The following are communications that have been sent to Certification Authorities participating in [[CA|Mozilla's root program]]. If you have questions regarding these communications, please first review related discussions in the Mozilla dev-security-policy forum. If your questions cannot be answered in that forum, then please send email to certificates@mozilla.org.
== August 2023 CA Communication and Survey ==
Communication and Survey:
https://docs.google.com/document/d/1ieXSt3rJyOSopJnDp4wFGSugpk6pt5pJFJ55rkpb6Ks/edit?usp=sharing
The purpose of this communication and survey is to ensure that CA operators are aware of and prepared to comply with changes to the Mozilla Root Store Policy (MRSP), which we plan to publish soon as version 2.9 with an effective date of September 1, 2023.
The most significant changes to v2.9 of MRSP are:
# Retirement of Older Root CA Certificates
#* https://wiki.mozilla.org/CA/Root_CA_Lifecycles
# Compliance with the CABF’s S/MIME BRs
#* https://wiki.mozilla.org/CA/Transition_SMIME_BRs
# Security Vulnerability Reporting
#* https://wiki.mozilla.org/CA/Vulnerability_Disclosure
# Removed duplication with CCADB Policy regarding Audit Requirements
#* https://www.ccadb.org/policy
# Annual Submission of CCADB Compliance Self-Assessment
#* https://www.ccadb.org/cas/self-assessment
# Elimination of SHA-1
Survey Responses:
https://docs.google.com/spreadsheets/d/1xJ6VRs2R0tw3-QHoIRzIIO8MWWoqNs576KOxPKYsp3w/edit?usp=sharing
== February 2023 CA Communication ==
Dear Certification Authority,
Mozilla’s Root Store Policy (MRSP) was recently updated to version 2.8.1 with an effective date of February 15, 2023, https://github.com/mozilla/pkipolicy/pull/265/files. Version 2.8.1 contains several clarifications and minor changes that may affect your organization. You need to be aware of these clarifications and changes to ensure your continued compliance with the MRSP. The following are summaries only of the actual language in the MRSP, and in the event of any conflicting interpretation, the MRSP takes precedence over these summaries:
* You are required to follow and be aware of discussions in both the Mozilla dev-security-policy forum, https://groups.google.com/a/mozilla.org/g/dev-security-policy, and the CCADB Public List, https://groups.google.com/a/ccadb.org/g/public;
* Your CP, CPS, or combined CP/CPS MUST clearly explain your CA’s domain validation procedures and indicate which subsection of section 3.2.2.4 of the CA/Browser Forum’s Baseline Requirements you are complying with;
* Your CP, CPS, or combined CP/CPS MUST be updated at least every 365 days (more often is expected), and it must be reported in the CCADB in a “timely manner”, and failure to do either of these things will require that you file an incident report in Bugzilla;
* You MUST maintain links to all historic versions of each CP, CPS, or combined CP/CPS from the creation of included CA certificates until such certificate hierarchies are no longer trusted by the Mozilla root store, and if your CA certificate was included by Mozilla before December 31, 2022, then you still must maintain links for “reasonably available historic versions” of your CPs, CPSes, or combined CP/CPSes; and
* In the CCADB, if you elect to publish a JSON array of partial CRLs (rather than the full CRL), then the JSON Array of Partitioned CRLs must contain a critical Issuing Distribution Point extension, which shall include a URI whose value is derived from either the URI as encoded in the distributionPoint field of an issued certificate's CRL Distribution Points extension (see RFC 5280 section 5.2.5) or the URL included in the "JSON Array of Partitioned CRLs" field in the CCADB entry corresponding to the certificate for the issuing CA.
Finally, participation in Mozilla's CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard user security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you very much for your continued cooperation in this pursuit.
Regards,
Ben Wilson
Mozilla CA Program Manager
== May 2022 CA Communication and Survey ==
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommunicationSurveySample?CACommunicationId=a058Z000013UmsDQAS Read-only copy of May 2022 CA Communication and Survey]
** This link is '''Read Only'''. To submit your responses, you must [http://ccadb.org/cas/ log in to the CCADB], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'May 2022 CA Communication and Survey' survey.
** Make sure you click on the ''''Submit'''' button at the bottom of the survey, and '''make sure you get a 'survey submitted' response''' -- there are required fields.
=== May 2022 Responses ===
The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)].
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00160,Q00161 Responses to Item 1] -- Compliance with MRSP v. 2.8
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00162,Q00163 Responses to Item 2] -- "Incidents" include audit findings
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00164,Q00165 Responses to Item 3] -- Auditor membership in ACAB'c and WebTrust
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00166,Q00167,Q00168 Responses to Item 4] -- Online Archival of CPs and CPSes
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00169,Q00170 Responses to Item 5] -- Full CRLs for Intermediate TLS CAs in CCADB
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00171,Q00172 Responses to Item 6.1] -- Sunsetting of SHA1 for S/MIME Certificates
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00173,Q00174 Responses to Item 6.2] -- Sunsetting of SHA1 for Other Types of Signing
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00175,Q00176 Responses to Item 7] -- Publicly Disclose Intermediate CA Certificates capable of Issuing TLS or S/MIME
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00177,Q00178 Responses to Item 8] -- Misissuance of Certificate Transparency Precertificates
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00179,Q00180,Q00181 Responses to Item 9] -- CRL Revocation Reasons for TLS Certificates
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00182,Q00183 Responses to Item 10] -- Public Review of Unconstrained Externally-Operated Subordinate CAs
== February 2022 CA Communication ==
Dear Certification Authority,
Mozilla is engaged in policy review discussions to sunset the use of SHA1 for signing by CAs of CRLs, OCSP responses, and SMIME certificates.
See https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/CnVjV-bFcyI/m/TFuWOy2BAwAJ
(Server certificate signing is governed by the Baseline Requirements, and effective June 1, 2022, OCSP responses related to server certificates cannot be signed with SHA1.)
One proposal is to remove SHA1 from the list of allowed signing algorithms altogether, but before we do this, I would like your proposed sunset dates for the different types of SHA1 signing you might currently perform--SMIME certificates, ARLs/CRLs, and OCSP responses for SMIME certificates.
Please participate in this important topic, which is already underway on the Mozilla dev-security-policy list. Let us know about your specific concerns and hurdles that would need to be overcome.
(Some CAs have expressed willingness to quickly convert over to SHA256, while others have expressed that it is not a simple task and will require additional development work.)
Thanks,
Ben Wilson (bwilson@mozilla.com)
Mozilla Root Store Program
== April 2021 CA Communication ==
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommunicationSurveySample?CACommunicationId=a054o00000EL1Fo Read-only copy of April 2021 CA Communication]
** This link is '''Read Only'''. To submit your response, you must [http://ccadb.org/cas/ log in to the CCADB], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'April 2021 CA Communication' survey.
** Make sure you click on the ''''Submit'''' button at the bottom of the survey, and '''make sure you get a 'survey submitted' response''' -- there are required fields.
Dear Certification Authority,
<br>
<br>
Mozilla’s Root Store Policy was recently updated to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ version 2.7.1] with an effective date of 1 May 2021. This version contains [https://github.com/mozilla/pkipolicy/pull/223 several changes] that may affect your organization and the auditors who evaluate your PKI. These changes require you to take action to ensure your continued compliance.
<br><br>
Please review version 2.7.1 of [https://www.mozilla.org/projects/security/certs/policy/ Mozilla’s Root Store Policy] internally, and with your auditors as well. After you and your auditors have reviewed these new requirements, complete the April 2021 survey via the Common CA Database (CCADB). This survey also contains information regarding other recent and upcoming changes that may affect your practices. Read all survey questions first before beginning to respond.
<br><br>
To respond to this survey, [https://ccadb.org/cas/ log in to the CCADB], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'April 2021 CA Communication' survey. All CAs with root certificates included in Mozilla’s root store must submit their responses by 30-April-2021.
<br><br>
A compiled list of CA responses to the survey will be [https://wiki.mozilla.org/CA/Communications automatically and immediately published] by the CCADB system.
<br><br>
Participation in Mozilla's CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your cooperation in this pursuit.
<br>
<br>Regards,
<br>Ben Wilson
<br>Mozilla CA Program Manager
=== April 2021 Responses ===
The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)].
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00129,Q00142 Responses to Item 1] -- Review Version 2.7.1 of Mozilla's Root Store Policy
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00131,Q00149,Q00143 Responses to Item 2] -- 398-day reuse period on domain/IP address validation
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00132,Q00144 Responses to Item 3] -- Clarification about EV Audit Requirements
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00133,Q00145 Responses to Item 4] -- Annual Audit Covering the CA Key Pair Lifecycle
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00136,Q00146 Responses to Item 5] -- Audit Team Qualifications
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00137,Q00147 Responses to Item 6] -- List of Incidents in Audit Reports
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00140,Q00150,Q00148 Responses to Item 7] -- Methods to Demonstrate Key Compromise
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00141,Q00157,Q00159 Responses to Item 8] -- Removal of Old Root CA Certificates (challenges and alternatives)
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00156,Q00151,Q00158 Responses to Item 8 timelines] -- Timelines and strategies to replace old, non-BR compliant CA hierarchies and root certificates
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00152,Q00155,Q00153 Responses to Item 9] -- Audit Letter Validation on Intermediate Certificates
== May 2020 CA Communication ==
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommunicationSurveySample?CACommunicationId=a051J000042AUSv Read-only copy of May 2020 CA Communication]
** CAs: This link is '''Read Only'''. To submit your response, you must [http://ccadb.org/cas/ log in to the CCADB], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'May 2020 CA Communication' survey. Make sure you click on the ''''Submit'''' button at the bottom of the survey, and '''make sure you get a good 'survey submitted' response''' -- there are required fields.
<br />
Dear Certification Authority,
<br>
<br>This survey requests your input on current policy and upcoming policy changes that affect you as a participant in Mozilla's CA Certificate Program.
<br>
<br>To respond to this survey, [http://ccadb.org/cas/ log in to the CCADB], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'May 2020 CA Communication' survey. All CAs with root certificates included in Mozilla’s root store must submit their responses by 31-May 2020.
<br>
<br>A compiled list of CA responses to the survey will be [https://wiki.mozilla.org/CA/Communications automatically and immediately published] by the CCADB system.
<br>
<br>Participation in Mozilla's CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your cooperation in this pursuit.
<br>
<br>Regards,
<br>Kathleen Wilson
<br>Mozilla CA Program Manager
=== May 2020 Responses ===
The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)].
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J000042AUSv&QuestionId=Q00099,Q00100 Responses to Item 1] -- Impact of COVID-19 Restrictions
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J000042AUSv&QuestionId=Q00101,Q00102, Responses to Item 2] -- Mozilla Root Store Policy version 2.7 Requirements and Deadlines
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J000042AUSv&QuestionId=Q00103,Q00104 Responses to Item 3] -- Reducing Maximum Validity Period for TLS Certificates
** [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J000042AUSv&QuestionId=Q00105,Q00106,Q00107 Responses to Sub Item 3.1] -- Limit TLS Certificates to 398-day validity
** [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J000042AUSv&QuestionId=Q00108,Q00109,Q00110 Responses to Sub Item 3.2] -- Limit re-use of domain name and IP address verification to 398 days
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J000042AUSv&QuestionId=Q00111,Q00112 Responses to Item 4] -- CA/Browser Forum Ballot for Browser Alignment
** [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J000042AUSv&QuestionId=Q00113,Q00114,Q00115 Responses to Sub Item 4.1] -- CA/Browser Forum defined-policy OID in Subscriber Cert certificatePolicies
** [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J000042AUSv&QuestionId=Q00116,Q00117,Q00118 Responses to Sub Item 4.2] -- Byte-for-byte Identical Issuer and Subject Distinguished Names
** [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J000042AUSv&QuestionId=Q00119,Q00120,Q00121 Responses to Sub Item 4.3] -- Text-searchable PDF Audit Statements
** [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J000042AUSv&QuestionId=Q00122,Q00123,Q00124 Responses to Sub Item 4.4] -- OCSP Requirements
== January 2020 CA Communication ==
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommunicationSurveySample?CACommunicationId=a051J00003waNOW Read-only copy of January 2020 CA Communication]
** CAs: This link is '''Read Only'''. To submit your response, you must [http://ccadb.org/cas/ log in to the CCADB], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'January 2020 CA Communication' survey. Make sure you click on the ''''Submit'''' button at the bottom of the survey, and '''make sure you get a good 'survey submitted' response''' -- there are required fields.
<br />
Dear Certification Authority,
<br>
<br>Mozilla’s [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Root Store Policy] was recently [https://blog.mozilla.org/security/2019/12/11/announcing-version-2-7-of-the-mozilla-root-store-policy/ updated]. The 2.7 version went into effect on 1-January 2020. This version contains a [https://github.com/mozilla/pkipolicy/pull/199/files number of changes] that may affect your organization and will require you to take action to comply. Please review Mozilla’s updated Root Store Policy and complete the January 2020 survey via the Common CA Database (CCADB). This survey also contains information regarding other recent and upcoming changes that may affect your Certificate Authority (CA).
<br>
<br>As a participant in Mozilla's CA Certificate Program, this survey requires that you answer a set of questions.
<br>
<br>To respond to this survey, [https://ccadb.org/cas/ log in to the Common CA Database (CCADB)], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'January 2020 CA Communication' survey. Please enter your response by 31 January 2020.
<br>
<br>A compiled list of CA responses to the survey action items will be [https://wiki.mozilla.org/CA/Communications automatically and immediately published] by the CCADB system.
<br>
<br>Participation in Mozilla's CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your cooperation in this pursuit.
<br>
<br>Regards,
<br>Wayne Thayer
<br>Mozilla CA Program Manager
=== January 2020 Responses ===
The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)].
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003waNOW&QuestionId=Q00082,Q00083 Responses to Action 1] -- Review Mozilla Root Store Policy
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003waNOW&QuestionId=Q00084,Q00085,Q00098 Responses to Action 2] -- Update CP/CPS
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003waNOW&QuestionId=Q00086,Q00087,Q00097 Responses to Action 3] -- Include EKUs in All End-entity Certificates
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003waNOW&QuestionId=Q00088,Q00089 Responses to Action 4] -- Ensure Audit Reports are Properly Formatted
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003waNOW&QuestionId=Q00090,Q00096,Q00091 Responses to Action 5] -- Resolve Audit Issues with Intermediate Certificates
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003waNOW&QuestionId=Q00092,Q00093 Responses to Action 6] -- Incident Reporting
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003waNOW&QuestionId=Q00094,Q00095 Responses to Action 7] -- Compliance with BRs
== November 2018 CA Communication (Underscores in dNSNames) ==
On November 12, 2018, the following message was sent to all CAs in the Mozilla program, alerting them to CA/Browser Forum ballot SC12, which established a brief sunset period for the use of underscore characters in dNSNames in publicly-trusted TLS certificates.
<br />
Dear Certification Authority,
The CA/Browser Forum recently approved [1] a clarification to the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” (BRs) that may affect you. Domain names containing underscore (“_”) characters are not permitted to be encoded as dNSName types in the subjectAlternativeName (SAN) field of BR-compliant certificates. This requirement derives from section 4.2.1.6 of RFC 5280, which the BRs require CAs to comply with by reference.
Section 7.1.4.2.1 of the BRs will add the following language that clarifies the existing requirement and adds a short time in which CAs must discontinue the use of underscore characters in dNSNames:
-----
Prior to April 1, 2019, certificates containing underscore characters (“_”) in domain labels in dNSName entries MAY be issued as follows:
* dNSName entries MAY include underscore characters such that replacing all underscore characters with hyphen characters (“-”) would result in a valid domain label, and;
* Underscore characters MUST NOT be placed in the left most domain label, and;
* Such certificates MUST NOT be valid for longer than 30 days.
All certificates containing an underscore character in any dNSName entry and having a validity period of more than 30 days MUST be revoked prior to January 15, 2019.
After April 30, 2019, underscore characters (“_”) MUST NOT be present in dNSName entries.
-----
This new language will go into effect on December 10, 2018 when the IPR review period for ballot SC12 [1] is completed. At that time, CAs must be prepared to stop issuing publicly-trusted TLS certificates containing the underscore character in any dNSName with validity periods of more than 30 days.
As a participant in Mozilla's CA Certificate Program, we want you to be aware of this important change, and ask that you take any necessary steps to comply. No further action related to this change is requested at this time.
Regards,
Wayne Thayer
Mozilla CA Program Manager
[1] https://cabforum.org/2018/11/12/ballot-sc-12-sunset-of-underscores-in-dnsnames/
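The ballot SC12 language quoted in the message above is precise enough to turn into a pre-issuance lint. The following is an added example written for this page, not code from Mozilla, the CA/Browser Forum or any CA; it assumes a certificate's notBefore is its issuance date, that datetimes are timezone-aware UTC, and that a leading wildcard label is the only non-LDH label the BRs allow.

```python
"""Lint one dNSName SAN entry against the underscore rules of CA/Browser Forum
ballot SC12 (the BR section 7.1.4.2.1 text quoted in the November 2018 message).
Added example for this page; not a CA's or Mozilla's own code."""
import re
from datetime import datetime, timedelta, timezone

# Dates taken from the ballot text. Assumption: notBefore is treated as the
# issuance date of the certificate.
ISSUANCE_CUTOFF = datetime(2019, 4, 1, tzinfo=timezone.utc)   # "Prior to April 1, 2019 ... MAY be issued"
PRESENCE_CUTOFF = datetime(2019, 4, 30, tzinfo=timezone.utc)  # "After April 30, 2019 ... MUST NOT be present"
REVOCATION_DEADLINE = "January 15, 2019"                      # for underscore certs valid > 30 days
MAX_UNDERSCORE_VALIDITY = timedelta(days=30)                  # "MUST NOT be valid for longer than 30 days"

# RFC 5280 section 4.2.1.6 requires the RFC 1034 "preferred name syntax" for
# dNSName labels: letters, digits and hyphens, 1-63 characters, no leading or
# trailing hyphen. Underscore is not in that alphabet, which is the root of SC12.
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def utc_date(year: int, month: int, day: int) -> datetime:
    """Helper to build the timezone-aware dates this linter expects."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def valid_ldh_label(label: str) -> bool:
    return bool(LDH_LABEL.match(label))


def lint_dnsname(dnsname: str, not_before: datetime, not_after: datetime) -> list:
    """Return a list of SC12 findings for one dNSName; an empty list means compliant."""
    findings = []
    labels = dnsname.rstrip(".").split(".")

    # Every label must be a valid domain label once '_' is replaced by '-'
    # (for labels without underscores this is the plain RFC 5280 syntax check).
    for i, lbl in enumerate(labels):
        if i == 0 and lbl == "*":
            continue  # wildcard label, permitted by the BRs
        if not valid_ldh_label(lbl.replace("_", "-")):
            findings.append(f"label {lbl!r} is not a valid domain label (after '_' -> '-')")

    if "_" not in dnsname:
        return findings  # the remaining rules only apply to underscore names

    # Sunset rules: no issuance on/after April 1, 2019, and no underscore name
    # may still be valid after April 30, 2019.
    if not_before >= ISSUANCE_CUTOFF:
        findings.append("underscore dNSName issued on or after April 1, 2019")
    if not_after > PRESENCE_CUTOFF:
        findings.append("underscore dNSName still valid after April 30, 2019")

    # Transitional conditions for certificates issued during the sunset period.
    if "_" in labels[0]:
        findings.append("underscore in left-most domain label")
    if not_after - not_before > MAX_UNDERSCORE_VALIDITY:
        findings.append(
            "underscore dNSName valid for longer than 30 days "
            f"(MUST be revoked prior to {REVOCATION_DEADLINE})"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample SAN entries, not taken from any real certificate.
    samples = [
        ("www.example.com", utc_date(2018, 12, 1), utc_date(2018, 12, 20)),
        ("www.foo_bar.example.com", utc_date(2018, 12, 1), utc_date(2018, 12, 20)),
        ("_sip.example.com", utc_date(2018, 12, 1), utc_date(2018, 12, 20)),
        ("www.foo_bar.example.com", utc_date(2018, 12, 1), utc_date(2019, 2, 1)),
        ("www.foo_bar.example.com", utc_date(2019, 5, 1), utc_date(2019, 5, 20)),
    ]
    for name, nb, na in samples:
        result = lint_dnsname(name, nb, na)
        print(f"{name:28} {nb.date()}..{na.date()}  {'OK' if not result else result}")
```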
=== November 2018 Responses ===
* No survey was included in this CA Communication
== September 2018 CA Communication ==
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommunicationSurveySample?CACommunicationId=a051J00003rMGLL Read-only copy of September 2018 CA Communication]
** CAs: This link is '''Read Only'''. To submit your response, you must [http://ccadb.org/cas/ log in to the CCADB], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'September 2018 CA Communication' survey. Make sure you click on the ''''Submit'''' button at the bottom of the survey, and '''make sure you get a good 'survey submitted' response''' -- there are required fields.
<br />
Dear Certification Authority,
<br>
<br>Mozilla’s [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Root Store Policy] was recently [https://blog.mozilla.org/security/2018/07/02/root-store-policy-updated/ updated]. The 2.6.1 version went into effect on 1-July, 2018. This version contains a number of changes that may affect your organization and will require you to take action to comply. This survey also contains information regarding other recent and upcoming changes that may affect your Certification Authority (CA).
<br>
<br>As a participant in Mozilla's CA Certificate Program, this survey requires that you answer a set of questions.
<br>
<br>To respond to this survey, [https://ccadb.org/cas/ log in to the Common CA Database (CCADB)], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'September 2018 CA Communication' survey. Please enter your response by 30-September 2018.
<br>
<br>A compiled list of CA responses to the survey action items will be [https://wiki.mozilla.org/CA/Communications automatically and immediately published] by the CCADB system.
<br>
<br>Participation in Mozilla's CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your cooperation in this pursuit.
<br>
<br>Regards,
<br>Wayne Thayer
<br>Mozilla CA Program Manager
=== September 2018 Responses ===
The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)].
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003rMGLL&QuestionId=Q00068,Q00069 Responses to Action 1] -- Review Mozilla Root Store Policy
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003rMGLL&QuestionId=Q00070,Q00071 Responses to Action 2] -- Update CP/CPS
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003rMGLL&QuestionId=Q00072,Q00073 Responses to Action 3] -- Transition to Separate Intermediate Certificates for SSL and S/MIME
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003rMGLL&QuestionId=Q00074,Q00075 Responses to Action 4] -- Ensure Audit Reports comply with Mozilla’s Root Store Policy
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003rMGLL&QuestionId=Q00076,Q00077 Responses to Action 5] -- Discontinue use of BR Validation Methods 3.2.2.4.1 and 3.2.2.4.5
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003rMGLL&QuestionId=Q00078,Q00079 Responses to Action 6] -- Disclose Intermediate Certificates
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003rMGLL&QuestionId=Q00080,Q00081 Responses to Action 7] -- Submit TLS Certificates to CT Logs for Mozilla's CRLite
== January 2018 CA Communication ==
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommunicationSurveySample?CACommunicationId=a051J00003mqMFN Read-only copy of January 2018 CA Communication]
** CAs: This link is '''Read Only'''. To submit your response, you must [http://ccadb.org/cas/ log in to the CCADB], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'January 2018 CA Communication' survey. Make sure you click on the ''''Submit'''' button at the bottom of the survey, and '''make sure you get a good 'survey submitted' response''' -- there are required fields.
<br />
Dear Certification Authority,
<br /><br />
2018 has already generated some important news for Certification Authorities, and as a result we are sending this message to ensure that every CA in the Mozilla program is aware of current events and impending deadlines.
<br /><br />
This survey requests a set of actions on your behalf, as a participant in Mozilla's CA Certificate Program.
<br /><br />
To respond to this survey, log in to the Common CA Database (CCADB), then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'January 2018 CA Communication' survey. Please enter your response by 9-February 2018.
<br /><br />
A compiled list of CA responses to the survey action items will be automatically and immediately published by the CCADB system.
<br /><br />
Participation in Mozilla's CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your cooperation in this pursuit.
<br /><br />
Regards,<br />
Wayne Thayer<br />
Mozilla CA Program Manager<br />
=== January 2018 Responses ===
The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)].
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mqMFN&QuestionId=Q00056,Q00057 Responses to Action 1] -- Disclose Use of Methods 3.2.2.4.9 or 3.2.2.4.10 for Domain Validation
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mqMFN&QuestionId=Q00058,Q00059 Responses to Action 2] -- Disclose Use of Methods 3.2.2.4.1 or 3.2.2.4.5 for Domain Validation
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mqMFN&QuestionId=Q00060,Q00061 Responses to Action 3] -- Disclose All Non-Technically-Constrained Subordinate CA Certificates
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mqMFN&QuestionId=Q00062,Q00063 Responses to Action 4] -- Complete BR Self Assessment
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mqMFN&QuestionId=Q00064,Q00065 Responses to Action 5] -- Update CP/CPS to Comply with version 2.5 of Mozilla Root Store Policy
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mqMFN&QuestionId=Q00066,Q00067 Responses to Action 6] -- Reduce SSL Certificate Validity Periods to 825 Days or Less by March 1, 2018
== November 2017 CA Communication ==
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommunicationSurveySample?CACommunicationId=a051J00003mogw7 Read-only copy of November 2017 CA Communication]
** CAs: This link is '''Read Only'''. To submit your response, you must [http://ccadb.org/cas/ log in to the CCADB], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'November 2017 CA Communication' survey. Make sure you click on the ''''Submit'''' button at the bottom of the survey, and '''make sure you get a good 'survey submitted' response''' -- there are required fields.
Dear Certification Authority,
This survey requests a set of actions on your behalf, as a participant in [[CA|Mozilla's CA Certificate Program]].
To respond to this survey, log in to the [http://ccadb.org/cas Common CA Database (CCADB)], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'November 2017 CA Communication' survey. Please enter your response by December 15, 2017.
A compiled list of CA responses to the survey action items will be [[CA/Communications|automatically and immediately published]] by the CCADB system.
Participation in [[CA|Mozilla's CA Certificate Program]] is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your cooperation in this pursuit.
Regards,<br />
Kathleen Wilson<br />
Mozilla CA Program Manager
=== November 2017 Responses ===
The reports in the following links are automatically generated from data in the [http://ccadb.org/ Common CA Database (CCADB)].
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mogw7&QuestionId=Q00035,Q00036 Responses to Action 1] -- Full compliance with version 2.5 of [https://www.mozilla.org/about/governance/policies/security-group/certs/policy Mozilla's Root Store Policy]
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mogw7&QuestionId=Q00037,Q00044 Responses to Action 2] -- non-technically-constrained intermediate certificates must be [http://ccadb.org/cas/intermediates disclosed in CCADB] within one week of creation. '''New requirements''' for [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#technically-constrained technical constraints on intermediate certificates issuing S/MIME certificates].
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mogw7&QuestionId=Q00038,Q00045 Responses to Action 3] -- Annual updates via [http://ccadb.org/cas/updates CCADB Audit Cases]
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mogw7&QuestionId=Q00050,Q00051 Responses to Action 4] -- Reiterate [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#audit-parameters audit requirements] and '''penalty for incomplete audit statements'''
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mogw7&QuestionId=Q00039,Q00046 Responses to Action 5] -- Perform a [[CA/BR_Self-Assessment|BR Self Assessment]]
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mogw7&QuestionId=Q00042,Q00048 Responses to Action 6] -- Provide tested email address for [https://ccadb.my.salesforce-sites.com/mozilla/CAInformationReport Problem Reporting Mechanism]
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mogw7&QuestionId=Q00040,Q00047 Responses to Action 7] -- Follow new developments and effective dates for [http://tools.ietf.org/html/rfc6844 Certification Authority Authorization (CAA)]
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a051J00003mogw7&QuestionId=Q00052,Q00053 Responses to Action 8] -- Check [https://groups.google.com/d/msg/mozilla.dev.security.policy/4kj8Jeem0EU/GvqsgIzSAAAJ issuance of certs to .tg domains] from October 25 to November 11, 2017.
== May 2017 - Announcing CCADB Changes ==
<br />
Subject: Common CA Database (CCADB) changes May 19-21, 2017
<br /><br />
Message:<br /><br />
Dear Certification Authority,
<br />
<br />
The Common CA Database (CCADB) will undergo the following changes this weekend, May 19 to May 21. During this time, the old URLs listed below will stop working, and there will be some time when the CCADB is in read-only mode.
<br />
<br />
On May 19 the following three breaking changes are planned, meaning that the old URLs will no longer work. Any links or bookmarks to these URLs will need to be updated. After these changes are made, I will also update Mozilla's wiki pages to point to the new URLs.
<br />
<br />
1) The CA login page and the domain CAs see when they are logged into the CCADB will change.
<br />
https://mozillacacommunity.force.com/
<br />
will be changed to
<br />
https://ccadb.force.com/
<br />
<br />
2) The links to reports that are published directly from the CCADB will change.
<br />
https://mozillacaprogram.secure.force.com/CA/
<br />
will be changed to
<br />
https://ccadb-public.secure.force.com/mozilla/
<br />
<br />
3) The links to CA communication responses that are published directly from the CCADB will change.
<br />
https://mozillacaprogram.secure.force.com/Communications
<br />
will be changed to
<br />
https://ccadb-public.secure.force.com/Surveys
<br />
<br />
Then on May 21 between 12am and 4am PDT, the CCADB will be in read-only mode while Salesforce performs an instance refresh to upgrade the infrastructure supporting the CCADB instance in their data centers.
<br />
<br />
Regards,
<br />
Kathleen
== April 2017 ==
Note: The deadline to reply to this survey has [https://groups.google.com/d/msg/mozilla.dev.security.policy/03rdTdnm7iw/NQUHmWOcEAAJ been extended] by one week, to May 5, 2017.
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommunicationSurveySample?CACommunicationId=a05o000003WrzBC Read-only copy of April 2017 CA Communication]
** CAs: This link is '''Read Only'''. To submit your response, you must [https://ccadb.force.com/CustomLogin log in to the CCADB], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'April 2017 CA Communication' survey. Make sure you click on the 'Submit' button at the bottom of the survey, and make sure you get a good 'survey submitted' response -- there are required fields.
Dear Certification Authority,
This survey requests a set of actions on your behalf, as a participant in [[CA:IncludedCAs|Mozilla's CA Certificate Program]].
To respond to this survey, [https://mozillacacommunity.force.com/CustomLogin log in to the Common CA Database (CCADB)], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'April 2017 CA Communication' survey. Please enter your response by April 28, 2017.
A compiled list of CA responses to the survey action items will be automatically and immediately published by the CCADB system.
In addition to responding to the action items in this survey, we are instituting a program requirement that you follow discussions in the [https://www.mozilla.org/en-US/about/forums/#dev-security-policy mozilla.dev.security.policy] forum, which includes discussions about upcoming changes to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy], questions and clarification about policy and expectations, root certificate [[CA|inclusion/change requests]], and certificates that are found to be non-compliant with the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum's Baseline Requirements] or other program requirements. You are not required to contribute to those discussions, only to be aware of them. However, we hope you will participate and help shape the future of Mozilla's CA Certificate Program.
Participation in [[CA:Overview|Mozilla's CA Certificate Program]] is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your cooperation in this pursuit.
Regards,<br />
Kathleen Wilson<br />
Mozilla CA Program Manager
=== April 2017 Responses ===
The reports in the following links are automatically generated from data in the [[CA:CommonCADatabase|Common CA Database]].
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00015,Q00030 Responses to Action 1] -- Domain Validation
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00016,Q00025 Responses to Action 2 and Action 10] -- Yearly CP/CPS Updates, Test Tools
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00022,Q00029 Responses to Action 3] -- Updated Mozilla CA Certificate Policy
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00017,Q00031 Responses to Action 4] -- Audit Statements, annual updates
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00018,Q00032 Responses to Action 5] -- Audit Statement Contents
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00021,Q00033 Responses to Action 6] -- Qualified Audit Statements
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00019 Responses to Action 7] -- BR Compliance Bugs
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommRespWithTextAndTotalsReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00020&QuestionIdForText=Q00026 Responses to Action 8] -- Confirm Completion of Previous Commitments
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00027 Responses to Action 9] -- Registration Authorities
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00016,Q00025 Responses to Action 10 and Action 2] -- Yearly CP/CPS Updates, Test Tools
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00023 Responses to Action 11] -- Certification Authority Authorization (CAA)
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00028 Responses to Action 12] -- Problem Reporting Mechanism
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00024 Responses to Action 13] -- SHA-1 and S/MIME
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00034 Responses to Action 14] -- Certificate Validity Periods in TLS/SSL Certs
== March 2016 ==
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommunicationSurveySample?CACommunicationId=a05o000000iHdtx Read-only copy of March 2016 CA Communication]
Dear Certification Authority,
This survey requests a set of actions on your behalf, as a participant in Mozilla's CA Certificate Program, by April 22, 2016.
To respond to this survey, please log in to the [[CA:SalesforceCommunity|CA Community in Salesforce]], then click on the 'COMMUNICATIONS' tab in the 'My CA' page, and select the 'March 2016 CA Communication' survey. Please enter your response by April 22, 2016.
A compiled list of CA responses to the survey action items will be [[CA:Communications#March_2016_Responses|automatically and immediately published]] by Salesforce.
In addition to responding to the action items in this survey, we request that you follow and contribute to discussions in the [https://groups.google.com/forum/#!forum/mozilla.dev.security.policy mozilla.dev.security.policy] forum, which includes discussions about [[CA:CertificatePolicyV2.3|upcoming changes to Mozilla's CA Certificate Policy]], questions and clarification about policy and expectations, root certificate [[CA:Schedule|inclusion/change requests]], and certificates that are found to be non-compliant with the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum's Baseline Requirements]. Your contributions to the discussions will help shape the future of [[CA:Overview|Mozilla's CA Certificate Program]].
Participation in Mozilla's CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your cooperation in this pursuit.
Regards,
Kathleen Wilson, Mozilla CA Program Manager
=== March 2016 Responses ===
The following links are automatically generated from data in the [[CA:SalesforceCommunity|CA Community in Salesforce]].
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommSummaryReport?CommunicationID=a05o000000iHdtx CA Responses to March 2016 CA Communication]
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000000iHdtx&QuestionId=Q00001,Q00013 Responses to Action #1a] -- SHA-1 Deprecation dates
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000000iHdtx&QuestionId=Q00002,Q00014 Responses to Action #1b] -- SHA-1 Deprecation dates
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommRespWithTextAndTotalsReport?CommunicationId=a05o000000iHdtx&QuestionId=Q00010&QuestionIdForText=Q00011 Responses to Action #1c] -- SHA-1 Deprecation
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000000iHdtx&QuestionId=Q00004 Responses to Action #2] -- Entering intermediate certificate data into the CA Community in Salesforce
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000000iHdtx&QuestionId=Q00005 Responses to Action #3] -- Entering revoked intermediate certificate data into the CA Community in Salesforce
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommRespWithTextAndTotalsReport?CommunicationId=a05o000000iHdtx&QuestionId=Q00006&QuestionIdForText=Q00007 Responses to Action #4] -- [[SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix|Removing workarounds]] to compatibility issues that were encountered involving certificates that did not conform to the Baseline Requirements.
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000000iHdtx&QuestionId=Q00008 Responses to Action #5] -- Plans to remove old/retired root certificates
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000000iHdtx&QuestionId=Q00009 Responses to Action #6] -- Confirmation of understanding that all certificates, including test certificates, must conform to stated policies
* [https://ccadb.my.salesforce-sites.com/Surveys/CACommResponsesOnlyReport?CommunicationId=a05o000000iHdtx&QuestionId=Q00012 Responses to Action #7] -- [[CA:RootTransferPolicy|Mozilla's Root Transfer Policy]]
== May 2015 ==
Dear Certification Authority,
This email requests a set of actions on your behalf, as a participant in Mozilla's CA Certificate Program. Please reply by June 5, 2015, with your response to the action items by clicking on the survey link below. A compiled list of CA responses to these action items will be published.
Certification Authority: <CA Account Name>
Your Survey Link:
* [https://ccadb.my.salesforce-sites.com/Surveys/TakeSurvey?id=a04o000000M89RCAAZ&cId=&caId=none Survey Link] -- '''IMPORTANT: CAs do NOT use the link in this wiki page! This link will NOT record your response. Please use the link that was emailed to you.'''
Please use the above link to read and respond to the action items. Note that you may access the above link multiple times to update your responses.
Additionally, we plan to update Mozilla's CA Certificate Policy soon, and will be discussing proposed policy updates in the mozilla.dev.security.policy forum, https://www.mozilla.org/en-US/about/forums/#dev-security-policy. We encourage you to monitor the discussions to see how the updates will impact you, and your participation in the discussions will help shape the policy updates.
Participation in Mozilla's CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your cooperation in this pursuit.
Regards,
Kathleen Wilson, Mozilla CA Program Manager
=== May 2015 Responses ===
* [https://ccadb.my.salesforce-sites.com/Surveys/CommunicationSummaryReport?CommunicationId=a04o000000M89RCAAZ CA Responses to May 2015 CA Communication]
* [https://ccadb.my.salesforce-sites.com/Surveys/CommunicationActionOptionResponse?CommunicationId=a04o000000M89RCAAZ&Question=ACTION%20%233:%20After%20January%201,%202016 Responses to Action #3] -- SHA-1 Deprecation Plans
* [https://ccadb.my.salesforce-sites.com/Surveys/CommunicationActionOptionResponse?CommunicationId=a04o000000M89RCAAZ&Question=ACTION%20%234:%20Workarounds%20were%20implemented Responses to Action #4] -- Removing workarounds implemented to allow mozilla::pkix to handle the things listed here https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix.
* [https://ccadb.my.salesforce-sites.com/Surveys/CommunicationActionOptionResponse?CommunicationId=a04o000000M89RCAAZ&Question=ACTION%20%235:%20We%20wish%20to%20understand%20what%20support Responses to Action #5] -- IPv6 survey
== May 2014 ==
Subject: Mozilla Communication: Action requested by May 30, 2014
Dear Certification Authority,
This note requests a set of actions on your behalf, as a participant in Mozilla's CA Certificate Program. Please reply by May 30, 2014, with your response to these action items. A compiled list of CA responses to the following action items will be published.
CA Certificate Inclusion Policy: http://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/
CA Certificate Maintenance Policy: http://www.mozilla.org/about/governance/policies/security-group/certs/policy/maintenance/
Spreadsheet of included root certificates: http://www.mozilla.org/about/governance/policies/security-group/certs/included/
1) Ensure that Mozilla’s [http://www.mozilla.org/about/governance/policies/security-group/certs/included/ spreadsheet of included root certificates] has the correct link to your most recent audit statement, and that the date of the audit statement is correct. As per [http://www.mozilla.org/about/governance/policies/security-group/certs/policy/maintenance/ Mozilla's CA Certificate Maintenance Policy], we require that all CAs whose certificates are distributed with our software products provide us an updated statement annually of attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties. To notify us of an updated statement of attestation, send email to certificates@mozilla.org or [https://bugzilla.mozilla.org/enter_bug.cgi?product=mozilla.org&component=CA%20Certificates submit a bug report] into the mozilla.org Bugzilla system, filed against the "CA Certificates" component of the "mozilla.org" product.
If you are not proactively sending Mozilla your updated audit statements, please create a process to do so.
Please respond with one of the following:
* A) Mozilla’s spreadsheet of included root certificates has the correct link to our most recent audit statement, and the audit statement date is correct.
* B) Here is the most recent audit statement for our certificates that are included in Mozilla’s CA program: <insert link here>
* C) We plan to send Mozilla our current audit statement by <insert date here>.
* D) We do not have a current audit statement for this root certificate, because <explain reason -- If phasing out use of the root then indicate date when the certs expire or when the root may be removed>.
2) Send Mozilla the link to your most recent [https://cabforum.org/about-the-baseline-requirements/ Baseline Requirements] audit statement. Details about Mozilla's audit requirements are listed in section 11 of [http://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy]. The Baseline Requirements audit statement should also be proactively sent to Mozilla each year, along with the other audit statements as described in action #1.
Please respond with one of the following:
* A) Mozilla’s spreadsheet of included root certificates has the correct link to our most recent Baseline Requirements audit statement.
* B) Here is the most recent Baseline Requirements audit statement for our certificates that are included in Mozilla’s CA program: <insert link here>.
* C) We plan to send Mozilla our current Baseline Requirements audit statement by <insert date here and explain reason for delay>.
* D) The websites (SSL/TLS) trust bit is not enabled for our certificates that are included in Mozilla's CA program.
* E) We do not have a current Baseline Requirements audit statement for this root certificate, because <explain reason -- If phasing out use of the root then indicate date when the certs expire or when the root may be removed>.
3) Test Mozilla's new Certificate Verification library with your CA hierarchies and inform your customers of the upcoming changes as needed.
The new Certificate Verification library (mozilla::pkix) was announced here: https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/ .
Mozilla::pkix includes some changes in support of current best practices and policies, as listed here: https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Behavior_Changes .
How to test: https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Request_for_Testing .
Please respond with one of the following:
* A) We have tested certificates in our CA hierarchy with Mozilla's new Certificate Verification library, and found that the certificates in our CA hierarchies are not impacted by the changes introduced in mozilla::pkix.
* B) We have found the following issues when testing certificates in our CA hierarchy with mozilla::pkix. <descriptions or Bugzilla bug numbers, related URLs and/or certificates>
* C) We are testing certificates in our CA hierarchy with Mozilla's new Certificate Verification library, and plan to send Mozilla our results by <insert date here, must be before June 30, 2014>.
4) Check your certificate issuance to confirm that no new certificates will be issued with the problems listed here: https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix
Please respond with one of the following:
* A) We have not and will not issue certificates with any of the problems listed in the mozpkix-testing#Things_for_CAs_to_Fix wiki page.
* B) We have previously issued certificates with the following problems listed in the mozpkix-testing#Things_for_CAs_to_Fix wiki page: <list the problems that needed to be fixed>. The last of those certificates expire <insert dates here, one date per problem>. We will not issue new certificates with the problems listed in the mozpkix-testing#Things_for_CAs_to_Fix wiki page as of this date: <date when your operations will be updated, no later than June 30, 2014>
5) Send Mozilla information about your publicly disclosed subordinate CA certificates that chain up to certificates in Mozilla's CA program, as per Items #8, 9, and 10 of [http://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy].
Please provide a URL to a web page or a Bugzilla Bug Number that lists all of your publicly disclosed subordinate CA certificates that chain up to certificates in Mozilla's CA program, and contains the required information according to section 10 of Mozilla's CA Certificate Inclusion Policy. If you decide to use the mozilla.org Bugzilla system to provide this information, then file the bug against the "CA Certificates" component of the "mozilla.org" product. (https://bugzilla.mozilla.org/enter_bug.cgi?product=mozilla.org&component=CA%20Certificates)
Additionally, please respond with one of the following:
* A) All subordinate CA certificates chaining up to our certificates in Mozilla's CA program are either disclosed as requested above, or are technically constrained according to section 9 of Mozilla's CA Certificate Inclusion Policy.
* B) We request an extension for the following specific subordinate CA certificates, because these subordinate CAs need more time to transition from their legacy systems to their new CA hierarchy: <list of issuer hash, issuer public key hash, and certificate serial number>. For each subordinate CA who needs to operate in their legacy design a little longer, the attached document explains the reason that continued operation is needed and their target date for resolution. <attach document(s) to response>
Participation in Mozilla's CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your cooperation in this pursuit.
Regards,
Kathleen Wilson, Module Owner of Mozilla's CA Certificates Module
=== May 2014 Responses ===
[https://docs.google.com/spreadsheets/d/1v-Lrxo6mYlyrEli_wSpLsHZvV5dJ_vvSzLTAMfxI5n8/pubhtml CA Responses to May 2014 Communication]
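Action 5 of the May 2014 communication identifies each subordinate CA certificate by a triple of issuer hash, issuer public key hash and certificate serial number. The script below is an added example of deriving that triple from a certificate's DER encoding; it is not part of the communication and not Mozilla's or the CCADB's tooling. The communication names the fields but not the hash algorithm or encoding, so SHA-256 over the DER-encoded issuer Name, SHA-256 over the DER-encoded SubjectPublicKeyInfo, and the hex rendering are assumptions made here. The sample certificate is constructed inline, unsigned and with a placeholder key, purely so the script runs offline; in practice the input is the DER of each real intermediate.

```python
"""Derive (issuer hash, issuer public-key hash, serial) for a sub-CA cert.

Assumptions (the communication does not specify them): both hashes are
SHA-256 over DER (issuer Name and SubjectPublicKeyInfo), rendered as
lowercase hex; the serial is rendered as uppercase hex. Standard library
only; a small DER walker suffices because RFC 5280 fixes field order.
"""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _read_tlv(buf, pos):
    """Return (tag, value, whole_tlv, next_pos) for the DER TLV at pos."""
    start = pos
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], buf[start:end], end


def _children(value):
    """Yield (tag, value, whole_tlv) for each element of a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, whole, pos = _read_tlv(value, pos)
        yield tag, inner, whole


def disclosure_identifiers(cert_der):
    """Return {'issuer_hash', 'spki_hash', 'serial'} for one DER certificate."""
    tag, cert, _, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tbs_tag, tbs, _, _ = _read_tlv(cert, 0)      # tbsCertificate comes first
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(_children(tbs))
    if fields and fields[0][0] == 0xA0:          # optional [0] EXPLICIT version
        fields = fields[1:]
    # RFC 5280 order: serialNumber, signature, issuer, validity, subject, SPKI
    serial_tag, serial_val, _ = fields[0]
    if serial_tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return {
        "issuer_hash": sha256_hex(fields[2][2]),   # whole DER Name TLV
        "spki_hash": sha256_hex(fields[5][2]),     # whole DER SPKI TLV
        "serial": serial_val.hex().upper(),
    }


# --- constructed, unsigned sample certificate so the script runs offline ----
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _seq(*parts):
    return _tlv(0x30, b"".join(parts))


def _name(common_name):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; OID 2.5.4.3 = commonName
    atv = _seq(_tlv(0x06, b"\x55\x04\x03"), _tlv(0x13, common_name.encode("ascii")))
    return _seq(_tlv(0x31, atv))


_SHA256_RSA = _seq(_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), _tlv(0x05, b""))
_RSA_ENC = _seq(_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"), _tlv(0x05, b""))
SAMPLE_ISSUER_DER = _name("Example Root CA")
SAMPLE_SPKI_DER = _seq(_RSA_ENC, _tlv(0x03, b"\x00" * 33))   # placeholder, not a real key
SAMPLE_CERT_DER = _seq(
    _seq(
        _tlv(0xA0, _tlv(0x02, b"\x02")),                       # version v3
        _tlv(0x02, b"\x01\x23\x45"),                           # serialNumber 0x012345
        _SHA256_RSA,                                           # signature algorithm
        SAMPLE_ISSUER_DER,                                     # issuer
        _seq(_tlv(0x17, b"140101000000Z"), _tlv(0x17, b"240101000000Z")),  # validity
        _name("Example Sub CA"),                               # subject
        SAMPLE_SPKI_DER,                                       # subjectPublicKeyInfo
    ),
    _SHA256_RSA,
    _tlv(0x03, b"\x00" * 33),                                  # placeholder signature
)

if __name__ == "__main__":
    print(disclosure_identifiers(SAMPLE_CERT_DER))
```

For a PEM intermediate, base64-decode the text between the BEGIN/END CERTIFICATE lines before calling disclosure_identifiers(); hashing the whole issuer Name TLV (tag and length included) is what keeps the value stable across tools that re-encode the name, and whichever encoding is chosen it must be stated alongside the list so that Mozilla can match the entries against its own records.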
== July 2013 ==
Subject: Mozilla Communication: Action requested by August 16, 2013
Dear Certification Authority,
Mozilla’s CA Certificate Policy has been updated with a few important changes. This update was motivated by security concerns regarding ICANN granting applied-for new gTLD strings. Additionally, we want to make it very clear that there will be serious consequences if it is found that a CA has knowingly or intentionally mis-issued certificates chaining to trust anchors in Mozilla’s program.
Mozilla’s CA Certificate Program governs inclusion of root certificates in Network Security Services (NSS), a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of applications.
Please carefully review the following wiki page for information about the changes introduced in version 2.2 of Mozilla’s CA Certificate Policy.
https://wiki.mozilla.org/CA:CertificatePolicyV2.2
This note requests a set of actions on your behalf, as a participant in Mozilla's CA Certificate Program. Please reply by August 16, 2013, with your response to the following action items.
1) Update your CA operations and policies to include the CA/Browser Forum’s Baseline Requirement #11.1.4 regarding new gTLD domains, and subscribe to ICANN’s new gTLD Registry Agreement notification mailing list at: https://mm.icann.org/mailman/listinfo/gtldnotification
Please respond with one of the following:
* A) No action required, because we have not and will not issue SSL certificates with internal or private domain names chaining up to root certificates that are included in Mozilla’s program.
* B) We have issued or may issue SSL certificates with internal or private domain names that chain up to root certificates that are included in Mozilla’s program, so we are implementing Baseline Requirement #11.1.4, and will subscribe to ICANN’s notification service regarding applied-for-gTLD strings. We plan to have this completed by September 16, 2013.
* C) We have already implemented Baseline Requirement #11.1.4, and have subscribed to ICANN’s notification service regarding applied-for-gTLD strings.
2) Review your CA operations and customers to ensure that there are no certificates chaining up to your trust anchors that are included in Mozilla’s program that may be used for MITM or “traffic management” of domain names or IP addresses that the certificate holder does not own or control. [http://www.mozilla.org/projects/security/certs/policy/EnforcementPolicy.html Mozilla’s CA Certificate Enforcement Policy] has been updated to make it clear that Mozilla will not tolerate this use of publicly trusted certificates.
Please respond with:
* “We have reviewed Mozilla’s updated CA Certificate Enforcement Policy and understand that knowing or intentional mis-issuance of a certificate is expressly against Mozilla’s CA Certificate Policy and could result in removal of all of our certificates from Mozilla’s products.”
3) Ensure that your CA’s information in Mozilla’s spreadsheet of included root certificates is accurate and current, including links to the CP/CPS documents, audit statements, and test websites. Mozilla will be adding a column to this spreadsheet to indicate the date of the most recent audit statement for each root certificate.
http://www.mozilla.org/projects/security/certs/included/index.html
Please respond with one of the following:
* A) Our CA’s information in Mozilla’s spreadsheet of included root certificates is accurate and current for all of our included certificates.
* B) Here is the current information for our certificates that are included in Mozilla’s program: <insert data here>
4) Complete the action items from Mozilla’s January CA Communication.
* https://wiki.mozilla.org/CA:Communications#January_10.2C_2013
* https://wiki.mozilla.org/CA:Communications#January_2013_Responses
Please respond with one of the following:
* A) Our recorded response to the January CA Communication is complete and correct.
* B) We have the following updated status for our response to the January CA Communication: <insert data here>
5) Follow discussion about the changes to policy and code that Mozilla will be making in order to improve how revocation checking is handled in Firefox. Discussions will be held in the mozilla.dev.security.policy forum, and descriptions of the changes that will be considered for both policy and code will be provided here: https://wiki.mozilla.org/CA:ImprovingRevocation
As part of this effort, Mozilla will be implementing a revocation list push mechanism in Firefox, which will push revocation lists of intermediate certificates to Firefox browsers on a regular basis, asynchronously and independently of any SSL site visit. This will improve security by ensuring the browser has a comprehensive list of revocations in a manner that is not likely to be blocked by a network attacker. More information will follow, and policy will be added soon to require CAs to send Mozilla revocation information. We encourage CAs to start participating in this effort now by sending Mozilla previously revoked intermediate certificates by submitting a bug report into the mozilla.org Bugzilla system, filed against the "CA Certificates" component of the "NSS" product. (https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates)
Participation in Mozilla's CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your cooperation in this pursuit.
Regards, | |||
Kathleen Wilson, | |||
Module Owner of Mozilla's CA Certificates Module | |||
=== July 2013 Responses ===
* [https://docs.google.com/spreadsheet/pub?key=0Ah-tHXMAwqU3dGR1TmZLZnJ1RThHRDcwMDJRaXZicFE&output=html CA Responses to July 2013 Communication]
== January 2013 ==
Subject: Mozilla Communication: Action requested by January 31, 2013.
Dear Certification Authority,
This note requests a set of actions on your behalf, as a participant in Mozilla's CA Certificate Program. Please reply by January 31, 2013, with your response to these action items. A compiled list of CA responses to the following action items will be published.
1) Review the proposed changes to Mozilla’s CA Certificate Policy, and assess the impact of those changes to your CA operations.
Version 2.1 of Mozilla’s CA Certificate Policy is in final review, and will be ratified and published in Q1 of 2013. There are changes to the policy that may impact your current operations, so we encourage you to review the changes that are indicated in red or bold text here:
http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/InclusionPolicy.html
There will be a transition period for CAs to bring existing customers into compliance with the new policy, as described here:
https://wiki.mozilla.org/CA:CertPolicyUpdates#Transitioning_to_the_Updated_Policy_Version_2.1
Please respond to this action item with one of the following:
* a) The proposed updates to Mozilla’s CA Certificate Policy do not require further change to our CA operations, because our CA operations already comply with the proposed policy.
* b) The proposed changes to Mozilla’s CA Certificate Policy impact our CA operations, but we will be able to complete the transition within the allotted time frame.
* c) We will not be able to update our CA operations to comply with the proposed version 2.1 of Mozilla’s CA Certificate Policy within the allotted time frame, because <insert reason(s)>. We plan to meet the new requirements by <insert date>.
2) Confirm compliance with the CA/Browser Forum’s Baseline Requirements.
The CA/Browser Forum (http://www.cabforum.org) released the "Baseline Requirements for the Issuance and Management of Publicly Trusted Certificates,” which became effective on July 1, 2012. It is our expectation that as of January 2013 CA issuance of SSL certificates will be audited against these Baseline Requirements as well as the acceptable audit criteria that are listed in Mozilla’s CA Certificate Policy.
Please respond to this action item with one of the following:
* a) Our CA operations conform to the CA/Browser Forum’s Baseline Requirements for issuance of SSL certificates, and our next audit will include verification of this conformance.
* b) Not applicable, because we do not issue SSL certificates.
* c) We are working towards compliance with the CA/Browser Forum’s Baseline Requirements, but we need to complete <insert list of tasks>. We plan to have this completed by <insert date>.
3) Scan your certificate database for certificates that incorrectly have basicConstraints with the cA boolean set to true, or are incorrectly enabled with the keyCertSign Key Usage bit.
Due to the recent incident in which a mis-issued intermediate certificate was found (https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates), we are concerned that CAs may have responded to our last communication based on their policies, rather than checking their certificate databases. Therefore, we request that you scan your certificate database and inform Mozilla if you find any un-expired intermediate certificates in your CA hierarchy that should not be trusted. In your reply, please attach all such intermediate certificates, even if you have already revoked them.
While you are scanning your certificate databases to ensure that all certificates with basicConstraints:CA:TRUE have been issued in accordance with your CPS, please also check for compliance with the following practices.
* All certificates with basicConstraints:CA:TRUE have the basicConstraints marked critical.
* All intermediate certificates with basicConstraints:CA:TRUE have cRLDistributionPoints containing a well-formed and compliant URL that returns a valid CRL.
* All certificates that share a common issuer name contain unique serial numbers (independent of certificate expiration).
* All end-entity certificates with RSA key sizes smaller than 2048 bits expire no later than December 2013.
* Certificates are not issued with sequential serial numbers. If it is found that certificates have been issued with contiguous serial numbers, then the subject of those certificates must contain unpredictable data that is not under the control of the certificate subscriber.
Please respond to this action item with one of the following:
* a) We have scanned our certificate database, and confirm that there are no un-expired intermediate certificates in our CA hierarchy that should not be trusted. We have also checked our certificate database to confirm that all of the non-expired certificates have been issued in accordance with the listed practices.
* b) We have scanned our certificate database, and confirm that there are no un-expired intermediate certificates in our CA hierarchy that should not be trusted. We have also checked our certificate database regarding the listed practices and have found the following variances <list which practices are not met>. Problematic certificates will be revoked and replaced by <insert date>.
* c) We have scanned our certificate database, and have found that the attached certificates should not be trusted. <Attach the certificates to the email>. We have also checked our certificate database to confirm that all of the non-expired certificates have been issued in accordance with the listed practices.
* d) We have scanned our certificate database, and have found that the attached certificates should not be trusted. <Attach the certificates to the email>. We have also checked our certificate database regarding the listed practices and have found the following variances <list which practices are not met>. Problematic certificates will be revoked and replaced by <insert date>.
4) Deprecate issuance of SSL certificates containing a Reserved IP Address or Internal Server Name.
The CA/Browser Forum’s Baseline Requirements state:
“As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Server Name, the CA SHALL notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016.”
This practice is being eliminated for security reasons, so we encourage all CAs to begin working with their customers to transition to alternative arrangements, and to stop issuing SSL certificates containing Reserved IP Addresses or Internal Server Names as soon as possible rather than waiting until the deadline.
Please respond to this action item with one of the following:
* a) We do not issue SSL certificates that chain up to a root certificate that is included in Mozilla's CA Certificate Program and that contain Reserved IP Addresses or Internal Server Names.
* b) We plan to stop issuing SSL certificates containing Reserved IP Addresses or Internal Server Names by <insert date>.
5) For each root certificate or trust anchor you control that is included in Mozilla’s CA Certificate Program and has the SSL trust bit enabled by default, please provide a URL to a website (which may be a test site) whose SSL certificate chains up to it. We expect this website to endure for the lifetime of the root, or until you notify us of an alternative URL. The website does not need to support high traffic loads or have greater than 99% uptime.
Participation in Mozilla's CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your cooperation in this pursuit.
Regards,
Kathleen Wilson,
Module Owner of Mozilla's CA Certificates Module
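The checks in item 3 of the January 2013 communication above (critical basicConstraints, cRLDistributionPoints on intermediates, unique and non-sequential serial numbers under one issuer, RSA keys under 2048 bits expiring by December 2013), together with the Internal Server Name rule from its item 4 and from item 1 of the July 2013 communication, are mechanical enough to script against a CA's own certificate store. The Go program below is an added illustration of such a scan written for this page; it is not Mozilla's code and was not part of any communication. It uses only the Go standard library and builds a constructed three-certificate hierarchy inline as sample input: an intermediate with a deliberately non-critical basicConstraints extension and no CRL URL, a 1024-bit RSA leaf valid into 2015 with a single-label name, and a 1024-bit leaf that expires before the December 2013 cut-off and so is not flagged. The names (Example Root, mail, www.example.com) and serial numbers are invented for the sample. Its test for an Internal Server Name is a simplifying assumption (a single-label name, or the .local or .internal suffix); a real scan must check resolvability in public DNS and the ICANN list of applied-for gTLD strings as Baseline Requirement 11.1.4 directs, and should apply a check of the same shape to Reserved IP Addresses in the SAN, which this example leaves out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

var oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}
// CheckCert returns the listed practices that a single certificate violates.
func CheckCert(c *x509.Certificate) (f []string) {
	flag := func(cond bool, msg string) {
		if cond {
			f = append(f, msg)
		}
	}
	if c.BasicConstraintsValid && c.IsCA {
		for _, e := range c.Extensions {
			flag(e.Id.Equal(oidBasicConstraints) && !e.Critical, "basicConstraints CA:TRUE is not marked critical")
		}
		// The CRL rule is stated for intermediates; a self-issued root is exempt.
		flag(string(c.RawSubject) != string(c.RawIssuer) && len(c.CRLDistributionPoints) == 0, "intermediate has no cRLDistributionPoints")
		return f
	}
	// From the communication: end-entity RSA keys under 2048 bits must expire no later than December 2013.
	pub, isRSA := c.PublicKey.(*rsa.PublicKey)
	flag(isRSA && pub.N.BitLen() < 2048 && c.NotAfter.After(time.Date(2013, 12, 31, 23, 59, 59, 0, time.UTC)), "RSA end-entity key under 2048 bits expires after December 2013")
	// Assumed heuristic, not the Baseline Requirements definition: a single-label name, or a suffix that
	// public DNS never serves. A real scan must query public DNS and ICANN's applied-for gTLD list (BR 11.1.4).
	for _, n := range c.DNSNames {
		n = strings.ToLower(strings.TrimSuffix(n, "."))
		flag(!strings.Contains(n, ".") || strings.HasSuffix(n, ".local") || strings.HasSuffix(n, ".internal"), "Internal Server Name in SAN: "+n)
	}
	return f
}
// CheckSerials applies the database-wide rules: serials must be unique per issuer, and contiguous serials
// are flagged because the communication tolerates them only when the subject carries unpredictable data.
func CheckSerials(certs []*x509.Certificate) (f []string) {
	byIssuer := map[string][]*big.Int{}
	for _, c := range certs {
		byIssuer[string(c.RawIssuer)] = append(byIssuer[string(c.RawIssuer)], c.SerialNumber)
	}
	for _, s := range byIssuer {
		sort.Slice(s, func(i, j int) bool { return s[i].Cmp(s[j]) < 0 })
		for i := 1; i < len(s); i++ { // sorted, so the difference is >= 0: 0 is a duplicate, 1 is contiguous
			if d := new(big.Int).Sub(s[i], s[i-1]); d.IsInt64() && d.Int64() <= 1 {
				f = append(f, "duplicate or contiguous serials under one issuer: "+s[i-1].String()+","+s[i].String())
			}
		}
	}
	return f
}
func mustCert(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return c
}
// SampleFindings runs both checks over a constructed hierarchy (sample input, not real CA data): an
// intermediate with NON-critical basicConstraints and no CRL URL under a name-only root; a 1024-bit RSA
// leaf valid into 2015 with a single-label name; and a 1024-bit leaf that expires in time (no finding).
func SampleFindings() map[string][]string {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader) // one issuer key pair, reused for brevity
	weakKey, _ := rsa.GenerateKey(rand.Reader, 1024)
	y2013, y2015 := time.Date(2013, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC)
	root := &x509.Certificate{Subject: pkix.Name{CommonName: "Example Root"}} // parent template: issuer name only
	bc, _ := asn1.Marshal(struct{ IsCA bool `asn1:"optional"` }{true})   // basicConstraints {cA TRUE}
	inter := &x509.Certificate{SerialNumber: big.NewInt(1000), Subject: pkix.Name{CommonName: "Example Intermediate"},
		NotBefore: y2013, NotAfter: y2015, KeyUsage: x509.KeyUsageCertSign,
		ExtraExtensions: []pkix.Extension{{Id: oidBasicConstraints, Critical: false, Value: bc}}}
	interCert := mustCert(inter, root, caPub, caPriv)
	leaf1 := &x509.Certificate{SerialNumber: big.NewInt(5000), Subject: pkix.Name{CommonName: "mail"},
		NotBefore: y2013, NotAfter: y2015, DNSNames: []string{"mail", "mail.example.com"}}
	leaf2 := &x509.Certificate{SerialNumber: big.NewInt(5001), Subject: pkix.Name{CommonName: "www.example.com"},
		NotBefore: y2013, NotAfter: time.Date(2013, 12, 1, 0, 0, 0, 0, time.UTC), DNSNames: []string{"www.example.com"}}
	certs := []*x509.Certificate{interCert, mustCert(leaf1, interCert, &weakKey.PublicKey, caPriv),
		mustCert(leaf2, interCert, &weakKey.PublicKey, caPriv)}
	out := map[string][]string{"serials": CheckSerials(certs)}
	for _, c := range certs {
		out[c.Subject.CommonName] = CheckCert(c)
	}
	return out
}
func main() {
	for name, findings := range SampleFindings() {
		fmt.Printf("%-22s %v\n", name, findings)
	}
}
```

Running it prints one line per subject with that certificate's findings plus a "serials" line for the database-wide rules. To scan a real store, replace SampleFindings with a loader that parses the CA's issued certificates and feeds them to CheckCert and CheckSerials; anything an intermediate is flagged for is a candidate for the variances list in response options (b) and (d) of item 3, and the serial check must run over every certificate that shares an issuer name, expired ones included, as the communication specifies.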
=== January 2013 Responses ===
[https://docs.google.com/spreadsheet/pub?key=0Ah-tHXMAwqU3dHdISmM3c05tb1dMQjlJclJqS21QNmc&output=html CA Responses to January 2013 Communication] -- Contains two spreadsheets: "Action Item Responses" and "Test Website URLs".
== February 2012 ==
Subject: Mozilla Communication: Action requested by March 2, 2012
Module Owner of Mozilla's CA Certificates Module
=== February 2012 Responses ===
[https://docs.google.com/spreadsheet/pub?key=0Ah-tHXMAwqU3dGxsWlZEdGFDaW9JTlNTUGxBNWhqSlE&output=html CA Responses] -- spreadsheet of the responses to the action items of the CA Communication that was sent on February 17, 2012.
Response Key:
* IP = "In Progress"
* ? = I need further clarification on the response
** N/A for Action #2 means that the CP/CPS does not allow for externally-operated subCAs.
** N/A for Action #3 means that the CA is not issuing EV certs under the roots included in NSS.
* Responses to action #1 can be one or more of the following. If option C is listed, there is also a date by which the CA plans to complete their investigation and provide further information.
** A) Does not apply, because the CA does not have externally-operated subCAs chaining to roots in NSS.
** B) SubCAs are technically and/or contractually restricted to only issue certificates to domains that they legitimately own or control, and they are specifically not allowed to use their subordinate certificates for the purpose of MITM.
** C) The CA is reviewing all of their subCAs and will take the necessary action by <date>.
** D) The CA has revoked such subCA certificates, and provided the requested information.
** E) SubCAs are publicly disclosed to Mozilla, audited by a competent party (per Mozilla’s CA Certificate Policy) whose audit result has been publicly disclosed to Mozilla, and technically and/or contractually restricted to issue certificates in full compliance with Mozilla's CA Certificate Policy. SubCAs are specifically not allowed to use their subordinate certificates for the purpose of MITM.
== September 2011 ==
Subject: Mozilla Communication: Immediate action requested
Module Owner of Mozilla's CA Certificates Module
== April 2011 ==
Subject: Mozilla Communication: Policy Discussions are in Progress that may Impact Your CA
Module Owner of Mozilla's CA Certificates Module
== February 2011 ==
Subject: Mozilla Communication: Version 2.0 of Mozilla CA Certificate Policy has been published
Module Owner of Mozilla's CA Certificates Module
== January 2011 ==
Subject: Mozilla Communication: Major Pending Update to Mozilla CA Certificate Policy
Module Owner of Mozilla's CA Certificates Module
== October 2010 ==
Subject: Mozilla Communication to CAs regarding Policy updates, October 2010
Module Owner of Mozilla's CA Certificates Module
== May 2010 ==
Subject: Mozilla Communication: Acceptable Addresses for Domain Control Validation
Kathleen Wilson
== November 2009 ==
Subject: Mozilla Communication: SSL certificates issued to internal domain names