(Clarified date for updating subscriber agreements and tools in regards to revocation reason options)
m (→2.9: Updated publication date)
(8 intermediate revisions by the same user not shown)
Line 1: | Line 1: | ||
__NOTOC__ | __NOTOC__ | ||
==2.9== | |||
* [https://github.com/mozilla/pkipolicy/blob/2.9/rootstore/policy.md Policy document] | |||
* Finalized date (GitHub): September 1, 2023 | |||
* Publication date (www.mozilla.org): September 12, 2023 | |||
* Effective (compliance) date: September 1, 2023 | |||
** For CAs capable of issuing email certificates, for audit periods ending after October 30, 2023, period-of-time audits must be performed in accordance WebTrust/ETSI criteria | |||
** For CAs capable of issuing TLS server certificates, compliance self-assessments must be submitted for “BR Audit Period End Dates” after December 31, 2023 | |||
* [https://github.com/mozilla/pkipolicy/pull/273/files List of changes and diff] | |||
==2.8.1== | |||
* [https://github.com/mozilla/pkipolicy/blob/2.8.1/rootstore/policy.md Policy document] | |||
* Finalized date (GitHub): January 31, 2023 | |||
* Publication date (www.mozilla.org): February 10, 2023 | |||
* Effective (compliance) date: February 15, 2023 | |||
* [https://github.com/mozilla/pkipolicy/pull/265/files List of changes and diff] | |||
==2.8== | ==2.8== | ||
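Review bot: in the new 2.9 entry, "period-of-time audits must be performed in accordance WebTrust/ETSI criteria" is missing "with" ("in accordance with WebTrust/ETSI criteria"). The same entry gives an effective (compliance) date of September 1, 2023, which is earlier than the stated publication date on www.mozilla.org of September 12, 2023, so the version is recorded as binding before it was published; confirm that this is intended, or make clear that the two dated sub-bullets (audit periods ending after October 30, 2023 and BR Audit Period End Dates after December 31, 2023) are the first deadlines that actually bind. Minor: the second sub-bullet uses curly quotes around "BR Audit Period End Dates" while the rest of the page uses straight quotes.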
Line 14: | Line 32: | ||
*** New Section 6.1.1 - When a TLS server certificate is revoked for keyCompromise, privilegeWithdrawn, cessationOfOperation, affiliationChanged, or superseded, the CRLReason MUST be included in the reasonCode extension of the CRL entry corresponding to the end entity TLS certificate. If the certificate is revoked for a different or unspecified reason, then the reasonCode extension MUST NOT be provided in the CRL. | *** New Section 6.1.1 - When a TLS server certificate is revoked for keyCompromise, privilegeWithdrawn, cessationOfOperation, affiliationChanged, or superseded, the CRLReason MUST be included in the reasonCode extension of the CRL entry corresponding to the end entity TLS certificate. If the certificate is revoked for a different or unspecified reason, then the reasonCode extension MUST NOT be provided in the CRL. | ||
**** The CA operator's subscriber agreement for TLS server certificates [[CA/Revocation_Reasons#Communication_to_Subscribers|must inform certificate subscribers about the revocation reason options]], and tools must be updated to enable certificate subscribers to specify these revocation reason options. | **** The CA operator's subscriber agreement for TLS server certificates [[CA/Revocation_Reasons#Communication_to_Subscribers|must inform certificate subscribers about the revocation reason options]], and tools must be updated to enable certificate subscribers to specify these revocation reason options. | ||
** December 31, 2022: CA operators will need to maintain (in their online policy repository) all older (and available) versions of each CP and CPS (or CP/CPS), regardless of changes in ownership or control of the root CA, until the entire root CA certificate hierarchy operated in accordance with such documents is no longer trusted by the Mozilla root store. | |||
** July 1, 2023: CAs SHALL NOT sign SHA-1 hashes over certificates with an EKU extension containing the id-kp-ocspSigning key purpose; intermediate certificates that chain up to roots in Mozilla's program; OCSP responses; or CRLs. | ** July 1, 2023: CAs SHALL NOT sign SHA-1 hashes over certificates with an EKU extension containing the id-kp-ocspSigning key purpose; intermediate certificates that chain up to roots in Mozilla's program; OCSP responses; or CRLs. | ||
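Review bot: the December 31, 2022 bullet says CA operators "will need to maintain" all older CP and CPS versions, while the neighbouring dated bullets use normative wording (MUST, SHALL NOT); rewording it as "CA operators MUST maintain ..." keeps it from reading as advisory. In the Section 6.1.1 bullet, the rule has two halves (reasonCode MUST be included for the five listed reasons, and MUST NOT be provided for any other or unspecified reason), but the sub-bullet on subscriber agreements and tools only speaks of letting subscribers "specify these revocation reason options"; it would help to state that the updated tools must also be able to revoke with no reasonCode at all, since emitting a default reason for an unlisted case would violate the MUST NOT half.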