CA/Root Store Policy Archive: Difference between revisions

Added section for MRSP v.2.8
m (Updated links from CA: to CA/)
(Added section for MRSP v.2.8)
Line 1: Line 1:
__NOTOC__
__NOTOC__
==2.8==
* [https://github.com/mozilla/pkipolicy/blob/2.8/rootstore/policy.md Policy document]
* Finalized date (GitHub): April 26, 2022
* Publication date (www.mozilla.org): April 29, 2022
* Effective (compliance) date: June 1, 2022, except:
** July 1, 2022: CAs SHALL NOT sign SHA-1 hashes over end entity certificates with an EKU extension containing the id-kp-emailProtection key purpose.
** July 1, 2022: Name-constrained CA certificates that are technically capable of issuing working server or email certificates that were exempt from disclosure in previous versions of this policy MUST be disclosed in the CCADB.
** October 1, 2022: CA operators with intermediate CA certificates that are capable of issuing TLS certificates chaining up to root certificates in Mozilla's root store SHALL populate the CCADB fields under "Pertaining to Certificates Issued by This CA" with either the CRL Distribution Point for the "Full CRL Issued By This CA" or a "JSON Array of Partitioned CRLs.
** October 1, 2022:  CAs MUST be able to revoke a certificate presumed to exist, if revocation of the certificate is required under this policy, even if the final certificate does not actually exist, and MUST provide CRL and OCSP services and responses in accordance with the policy for all certificates presumed to exist based on the presence of a precertificate, even if the certificate does not actually exist.
** October 1, 2022:  New Section 6.1.1 - When an end entity TLS certificate (i.e. a certificate capable of being used for TLS-enabled servers) is revoked for one of the specified reasons below, the CRLReason MUST be included in the reasonCode extension of the CRL entry corresponding to the end entity TLS certificate.
** July 1, 2023: CAs SHALL NOT sign SHA-1 hashes over certificates with an EKU extension containing the id-kp-ocspSigning key purpose; intermediate certificates that chain up to roots in Mozilla's program; OCSP responses; or CRLs.
* [https://github.com/mozilla/pkipolicy/pull/245/files List of changes and diff]


==2.7.1==
==2.7.1==
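Review bot: In the first October 1, 2022 bullet (CCADB fields under "Pertaining to Certificates Issued by This CA"), the quotation mark opened before JSON Array of Partitioned CRLs is never closed; close it after "CRLs" so the two field names read as a matched pair. The next two October 1, 2022 bullets have a double space after the colon, unlike the other dated bullets. The Section 6.1.1 bullet says "one of the specified reasons below", but this archive entry lists no reasons, so either drop "below" or point the reader to Section 6.1.1 of the linked policy document.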