance with the
> changes, or would be able to comply with the new requirements
> according to the time frames listed on the wiki page
> (
https://wiki.mozilla.org/CA:CertPolicyUpdates#Transitioning_to_the_Up
> dated_Policy_Version_2.1).
>
> Most of the CAs that answered with "C" (need more time) stated that
> they need more time to comply with the Baseline Requirements. They
> were OK with the time frames allowed for transitioning their
> intermediate certificates.
>
> There are a couple CAs whose included root certs only have the email
> trust bit enabled, and those root certs sign end-entity certs
> directly, as required by legacy software. These CAs have requested a
> long-term exception to Mozilla's new policy requiring intermediate
> issuing certificates.
> I added a bullet point to the wiki page to address this.
>
https://wiki.mozilla.org/CA:CertPolicyUpdates#Transitioning_to_the_Upd
> ated_Policy_Version_2.1
> "Item #6, fourth bullet: "maintain a certificate hierarchy such that
> the included certificate does not directly issue end-entity
> certificates to customers (e.g., the included certificate signs
> intermediate issuing certificates);"
> - As of February 15, 2014 there shall be no more end-entity
> certificates being issued to customers that are directly signed by a
> trust anchor that is included in NSS.
> - Exceptions may be granted for root certificates that only have the
> email (S/MIME) trust bit enabled, and do not have the websites
> (SSL/TLS) or code signing trust bits enabled."
>
>
>
> Action #2: Baseline Requirements Readiness
>
> The BRs that CAs most commonly stated that they need more time to
> comply with are:
> - BR 9.2.1, "Subject Alternative Name Extension"
> - BR 9.6, "Certificate Serial Number"
> - BR 13.2.2, "Repository" (OCSP)
> - Appendix B, "Certificate Extensions (Normative)"
> - Appendix C, "User Agent Verification (Normative)"
>
> For in-premise operations, most CAs stated that they expect to comply
> with the BRs by June 2013.
>
> Several CAs stated that they need more time to help their subordinate
> CAs comply with the BRs.
>
> I am considering adding a sub-bullet to the wiki page to take these
> requests into account. See the third sub-bullet (proposed) below...
>
https://wiki.mozilla.org/CA:CertPolicyUpdates#Transitioning_to_the_Upd
> ated_Policy_Version_2.1
> "Item #13: "CA operations and issuance of certificates to be used for
> SSL-enabled servers must also conform to version 1.1 of the CA/Browser
> Forum Baseline Requirements for the Issuance and Management of
> Publicly-Trusted Certificates."
> - As of February 2013, SSL certificate issuance must also be audited
> according to the Baseline Requirements. (see details above)
> - All other dates are as specified by the CA/Browser Forum.
> - The first BR audit for each CA and subCA may include a list of BRs
> that the CA (or subCA) is not yet in compliance with. The second BR
> audit (the following year) is expected to confirm that the issues that
> were listed in the previous BR audit have been resolved."
>
>
> Action #3: Scan Cert DB
>
> Many CAs are still working on this action item. The most common issues
> are 1024-bit certs and certs being issued with sequential serial
> numbers and insufficient entropy.
>
>
> Action #4: Deprecate issuance of SSL certificates containing a
> Reserved IP Address or Internal Server Name.
>
> For CAs who issue this type of cert, many said that they will stop
> issuance earlier than is required in BR 9.2.1, but several said that
> they will use the dates listed in BR 9.2.1.
>
>
> Kathleen