The CA Communication has been sent.
===
Dear Certification Authority,
This note requests a set of immediate actions on your behalf, as a
participant in the Mozilla root program.
Please reply by March 2, 2012, to confirm completion of the following
actions or state when these actions will be completed.
1) Subordinate CAs chaining to CAs in Mozilla’s root program cannot be
used for MITM or “traffic management” of domain names or IPs that the
certificate holder does not legitimately own or control, regardless of
whether it is in a closed and controlled environment or not. Please
review all of the subordinate CAs that chain up to your root
certificates in NSS to make sure that they cannot be used in this way.
Any existing subordinate CAs that can be used for that purpose must be
revoked and any corresponding HSMs destroyed as soon as possible, but no
later than April 27, 2012. For each subordinate CA that is revoked, send me:
a) The certificate that signed the subCA. If it is a root certificate in
NSS, then the root certificate's subject and SHA1 fingerprint.
b) The Serial Number of the revoked certificate.
c) The CRL that contains the serial number of the revoked certificate.
As a CA in Mozilla’s root program you are ultimately responsible for
certificates issued by you and any intermediate CAs that chain up to
your roots. After April 27, 2012, if it is found that a subordinate CA
is being used for MITM, we will take action to mitigate, including and
up to removing the corresponding root certificate. Based on Mozilla’s
assessment, we may also remove any of your other root certificates, and
root certificates from other organizations that cross-sign your
certificates.
I am planning to publish a compiled list of CA responses to all of the
action items in this communication. Therefore, I recommend responding to
action item #1 with one of the following choices:
a) Does not apply, because we do not issue subCA certificates to third
parties.
b) SubCAs are technically and/or contractually restricted to only issue
certificates to domains that they legitimately own or control, and they
are specifically not allowed to use their subordinate certificates for
the purpose of MITM.
c) We are reviewing all of our subCAs and will take the necessary action
by <date>.
d) We have revoked such subCA certificates, and here is the requested
information.
2) If you issue subordinate CAs to third parties or your CP/CPS permits
you to do so in the future, please add a statement to your CP/CPS
committing that you will not issue a subordinate certificate that can be
used for MITM or “traffic management” of domain names or IPs that the
certificate holder does not legitimately own or control. Send me the URL
to the updated document(s) and the impacted sections or page numbers.
3) Please scan all of your EV SSL certificates and revoke any that do
not meet the EV requirements. This includes, but is not limited to,
maximum validity period of the certificate, subject naming, minimum key
sizes, required extensions, and maximum expiration time of OCSP responses.
4) Certificates chaining to root certificates in Mozilla’s root program
should not have MD5 algorithms or RSA keys shorter than 1024 bits long.
Please scan the certificates chaining to your root certificates in NSS,
and revoke any certificates that contain small key sizes or MD5 algorithms.
5) The CA/Browser Forum has released the “Baseline Requirements for the
Issuance and Management of Publicly Trusted Certificates,” which is
available here:
http://www.cabforum.org/. Discussions are in progress in
the mozilla.dev.security.policy forum to update Mozilla’s CA Certificate
Policy to add a requirement that CAs also meet these baseline
requirements for issuance of SSL/TLS certificates. Please contribute to
the discussions in the mozilla.dev.security.policy forum, and update
your operations and documentation as needed to meet the baseline
requirements by the effective date of July 1, 2012.
The currently proposed updates to Mozilla’s CA Certificate Policy are here:
http://www.mozilla.org/projects/security/certs/policy/WorkInProgress
Participation in Mozilla's root program is at our sole discretion, and
we will take whatever steps are necessary to keep our users safe.
Nevertheless, we believe that the best approach to safeguard that
security is to work with CAs as partners, to foster open and frank
communication, and to be diligent in looking for ways to improve. Thank
you for your cooperation in this pursuit.
Regards,
Kathleen Wilson
Module Owner of Mozilla's CA Certificates Module
===