m (Removed "draft") | m (Minor edits)
Line 1: | Line 1: | ||
Version 2.9 of Mozilla's Root Store Policy, section 7.4 (Root CA Lifecycles) states: | |||
* For a root CA certificate trusted for server authentication, Mozilla will remove the websites trust bit when the CA key material is more than 15 years old. | * For a root CA certificate trusted for server authentication, Mozilla will remove the websites trust bit when the CA key material is more than 15 years old. | ||
* For a root CA certificate trusted for secure email, Mozilla will set the "Distrust for S/MIME After Date" for the CA certificate to 18 years from the CA key material generation date. | * For a root CA certificate trusted for secure email, Mozilla will set the "Distrust for S/MIME After Date" for the CA certificate to 18 years from the CA key material generation date. | ||
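Review bot: the introductory sentence on the first row ("Version 2.9 of Mozilla's Root Store Policy, section 7.4 (Root CA Lifecycles) states:") has no counterpart in the right-hand column, so the new revision appears to present the two bullets without saying which policy version and section they quote. If that sentence was dropped rather than moved elsewhere on the page, restore it so the 15-year (websites trust bit) and 18-year (Distrust for S/MIME After Date) figures remain attributed to section 7.4 of version 2.9.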
Line 45: | Line 45: | ||
==== Old Roots CAs and Hierarchies do not meet Current Requirements ==== | ==== Old Roots CAs and Hierarchies do not meet Current Requirements ==== | ||
Mozilla's Root Store Policy and the CA/Browser Forum Baseline Requirements (CABF BRs) are constantly evolving in order to improve security on the web. As new requirements are introduced, existing CA hierarchies are grandfathered in. Over time these CA hierarchies need to be replaced so that they become fully compliant with current policies. Having a policy about root CA lifecycles will ensure that CA hierarchies get updated and become fully compliant. | Mozilla's Root Store Policy and the CA/Browser Forum Baseline Requirements (CABF BRs) are constantly evolving in order to improve security on the web. As new requirements are introduced, existing CA hierarchies are grandfathered in. Over time, these CA hierarchies need to be replaced so that they become fully compliant with current policies. Having a policy about root CA lifecycles will ensure that CA hierarchies get updated and become fully compliant. | ||
<br> | <br> | ||
Examples of how requirements and practices have changed over time include, but are not limited to the following: | Examples of how requirements and practices have changed over time include, but are not limited to, the following: | ||
* Mozilla's first root store policy was published in 2004. | * Mozilla's first root store policy was published in 2004. | ||
* The CA/Browser Forum EV Guidelines were adopted in October 2006, and for root CA keys to be trusted for EV treatment in browsers they had to be created in an auditor-witnessed key generation ceremony. | * The CA/Browser Forum EV Guidelines were adopted in October 2006, and for root CA keys to be trusted for EV treatment in browsers they had to be created in an auditor-witnessed key generation ceremony. |
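Review bot: the heading "Old Roots CAs and Hierarchies do not meet Current Requirements" is carried unchanged on both sides, but "Roots CAs" should read "Root CAs". Since this revision is already correcting punctuation in the paragraph beneath it (adding the commas after "Over time" and "not limited to"), the heading typo is worth fixing in the same pass rather than leaving it for another minor edit.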