MRSP 3.0: Published

Ben Wilson

Feb 24, 2025, 6:18:50 PM
to dev-secur...@mozilla.org
Greetings all,
The final version of MRSP v.3.0 is now published with an effective date of March 15, 2025. Please review and let me know if you spot any issues.
Thanks,
Ben

Fumiaki ONO

Mar 31, 2025, 1:35:50 PM
to dev-secur...@mozilla.org, Ben Wilson
Hello Ben-san,

We have a question about MRSP Section 7.5.3.
How should we submit the transition plan?
If there are any specifications for the format or where to send it, we would appreciate it if you could let us know.

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

> 7.5.3 Transition Plan for Existing Roots
> Root CA certificates included in Mozilla's Root Store as of January 1, 2025, that have both the websites and the email trust bits enabled MAY remain trusted after April 15, 2026, if the CA operator has submitted a transition plan by April 15, 2026, to migrate to dedicated hierarchies by December 31, 2028.

Best regards,

ONO Fumiaki / 大野 文彰
SECOM Trust Systems Co., Ltd.

On Tuesday, February 25, 2025 at 8:18:50 UTC+9, Ben Wilson wrote:

Ben Wilson

Mar 31, 2025, 5:12:32 PM
to Fumiaki ONO, dev-secur...@mozilla.org
Dear Ono-san,

Thank you for your questions regarding how to submit a dual-root transition plan required by MRSP Section 7.5.3.  I am still finalizing the process for how transition plans should be submitted, and I will post such guidance on the Mozilla CA wiki. However, at this time, the preferred method will be to post the transition plan in a "CA Certificate Root Program" bug (e.g., titled “Remove Email Trust Bit from CA XYZ”, or similar). Filing a certificate change bug in the CA Certificate Root Program component of Bugzilla will itself initiate the change request and get the process started. See https://wiki.mozilla.org/CA/Certificate_Change_Process.  Alternatively, the plan could be filed in the CA Documents component in Bugzilla. Either of these approaches ensures transparency and allows the community to be aware of the CA operator’s progress and intentions. Or, the less-preferred method would be, if a CA operator strongly believes that the transition plan contains sensitive or proprietary information, to submit the plan on or before April 15, 2026, by email to certif...@mozilla.org. If that approach is taken, a redacted or other transition plan would still need to be uploaded to Bugzilla after the April 15, 2026, date.

As for the format and content, we do not currently require a rigid template (I've pasted something below as guidance, if helpful). However, the plan must clearly address how the CA operator will meet Mozilla’s requirement to migrate away from dual-use roots by December 31, 2028. This means the plan must include either removal of the websites or email trust bit or the root itself from our certdata.txt file. Please note that all transition plans should focus only on Mozilla’s requirements, not those of other root programs, and you do not need to include unnecessary implementation detail—just ensure that your plan is clear, reasonable, and demonstrates how the root CA will be migrated away from dual-use by the December 31, 2028, deadline.

We’ll continue to monitor the types of plans received and may provide additional guidance later if necessary.

Thanks,

Ben


Root Transition Plan Template

CA Operator Name:
[Insert name of the CA operator]

Root CA Certificate:
[Insert full subject DN and SHA256 hash of the affected root certificate]

Summary Description of the Plan:
Please describe, in one or two paragraphs, how your organization plans to transition away from using this root certificate as a dual-use root. Indicate which of the following actions will be taken:

_____ Request to remove the email trust bit

_____ Request to remove the websites trust bit

_____ Request to remove the root

_____ Other (Explain)

Transition Timeline:
Please provide relevant dates and milestones. Example entries might include:

  • Date to submit change request: [MM/DD/YYYY]

  • Last issuance of conflicting certificates: [MM/DD/YYYY]

  • Expiration date of last affected certificate: [MM/DD/YYYY]

  • Planned date of removal: [MM/DD/YYYY]

  • Estimated date for inclusion of new single-purpose root(s) (if applicable): [MM/DD/YYYY]

Additional Notes (Optional):
Use this space to provide any other relevant information to support your plan or clarify timelines.



大野 文彰

Apr 1, 2025, 5:55:11 AM
to Ben Wilson, dev-secur...@mozilla.org

Hello Ben-san,

Thank you for your quick and courteous reply.

We will prepare a report on how to post the transition plan in a "CA Certificate Root Program" bug (e.g., titled “Remove Email Trust Bit from CA XYZ”, or similar) in Bugzilla.

Best regards,

ONO Fumiaki / 大野 文彰
SECOM Trust Systems Co., Ltd.
