CA/Root Store Policy Archive: Difference between revisions
< CA
Jump to navigation
Jump to search
(Update email TCSC compliance dates) |
m (→2.9: Updated publication date) |
||
| (26 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
__NOTOC__ | __NOTOC__ | ||
==2.9== | |||
* [https://github.com/mozilla/pkipolicy/blob/2.9/rootstore/policy.md Policy document] | |||
* Finalized date (GitHub): September 1, 2023 | |||
* Publication date (www.mozilla.org): September 12, 2023 | |||
* Effective (compliance) date: September 1, 2023 | |||
** For CAs capable of issuing email certificates, for audit periods ending after October 30, 2023, period-of-time audits must be performed in accordance WebTrust/ETSI criteria | |||
** For CAs capable of issuing TLS server certificates, compliance self-assessments must be submitted for “BR Audit Period End Dates” after December 31, 2023 | |||
* [https://github.com/mozilla/pkipolicy/pull/273/files List of changes and diff] | |||
==2.8.1== | |||
* [https://github.com/mozilla/pkipolicy/blob/2.8.1/rootstore/policy.md Policy document] | |||
* Finalized date (GitHub): January 31, 2023 | |||
* Publication date (www.mozilla.org): February 10, 2023 | |||
* Effective (compliance) date: February 15, 2023 | |||
* [https://github.com/mozilla/pkipolicy/pull/265/files List of changes and diff] | |||
==2.8== | |||
* [https://github.com/mozilla/pkipolicy/blob/2.8/rootstore/policy.md Policy document] | |||
* Finalized date (GitHub): April 26, 2022 | |||
* Publication date (www.mozilla.org): April 29, 2022 | |||
* Effective (compliance) date: June 1, 2022, except: | |||
** July 1, 2022: CAs SHALL NOT sign SHA-1 hashes over end entity certificates with an EKU extension containing the id-kp-emailProtection key purpose. | |||
** July 1, 2022: Name-constrained CA certificates that are technically capable of issuing working server or email certificates that were exempt from disclosure in previous versions of this policy MUST be disclosed in the CCADB. | |||
** October 1, 2022: | |||
*** CA operators with intermediate CA certificates that are capable of issuing TLS certificates chaining up to root certificates in Mozilla's root store SHALL populate the CCADB fields under "Pertaining to Certificates Issued by This CA" with either the CRL Distribution Point for the "Full CRL Issued By This CA" or a "JSON Array of Partitioned CRLs. | |||
*** CAs MUST be able to revoke a certificate presumed to exist, if revocation of the certificate is required under this policy, even if the final certificate does not actually exist, and MUST provide CRL and OCSP services and responses in accordance with the policy for all certificates presumed to exist based on the presence of a precertificate, even if the certificate does not actually exist. | |||
*** New Section 6.1.1 - When a TLS server certificate is revoked for keyCompromise, privilegeWithdrawn, cessationOfOperation, affiliationChanged, or superseded, the CRLReason MUST be included in the reasonCode extension of the CRL entry corresponding to the end entity TLS certificate. If the certificate is revoked for a different or unspecified reason, then the reasonCode extension MUST NOT be provided in the CRL. | |||
**** The CA operator's subscriber agreement for TLS server certificates [[CA/Revocation_Reasons#Communication_to_Subscribers|must inform certificate subscribers about the revocation reason options]], and tools must be updated to enable certificate subscribers to specify these revocation reason options. | |||
** December 31, 2022: CA operators will need to maintain (in their online policy repository) all older (and available) versions of each CP and CPS (or CP/CPS), regardless of changes in ownership or control of the root CA, until the entire root CA certificate hierarchy operated in accordance with such documents is no longer trusted by the Mozilla root store. | |||
** July 1, 2023: CAs SHALL NOT sign SHA-1 hashes over certificates with an EKU extension containing the id-kp-ocspSigning key purpose; intermediate certificates that chain up to roots in Mozilla's program; OCSP responses; or CRLs. | |||
* [https://github.com/mozilla/pkipolicy/pull/245/files List of changes and diff] | |||
==2.7.1== | |||
* [https://github.com/BenWilson-Mozilla/pkipolicy/blob/2.7.1/rootstore/policy.md Policy document] | |||
* Finalized date (GitHub): March 30, 2021 | |||
* Publication date (www.mozilla.org): April 12, 2021 | |||
* Effective (compliance) date: May 1, 2021, except: | |||
** October 1, 2021: CAs MUST validate dNSName or IPAddress in SAN/commonName within 398 days prior to certificate issuance | |||
** July 31, 2021: CAs MUST update section 4.9.12 of their CPSes to clearly specify the methods that parties may use to demonstrate private key compromise | |||
* [https://github.com/mozilla/pkipolicy/pull/223/files List of changes and diff] | |||
==2.7== | |||
* [https://github.com/mozilla/pkipolicy/blob/2.7/rootstore/policy.md Policy document], [https://github.com/mozilla/pkipolicy/blob/2.7/ccadb/policy.md Common CCADB Policy] | |||
* Publication date: December 10, 2019 | |||
* Effective (compliance) date: January 1, 2020, except: | |||
** April 1, 2020: CPs and CPSes published after this date MUST be structured according to RFC 3647 and MUST: | |||
*** Include at least every section and subsection defined in RFC 3647; and, | |||
*** Only use the words "No Stipulation" to mean that the particular document imposes no requirements related to that section; and, | |||
*** Contain no sections that are blank and have no subsections. | |||
** July 1, 2020: End-entity certificates MUST include an Extended Key Usage (EKU) extension containing KeyPurposeId(s) describing the intended usage(s) of the certificate, and the EKU extension MUST NOT contain the KeyPurposeId anyExtendedKeyUsage. | |||
* [https://github.com/mozilla/pkipolicy/pull/199/files List of changes and diff] | |||
==2.6.1== | |||
* [https://github.com/mozilla/pkipolicy/blob/2.6/rootstore/policy.md Policy document], [https://github.com/mozilla/pkipolicy/blob/2.6/ccadb/policy.md Common CCADB Policy] | |||
* Publication date: August 13, 2018 | |||
* Effective (compliance) date: August 13, 2018, except: | |||
** January 1, 2019: Separation of id-kp-serverAuth and id-kp-emailProtection KeyPurposeIds in newly created intermediate certificates as described in section 5.3 | |||
* [https://github.com/mozilla/pkipolicy/commit/a8353e12db6128d9a01de7ab94949180115a2d92 List of changes and diff] | |||
==2.6== | |||
* [https://github.com/mozilla/pkipolicy/blob/0fef6af7ea0455bd350c489c3d35be4ee2ce2567/rootstore/policy.md Policy document], [https://github.com/mozilla/pkipolicy/blob/2.6/ccadb/policy.md Common CCADB Policy] | |||
* Publication date: June 29, 2018 | |||
* Effective (compliance) date: July 1, 2018, except: | |||
** January 1, 2019: Separation of id-kp-serverAuth and id-kp-emailProtection KeyPurposeIds in newly created intermediate certificates as described in section 5.3 | |||
* [https://github.com/mozilla/pkipolicy/pull/143/files List of changes and diff] | |||
==2.5== | ==2.5== | ||
| Line 35: | Line 111: | ||
* [https://github.com/mozilla/pkipolicy/blob/2.2/rootstore/policy.md Policy document] | * [https://github.com/mozilla/pkipolicy/blob/2.2/rootstore/policy.md Policy document] | ||
* Publication date: July 26, 2013 | * Publication date: July 26, 2013 | ||
* Compliance date: July 26, 2013 ([[CA | * Compliance date: July 26, 2013 ([[CA/CertificatePolicyV2.2#Time_Frames_for_included_CAs_to_comply_with_version_2.2_of_the_policy|more specific details]]) | ||
* List of changes: {{Bug|868144}} | * List of changes: {{Bug|868144}} | ||
==2.1== | ==2.1== | ||
* [[CA | * [[CA/CertPolicyV2.1|Policy document]] | ||
* Publication date: February 14, 2013 | * Publication date: February 14, 2013 | ||
* Compliance date: February 14, 2014 ([[CA | * Compliance date: February 14, 2014 ([[CA/CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy|more specific details]]) | ||
* Items considered: [[CA | * Items considered: [[CA/PolicyVersion2.1]] | ||
* List of changes: {{Bug|763758}} | * List of changes: {{Bug|763758}} | ||
==2.0== | ==2.0== | ||
* [[CA | * [[CA/CertificatePolicyV2.0|Policy document]] | ||
* Publication date: February 2, 2011 | * Publication date: February 2, 2011 | ||
* Compliance date: August 8, 2011 (Feb 2, 2011 for new root inclusions) | * Compliance date: August 8, 2011 (Feb 2, 2011 for new root inclusions) | ||
* Items considered: [[CA | * Items considered: [[CA/PolicyVersion2.0]] | ||
* List of changes: {{Bug|609945}} | * List of changes: {{Bug|609945}} | ||
==Earlier== | ==Earlier== | ||
* [[CA | * [[CA/CertificatePolicyV1.2|Version 1.2]] -- January 2008 | ||
* [[CA | * [[CA/CertificatePolicyV1.1|Version 1.1]] -- November 2007 | ||
* [[CA | * [[CA/CertificatePolicyV1.0|Version 1.0]] -- November 2005 | ||
* [[CA | * [[CA/CertificatePolicyV0.4|Version 0.4]] -- March 2004 | ||
Latest revision as of 03:50, 13 September 2023
2.9
- Policy document
- Finalized date (GitHub): September 1, 2023
- Publication date (www.mozilla.org): September 12, 2023
- Effective (compliance) date: September 1, 2023
- For CAs capable of issuing email certificates, for audit periods ending after October 30, 2023, period-of-time audits must be performed in accordance WebTrust/ETSI criteria
- For CAs capable of issuing TLS server certificates, compliance self-assessments must be submitted for “BR Audit Period End Dates” after December 31, 2023
- List of changes and diff
2.8.1
- Policy document
- Finalized date (GitHub): January 31, 2023
- Publication date (www.mozilla.org): February 10, 2023
- Effective (compliance) date: February 15, 2023
- List of changes and diff
2.8
- Policy document
- Finalized date (GitHub): April 26, 2022
- Publication date (www.mozilla.org): April 29, 2022
- Effective (compliance) date: June 1, 2022, except:
- July 1, 2022: CAs SHALL NOT sign SHA-1 hashes over end entity certificates with an EKU extension containing the id-kp-emailProtection key purpose.
- July 1, 2022: Name-constrained CA certificates that are technically capable of issuing working server or email certificates that were exempt from disclosure in previous versions of this policy MUST be disclosed in the CCADB.
- October 1, 2022:
- CA operators with intermediate CA certificates that are capable of issuing TLS certificates chaining up to root certificates in Mozilla's root store SHALL populate the CCADB fields under "Pertaining to Certificates Issued by This CA" with either the CRL Distribution Point for the "Full CRL Issued By This CA" or a "JSON Array of Partitioned CRLs.
- CAs MUST be able to revoke a certificate presumed to exist, if revocation of the certificate is required under this policy, even if the final certificate does not actually exist, and MUST provide CRL and OCSP services and responses in accordance with the policy for all certificates presumed to exist based on the presence of a precertificate, even if the certificate does not actually exist.
- New Section 6.1.1 - When a TLS server certificate is revoked for keyCompromise, privilegeWithdrawn, cessationOfOperation, affiliationChanged, or superseded, the CRLReason MUST be included in the reasonCode extension of the CRL entry corresponding to the end entity TLS certificate. If the certificate is revoked for a different or unspecified reason, then the reasonCode extension MUST NOT be provided in the CRL.
- The CA operator's subscriber agreement for TLS server certificates must inform certificate subscribers about the revocation reason options, and tools must be updated to enable certificate subscribers to specify these revocation reason options.
- December 31, 2022: CA operators will need to maintain (in their online policy repository) all older (and available) versions of each CP and CPS (or CP/CPS), regardless of changes in ownership or control of the root CA, until the entire root CA certificate hierarchy operated in accordance with such documents is no longer trusted by the Mozilla root store.
- July 1, 2023: CAs SHALL NOT sign SHA-1 hashes over certificates with an EKU extension containing the id-kp-ocspSigning key purpose; intermediate certificates that chain up to roots in Mozilla's program; OCSP responses; or CRLs.
2.7.1
- Policy document
- Finalized date (GitHub): March 30, 2021
- Publication date (www.mozilla.org): April 12, 2021
- Effective (compliance) date: May 1, 2021, except:
- October 1, 2021: CAs MUST validate dNSName or IPAddress in SAN/commonName within 398 days prior to certificate issuance
- July 31, 2021: CAs MUST update section 4.9.12 of their CPSes to clearly specify the methods that parties may use to demonstrate private key compromise
2.7
- Policy document, Common CCADB Policy
- Publication date: December 10, 2019
- Effective (compliance) date: January 1, 2020, except:
- April 1, 2020: CPs and CPSes published after this date MUST be structured according to RFC 3647 and MUST:
- Include at least every section and subsection defined in RFC 3647; and,
- Only use the words "No Stipulation" to mean that the particular document imposes no requirements related to that section; and,
- Contain no sections that are blank and have no subsections.
- July 1, 2020: End-entity certificates MUST include an Extended Key Usage (EKU) extension containing KeyPurposeId(s) describing the intended usage(s) of the certificate, and the EKU extension MUST NOT contain the KeyPurposeId anyExtendedKeyUsage.
- April 1, 2020: CPs and CPSes published after this date MUST be structured according to RFC 3647 and MUST:
- List of changes and diff
2.6.1
- Policy document, Common CCADB Policy
- Publication date: August 13, 2018
- Effective (compliance) date: August 13, 2018, except:
- January 1, 2019: Separation of id-kp-serverAuth and id-kp-emailProtection KeyPurposeIds in newly created intermediate certificates as described in section 5.3
- List of changes and diff
2.6
- Policy document, Common CCADB Policy
- Publication date: June 29, 2018
- Effective (compliance) date: July 1, 2018, except:
- January 1, 2019: Separation of id-kp-serverAuth and id-kp-emailProtection KeyPurposeIds in newly created intermediate certificates as described in section 5.3
- List of changes and diff
2.5
- Policy document, Common CCADB Policy
- The "Mozilla CCADB Policy" document is now part of the main Policy
- Publication date: June 23, 2017
- Compliance date: June 23, 2017, except:
- Technical constraints for email intermediates, which is (erratum) November 15, 2017 for existing non-qualifying intermediates to cease issuing, and April 15 2018 for them to be revoked or audited
- Using the Ten Blessed Methods for domain validation, which is July 21, 2017
- List of changes and diff
2.4.1
- Policy document, Common CCADB Policy, Mozilla CCADB Policy
- Publication date: March 31, 2017
- Compliance date: March 31, 2017 (except "CP/CPS in English", which is June 1, 2017)
- This version has no changes in normative requirements over version 2.4; it is a rearrangement and reordering of the existing policy.
2.4
- Policy document, Common CCADB Policy, Mozilla CCADB Policy
- Publication date: February 28, 2017
- Compliance date: February 28, 2017 (except "CP/CPS in English", which is June 1, 2017)
- List of changes and diff
2.3
- Policy document
- Publication date: December 19, 2016
- Compliance date: December 19, 2016
- List of changes and diff
2.2
- Policy document
- Publication date: July 26, 2013
- Compliance date: July 26, 2013 (more specific details)
- List of changes: bug 868144
2.1
- Policy document
- Publication date: February 14, 2013
- Compliance date: February 14, 2014 (more specific details)
- Items considered: CA/PolicyVersion2.1
- List of changes: bug 763758
2.0
- Policy document
- Publication date: February 2, 2011
- Compliance date: August 8, 2011 (Feb 2, 2011 for new root inclusions)
- Items considered: CA/PolicyVersion2.0
- List of changes: bug 609945
Earlier
- Version 1.2 -- January 2008
- Version 1.1 -- November 2007
- Version 1.0 -- November 2005
- Version 0.4 -- March 2004