MRSP 2.9: Issue#232: Root CA Lifecycles

[Ben Wilson]

All,

We previously announced this change in policy over a year ago, and will be finalizing it in Version 2.9 of the Mozilla Root Store Policy (MRSP).  

Please review this addition, and let us know if you have any final comments. 

----- Begin MRSP Revision -----

7.4 Root CA Lifecycles

For a root CA certificate trusted for server authentication, Mozilla will remove the websites trust bit when the CA key material is more than 15 years old. For a root CA certificate trusted for secure email, Mozilla will set the "Distrust for S/MIME After Date" for the CA certificate to 18 years from the CA key material generation date. The CA key material generation date SHALL be determined by reference to the auditor-witnessed key generation ceremony report. If the CA operator cannot provide the key generation ceremony report for a root CA certificate created before July 1, 2012, then Mozilla will use the “Valid From” date in the root CA certificate to establish the key material generation date. For transition purposes, root CA certificates in the Mozilla root store will be distrusted according to the schedule located at https://wiki.mozilla.org/CA/Root_CA_Lifecycles, which is subject to change if underlying algorithms become more susceptible to cryptanalytic attack or if other circumstances arise that make this schedule obsolete.

CA operators MUST apply to Mozilla for inclusion of their next generation root certificate at least 2 years before the distrust date of the CA certificate they wish to replace.

----- End MRSP Revision -----

Thanks,

Ben

[Rob Stradling]

> CA operators MUST apply to Mozilla for inclusion of their next generation root certificate at least 2 years before the distrust date of the CA certificate they wish to replace.

Hi Ben.  I would interpret that sentence to mean that if a CA operator misses the "at least 2 years" deadline then they are forever forbidden from submitting a next generation root certificate for inclusion in Mozilla's root store.  Is that the intent?

I think CAs should certainly be encouraged to submit next gen roots in a timely fashion, and I think Mozilla shouldn't feel obliged to grant extensions on to-be-replaced root removals in order to support CAs that fail to do this "at least 2 years" in advance.  However, I think "forever forbidden" is unnecessarily harsh!

So I suggest changing "MUST" to "SHOULD".

---

From: dev-secur...@mozilla.org <dev-secur...@mozilla.org> on behalf of Ben Wilson <bwi...@mozilla.com>
Sent: 26 July 2023 16:42
To: dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: MRSP 2.9: Issue#232: Root CA Lifecycles

 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabwQ0tiADoo-YNvCSuu3dAxTJOjSKnUbWb6NQasoejQKg%40mail.gmail.com.

[Ben Wilson]

Thanks, Rob.  I'll change it to a strong SHOULD.

Ben