Greetings,
As we get to the end of 2025, it’s time to reflect on the past year and to think about the challenges and conversations we’ll have in 2026. Community input has shaped virtually every meaningful improvement for Mozilla and the Web PKI, and I expect that to continue. I want to share some observations and thoughts in areas where I expect our collective attention may be needed, so we can continue to make good progress.
Earlier in the year, we published Mozilla Root Store Policy v. 3.0, which introduced clearer expectations for Mass Revocation Planning and several other improvements that we’ll continue refining as we see how they work in practice. We also hosted our first roundtable discussion, which uncovered a number of shared challenges—CPS clarity, incident reporting expectations, revocation handling, and automation. It also produced several action items for us to work on. Some are underway; others still need attention, including updates to the Forbidden and Problematic Practices and Recommended Practices wiki pages.
We also made some progress on incident reporting. During the roundtable discussions, CAs expressed uncertainty about how to respond to different types of questions and comments coming from different perspectives—probing, rhetorical, clarifying, anonymous, etc. Another related topic that came up during the roundtable was when a Bugzilla discussion should be moved to m.d.s.p. or the CCADB Public list. Several people suggested documenting best practices for these discussions and offering clearer criteria. All of us would benefit from clearer guidance, and this is an area we plan to address in 2026 with input from this community.
In addition, we updated several CA wiki pages (see https://wiki.mozilla.org/CA), including Lessons Learned, the CA Inclusion Process, and the Value Statement, and we continued to improve our documentation and transparency practices throughout the year. We can continue this momentum next year with community participation–suggestions, examples, and improved wording.
The next year will present significant challenges. Several CAs will need to transition to newer root hierarchies, and those operating dual-purpose roots will begin the move toward dedicated, single-purpose hierarchies. These transitions inevitably raise operational questions, and I expect that we’ll need continued discussion about timelines, expectations, and edge cases.
CAs will also be submitting audit reports that include tested mass-revocation procedures. This is still an area where we are learning, so I’m especially interested in community feedback about what’s working, what isn't, and what gaps remain.
We'll also see ongoing changes driven by updates to the Baseline Requirements. Here are just a few:
- Multi-Perspective Issuance Corroboration (MPIC) expanding to 5 remote perspectives by December 2026, with regional diversity requirements;
- DNSSEC required for domain validation and CAA checking;
- Certificate validity and domain and IP validation reuse reduced to 200 days;
- Documentation reuse limited to 398 days; and
- Short-lived certificates reduced to 7 days.
These changes will require thoughtful implementation, and moving into 2026, we’ll rely on continued collaboration and good communication to ensure that the new requirements are clearly understood, well-supported, and consistently met.
We should also expect continued discussion around the designated use of revocation reason codes in section 4.9.1.1 of the TLS BRs. Mozilla is interested in improving the clarity and utility of revocation reasons, particularly for scenarios where browser behavior may depend on more accurate and detailed explanations. This is another area where feedback will be essential.
On the root inclusion side, we will continue refining the CA inclusion process, reviewing CPSes and Value Statements, and working with applicants and existing CAs to ensure transparency and completeness. And we will keep encouraging the adoption of ACME, ARI, and similar automation technologies, which reduce the tension around certificate replacement and revocation.
Improving the reliability and resilience of the Web PKI is an important goal for 2026. This theme will be reflected in efforts to:
- improve transparency and communication around incidents,
- increase automation and agility,
- coordinate root and hierarchy replacements,
- strengthen revocation processes, and
- ensure that root inclusion and management remain clear and predictable.
Finally, I want to thank everyone who contributed this year—whether here, through incident discussions on Bugzilla, during policy reviews, CCADB updates, or participation during roundtable discussions. This community has always been central to how Mozilla approaches PKI stewardship, and I appreciate the time and expertise you bring to these conversations.
I look forward to working with all of you in 2026 and to our continued discussions.
Best wishes,
Ben