DRAFT Communication to CAs

19 views
Skip to first unread message

Kathleen Wilson

unread,
Apr 12, 2011, 3:07:53 PM4/12/11
to mozilla-dev-s...@lists.mozilla.org
All,

I would appreciate feedback on the following draft of a communication to
be emailed to CAs with roots in NSS.

--
Title: Mozilla Communication: Policy Discussions are in Progress that
may Impact Your CA

Dear Certification Authority,

On behalf of Mozilla, I am contacting you in regards to three important
items that we would like to bring to your attention.

1) The CA/Browser Forum has published a final draft of the document
"Baseline Requirements for the Issuance and Management of
Publicly-Trusted Certificates." This document is now under review in the
mozilla.dev.security.policy forum. For more information, see
http://cabforum.org/.

It is Mozilla’s intent to add a requirement to the Mozilla CA
Certificate Policy
(http://www.mozilla.org/projects/security/certs/policy/) that CAs
include the CA/Browser Forum Baseline Requirements in their policies,
practices, and audits. Therefore, we urge you to review the draft of the
Baseline Requirements, assessing the impact to your CA policies and
practices, and participate in the current discussions about these
requirements. The discussion is limited to 45 days from April 11.

2) Mozilla has begun discussions about the Phase 2 items to be
considered for updating the Mozilla CA Certificate Policy,
https://wiki.mozilla.org/CA:CertPolicyUpdates#Second_Phase. The current
discussions are focused on RAs and Subordinate CAs. We recommend that
you monitor and contribute to these discussions so that you are aware of
how the potential changes to the Mozilla CA Certificate Policy may
impact you.

3) As per previous communications, we will implement a code change to
stop accepting MD5 as a hash algorithm for intermediate and end-entity
certs. After June 30, 2011, software published by Mozilla will return an
error when a certificate with an MD5-based signature is used. Mozilla
will take this action earlier and at its sole discretion if necessary to
keep our users safe. For more information, please see
https://wiki.mozilla.org/CA:MD5and1024.

We look forward to your continued involvement and contributions to
improving Mozilla’s CA Certificate Policy and practices.

Regards,
Kathleen Wilson
Module Owner of Mozilla's CA Certificates Module
--

Ian G

unread,
Apr 12, 2011, 9:03:07 PM4/12/11
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org
On 13/04/11 5:07 AM, Kathleen Wilson wrote:
> All,
>
> I would appreciate feedback on the following draft of a communication to
> be emailed to CAs with roots in NSS.
>
> --
> Title: Mozilla Communication: Policy Discussions are in Progress that
> may Impact Your CA
>
> Dear Certification Authority,
>
> On behalf of Mozilla, I am contacting you in regards to three important
> items that we would like to bring to your attention.
>
> 1) The CA/Browser Forum has published a final draft of the document
> "Baseline Requirements for the Issuance and Management of
> Publicly-Trusted Certificates." This document is now under review in the
> mozilla.dev.security.policy forum. For more information, see
> http://cabforum.org/.
>
> It is Mozilla’s intent to add a requirement to the Mozilla CA
> Certificate Policy
> (http://www.mozilla.org/projects/security/certs/policy/) that CAs
> include the CA/Browser Forum Baseline Requirements in their policies,
> practices, and audits. Therefore, we urge you to review the draft of the
> Baseline Requirements, assessing the impact to your CA policies and
> practices, and participate in the current discussions about these
> requirements. The discussion is limited to 45 days from April 11.


I'm sorry, I must have missed something. When was this discussed? When
was this aired in this forum?

Was there consensus on a private, confidentially negotiated document
being thrust on all CAs around the world by Mozilla?

On behalf of CABForum? What is the effect on Mozilla's policy? Do we
even need the policy any more?

What is ETSI's view on this? Has every CA in the list been polled on
this? Is there an implication that all CAs must join CABForum?


> 2) Mozilla has begun discussions about the Phase 2 items to be
> considered for updating the Mozilla CA Certificate Policy,
> https://wiki.mozilla.org/CA:CertPolicyUpdates#Second_Phase. The current
> discussions are focused on RAs and Subordinate CAs. We recommend that
> you monitor and contribute to these discussions so that you are aware of
> how the potential changes to the Mozilla CA Certificate Policy may
> impact you.

OK, this one I've seen.

> 3) As per previous communications, we will implement a code change to
> stop accepting MD5 as a hash algorithm for intermediate and end-entity
> certs. After June 30, 2011, software published by Mozilla will return an
> error when a certificate with an MD5-based signature is used. Mozilla
> will take this action earlier and at its sole discretion if necessary to
> keep our users safe. For more information, please see
> https://wiki.mozilla.org/CA:MD5and1024.


OK, that one can be broadcast many times :)

A wider observation. In the past, this forum was for volunteers
preparing policies, and reviewing CAs to go into the list. Once.

In that past, it was not necessary for a CA to be represented.

However, we may be moving to a more engaged posture. Are we considering
mandating that CAs be aware and signed up for this list? So as to catch
developments as they happen?

Or are we still relying on an occasional mail-out from Kathleen?

iang

Gervase Markham

unread,
Apr 13, 2011, 6:59:43 AM4/13/11
to Ian G, Kathleen Wilson
On 13/04/11 02:03, Ian G wrote:
>> It is Mozilla’s intent to add a requirement to the Mozilla CA
>> Certificate Policy
>> (http://www.mozilla.org/projects/security/certs/policy/) that CAs
>> include the CA/Browser Forum Baseline Requirements in their policies,
>> practices, and audits. Therefore, we urge you to review the draft of the
>> Baseline Requirements, assessing the impact to your CA policies and
>> practices, and participate in the current discussions about these
>> requirements. The discussion is limited to 45 days from April 11.
>
> I'm sorry, I must have missed something. When was this discussed? When
> was this aired in this forum?

Are there things in the Baseline Requirements that you think Mozilla
should not be requiring of CAs?

> Was there consensus on a private, confidentially negotiated document
> being thrust on all CAs around the world by Mozilla?

Mozilla has pushed for, and succeeded in making it a less private, less
confidentially negotiated document than the last one (the EV
guidelines). We have just begun a public discussion period and I have
every reason to believe and trust that the CABForum members are engaged
in it in good faith. Do you have evidence to the contrary?

> On behalf of CABForum? What is the effect on Mozilla's policy? Do we
> even need the policy any more?

The CABForum document includes a large number of things that Mozilla's
policy has specified; therefore if it were to be included as a
requirement, the DRY principle suggests that we would remove them from
our policy, making it shorter and easier to understand.

> What is ETSI's view on this? Has every CA in the list been polled on
> this? Is there an implication that all CAs must join CABForum?

I don't know what ETSI's view is. All CAs are invited to join the
discussion; I don't think that adding a set of requirements in the form
of a CABForum document is qualitatively different from adding them
unilaterally. There is no implication that all CAs _must_ join CABForum
- CABForum documents have no legal validity unless browsers decide to
enforce them.

> A wider observation. In the past, this forum was for volunteers
> preparing policies, and reviewing CAs to go into the list. Once.
>
> In that past, it was not necessary for a CA to be represented.
>
> However, we may be moving to a more engaged posture. Are we considering
> mandating that CAs be aware and signed up for this list? So as to catch
> developments as they happen?

The only way we could mandate this would be through root inclusion
requirements (or threatening to pull roots!). As membership of this
forum does not materially affect the security of a CA's operation, I
don't think we can mandate it.

Wise != Compulsory.

Gerv

Eddy Nigg

unread,
Apr 13, 2011, 8:03:18 AM4/13/11
to mozilla-dev-s...@lists.mozilla.org
On 04/13/2011 01:59 PM, From Gervase Markham:

>> What is ETSI's view on this? Has every CA in the list been polled on
>> this? Is there an implication that all CAs must join CABForum?
>
> I don't know what ETSI's view is.

As a by-note, we neither don't know what the view of WebTrust is. As
such, auditors are only relevant after CAs have incorporated compliance
to the basic guideline requirements into their policies. The CAs might
do so, due to software vendor requirements in first place. And auditors
may confirm compliance.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

Kathleen Wilson

unread,
Apr 13, 2011, 2:58:07 PM4/13/11
to mozilla-dev-s...@lists.mozilla.org


Of course there will be discussion before anything gets added to the
Mozilla CA Certificate Policy. We're not to that point yet in regards to
the CAB Forum Baseline Requirements.

The CAB Forum has only recently published the Baseline Requirements
document, though it has been previously mentioned in m.d.s.policy.
During the discussion of version 2.0 of the Mozilla CA Certificate
policy the CAB Forum baseline requirements were made available upon request.
http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/39ddd881958e7f28#

We have a limited amount of time to review and comment on the CAB
Forum's Baseline Requirements document, so my goal is to impress the
importance of this upon all CAs with roots in NSS. Please let me know if
you have a suggestion about how to better phrase my email to quickly get
their attention and motivate them to review the baseline requirements
and participate in the discussion.

Kathleen

Kyle Hamilton

unread,
Apr 13, 2011, 4:25:04 PM4/13/11
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org

On Wed, Apr 13, 2011 at 11:58 AM, Kathleen Wilson <kathle...@yahoo.com> wrote:
> Of course there will be discussion before anything gets added to the Mozilla
> CA Certificate Policy. We're not to that point yet in regards to the CAB
> Forum Baseline Requirements.

Your proposed letter says "45 days from April 11". I don't recall any particular request for discussion for this.

> The CAB Forum has only recently published the Baseline Requirements
> document, though it has been previously mentioned in m.d.s.policy. During
> the discussion of version 2.0 of the Mozilla CA Certificate policy the CAB
> Forum baseline requirements were made available upon request.
> http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/39ddd881958e7f28#

No, Draft 19 of them was made available on request. What's the current revision number of the proposed final draft?

Also, where's your usual announcement of the discussion period, separate and distinct from this proposed communication? I can't seem to find it.

-Kyle H

Kathleen Wilson

unread,
Apr 13, 2011, 7:29:52 PM4/13/11
to mozilla-dev-s...@lists.mozilla.org
On 4/13/11 1:25 PM, Kyle Hamilton wrote:
>
>
> On Wed, Apr 13, 2011 at 11:58 AM, Kathleen Wilson
> <kathle...@yahoo.com> wrote:
>> Of course there will be discussion before anything gets added to the
>> Mozilla
>> CA Certificate Policy. We're not to that point yet in regards to the CAB
>> Forum Baseline Requirements.
>
> Your proposed letter says "45 days from April 11". I don't recall any
> particular request for discussion for this.
>

We are using m.d.s.policy as a means to have discussion about the
CA/Browser Forum's document before they publish it as version 1.0.

The 45 days is per the CA/Browser Forum's announcement: http://cabforum.org/

I do not plan on hosting a discussion about how to update the Mozilla CA
Certificate Policy in this regard until after the CA/Browser Forum has
published version 1.0 (e.g. an official version) of the Baseline
Requirements.

However, I want to make sure that all of the CAs with roots in NSS
review and have the opportunity to comment on the CA/Browser Forum's
document during this time frame.


>> The CAB Forum has only recently published the Baseline Requirements
>> document, though it has been previously mentioned in m.d.s.policy. During
>> the discussion of version 2.0 of the Mozilla CA Certificate policy the
>> CAB
>> Forum baseline requirements were made available upon request.
>> http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/39ddd881958e7f28#
>>
>
> No, Draft 19 of them was made available on request. What's the current
> revision number of the proposed final draft?
>
> Also, where's your usual announcement of the discussion period, separate
> and distinct from this proposed communication? I can't seem to find it.

This is a discussion about a CA/Browser Forum document, not a Mozilla
document.

Their announcement for it is here: http://cabforum.org/

Gerv posted about it here:
http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/a1150be280f1d08e#


Kathleen


Gervase Markham

unread,
Apr 14, 2011, 9:48:43 AM4/14/11
to mozilla-dev-s...@lists.mozilla.org
On 13/04/11 21:25, Kyle Hamilton wrote:
> Your proposed letter says "45 days from April 11". I don't recall any
> particular request for discussion for this.

You mean a request for discussion of how long the discussion is? No,
there wasn't one - the time limit was set by the CAB Forum. That's the
way it is.

> No, Draft 19 of them was made available on request. What's the current
> revision number of the proposed final draft?

30b.

> Also, where's your usual announcement of the discussion period, separate
> and distinct from this proposed communication? I can't seem to find it.

You mean for the CAB Forum Baseline Requirements? Here:
http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/a1150be280f1d08e#

Gerv

Kathleen Wilson

unread,
Apr 14, 2011, 3:56:21 PM4/14/11
to mozilla-dev-s...@lists.mozilla.org
On 4/12/11 6:03 PM, Ian G wrote:
> On 13/04/11 5:07 AM, Kathleen Wilson wrote:
>> All,
>>
>> I would appreciate feedback on the following draft of a communication to
>> be emailed to CAs with roots in NSS.
>>
>> --
>> Title: Mozilla Communication: Policy Discussions are in Progress that
>> may Impact Your CA
>>
>> Dear Certification Authority,
>>
>> On behalf of Mozilla, I am contacting you in regards to three important
>> items that we would like to bring to your attention.
>>
>> 1) The CA/Browser Forum has published a final draft of the document
>> "Baseline Requirements for the Issuance and Management of
>> Publicly-Trusted Certificates." This document is now under review in the
>> mozilla.dev.security.policy forum. For more information, see
>> http://cabforum.org/.
>>
>> It is Mozilla’s intent to add a requirement to the Mozilla CA
>> Certificate Policy
>> (http://www.mozilla.org/projects/security/certs/policy/) that CAs
>> include the CA/Browser Forum Baseline Requirements in their policies,
>> practices, and audits. Therefore, we urge you to review the draft of the
>> Baseline Requirements, assessing the impact to your CA policies and
>> practices, and participate in the current discussions about these
>> requirements. The discussion is limited to 45 days from April 11.
>


Here’s alternative text to address the concerns raised about point #1…

--


1) The CA/Browser Forum has published a final draft of the document
"Baseline Requirements for the Issuance and Management of

Publicly-Trusted Certificates." We are now hosting a discussion about
this document in the mozilla.dev.security.policy forum. For more
information, see http://cabforum.org/. The document is here:
http://cabforum.org/Baseline_Requirements_Draft_30b.pdf

Mozilla supports the CA/Browser Forum’s efforts in this area. After
version 1.0 of the CA/Browser Forum’s Baseline Requirements document is
published, we will have a discussion to add a requirement to the Mozilla

CA Certificate Policy
(http://www.mozilla.org/projects/security/certs/policy/) that CAs
include the CA/Browser Forum Baseline Requirements in their policies,
practices, and audits. Therefore, we urge you to review the draft of the
Baseline Requirements, assessing the impact to your CA policies and
practices, and participate in the current discussions about these

requirements. The CA/Browser Forum has set the duration of this
discussion to 45 days from April 11.
--


If this is OK, I'll go ahead make this change and send the communication.

Thanks,
Kathleen

Ian G

unread,
Apr 14, 2011, 8:53:24 PM4/14/11
to mozilla-dev-s...@lists.mozilla.org
On 15/04/11 5:56 AM, Kathleen Wilson wrote:

> Here’s alternative text to address the concerns raised about point #1…
>
> --

> 1) The CA/Browser Forum has published a final draft of the document
> "Baseline Requirements for the Issuance and Management of

> Publicly-Trusted Certificates." We are now hosting a discussion about

> this document in the mozilla.dev.security.policy forum. For more


> information, see http://cabforum.org/. The document is here:
> http://cabforum.org/Baseline_Requirements_Draft_30b.pdf
>
> Mozilla supports the CA/Browser Forum’s efforts in this area. After
> version 1.0 of the CA/Browser Forum’s Baseline Requirements document is

> published, we will have a discussion to add a requirement to the Mozilla


> CA Certificate Policy
> (http://www.mozilla.org/projects/security/certs/policy/) that CAs
> include the CA/Browser Forum Baseline Requirements in their policies,
> practices, and audits.

That is better.

Where I am still concerned is with the Mozilla intention. You've
obviously thought about this for 2 years. Some of us haven't. A
problem with closed groups is that those who are in them are comfortable
with the way the direction is going, those who are out are not.

It is not clear to me whether Mozilla intends to replace section 9 of
the policy with this document, or add it as a possible alternative to
the several ones already there. Certainly the latter would be welcome,
especially to the predominantly North American / Anglo tradition of SSL
that CABForum works to, and who are already on board with the project.

E.g., the clause says "We reserve the right to *accept* other criteria
in the future." My emphasis.

Obviously, complete replacement means changing over the entire audit and
governance operations of a CA from one set of processes and disclosures
to another.


iang

Eddy Nigg

unread,
Apr 14, 2011, 9:07:25 PM4/14/11
to mozilla-dev-s...@lists.mozilla.org
On 04/15/2011 03:53 AM, From Ian G:

> It is not clear to me whether Mozilla intends to replace section 9 of
> the policy with this document, or add it as a possible alternative to
> the several ones already there.

The Basic requirements is not an audit criteria. It's up to the
auditor(s) to confirm compliance to this document. Similar to the EV
guidelines.

> Obviously, complete replacement means changing over the entire audit
> and governance operations of a CA from one set of processes and
> disclosures to another.

I don't think a lot changes in this respect, the Basic Guidelines are
very similar to what Mozilla requires already today with Policy 2.0,
some of it was deliberately adjusted to match the Basic Requirements and
the other way around (it was a two way street, some requirements were
adjusted to what Mozilla requires today).

Kathleen Wilson

unread,
Apr 15, 2011, 12:55:38 PM4/15/11
to mozilla-dev-s...@lists.mozilla.org
> On 13/04/11 5:07 AM, Kathleen Wilson wrote:
>> All,
>>
>> I would appreciate feedback on the following draft of a communication to
>> be emailed to CAs with roots in NSS.
>>

Thank you to those of you who provided feedback on this communication.
Here is the version that I will send today.

--

Title: Mozilla Communication: Policy Discussions are in Progress that
may Impact Your CA

Dear Certification Authority,

On behalf of Mozilla, I am contacting you in regards to three important
items that we would like to bring to your attention.

1) The CA/Browser Forum has published a final draft of the document
"Baseline Requirements for the Issuance and Management of

Publicly-Trusted Certificates." We are now hosting a discussion about

this document in the mozilla.dev.security.policy forum. For more
information, see http://cabforum.org/.

Mozilla supports the CA/Browser Forum’s efforts in this area. After
version 1.0 of the CA/Browser Forum’s Baseline Requirements document is

published, we will have a discussion to add a requirement to the Mozilla

CA Certificate Policy
(http://www.mozilla.org/projects/security/certs/policy/) that CAs
include the CA/Browser Forum Baseline Requirements in their policies,
practices, and audits. Therefore, we urge you to review the draft of the
Baseline Requirements, assessing the impact to your CA policies and
practices, and participate in the current discussions about these

requirements. The CA/Browser Forum has set the duration of this

discussion to 45 days from April 11.

2) Mozilla has begun discussions about the Phase 2 items to be
considered for updating the Mozilla CA Certificate Policy,
https://wiki.mozilla.org/CA:CertPolicyUpdates#Second_Phase. The current
discussions are focused on RAs and Subordinate CAs. We recommend that
you monitor and contribute to these discussions so that you are aware of
how the potential changes to the Mozilla CA Certificate Policy may
impact you.

3) As per previous communications, we will implement a code change to

stop accepting MD5 as a hash algorithm for intermediate and end-entity

certificates. After June 30, 2011, software published by Mozilla will

return an error when a certificate with an MD5-based signature is used.
Mozilla will take this action earlier and at its sole discretion if
necessary to keep our users safe. For more information, please see
https://wiki.mozilla.org/CA:MD5and1024.

We look forward to your continued involvement and contributions to

Reply all
Reply to author
Forward
0 new messages