MozillaWiki

CA/Root Store Policy Archive: Difference between revisions

Page Discussion

CA/Root Store Policy Archive (view source)

Revision as of 22:06, 2 June 2022

228 bytes added ,  2 June 2022
→‎2.8: Added deadline of Dec. 31 2022 for uploading of CPs/CPSes
(Clarified date for updating subscriber agreements and tools in regards to revocation reason options)
(→‎2.8: Added deadline of Dec. 31 2022 for uploading of CPs/CPSes)
Line 14: Line 14:
*** New Section 6.1.1 - When a TLS server certificate is revoked for keyCompromise, privilegeWithdrawn, cessationOfOperation, affiliationChanged, or superseded, the CRLReason MUST be included in the reasonCode extension of the CRL entry corresponding to the end entity TLS certificate. If the certificate is revoked for a different or unspecified reason, then the reasonCode extension MUST NOT be provided in the CRL.
*** New Section 6.1.1 - When a TLS server certificate is revoked for keyCompromise, privilegeWithdrawn, cessationOfOperation, affiliationChanged, or superseded, the CRLReason MUST be included in the reasonCode extension of the CRL entry corresponding to the end entity TLS certificate. If the certificate is revoked for a different or unspecified reason, then the reasonCode extension MUST NOT be provided in the CRL.
**** The CA operator's subscriber agreement for TLS server certificates [[CA/Revocation_Reasons#Communication_to_Subscribers|must inform certificate subscribers about the revocation reason options]], and tools must be updated to enable certificate subscribers to specify these revocation reason options.
**** The CA operator's subscriber agreement for TLS server certificates [[CA/Revocation_Reasons#Communication_to_Subscribers|must inform certificate subscribers about the revocation reason options]], and tools must be updated to enable certificate subscribers to specify these revocation reason options.
** December 31, 2022: CA operators will need to have uploaded all older, available versions of their CPs and CPSes if more time is needed to conform to other requirements such as the Web Content Accessibility Guidelines (WCAG).
** July 1, 2023: CAs SHALL NOT sign SHA-1 hashes over certificates with an EKU extension containing the id-kp-ocspSigning key purpose; intermediate certificates that chain up to roots in Mozilla's program; OCSP responses; or CRLs.
** July 1, 2023: CAs SHALL NOT sign SHA-1 hashes over certificates with an EKU extension containing the id-kp-ocspSigning key purpose; intermediate certificates that chain up to roots in Mozilla's program; OCSP responses; or CRLs.


Bwilson
Confirmed users
377

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/1242791"