CA/Communications: Difference between revisions
(Created page with "The following are communications that have been sent to Certification Authorities participating in Mozilla's root program. === September 8, 2011 === '''Subject:''' Mozilla Commu...") |
|||
| Line 2: | Line 2: | ||
=== September 8, 2011 === | === September 8, 2011 === | ||
Subject: Mozilla Communication: Immediate action requested | |||
Dear Certification Authority, | Dear Certification Authority, | ||
| Line 31: | Line 31: | ||
Participation in Mozilla's root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your participation in this pursuit. | Participation in Mozilla's root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your participation in this pursuit. | ||
Regards, | |||
Kathleen Wilson | |||
Module Owner of Mozilla's CA Certificates Module | |||
=== April, 2011 === | |||
Subject: Mozilla Communication: Policy Discussions are in Progress that may Impact Your CA | |||
Dear Certification Authority, | |||
On behalf of Mozilla, I am contacting you in regards to three important items that we would like to bring to your attention. | |||
1) The CA/Browser Forum has published a final draft of the document "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates." We are now hosting a discussion about this document in the mozilla.dev.security.policy forum. For more information, see http://cabforum.org/. | |||
The document is here: http://cabforum.org/Baseline_Requirements_Draft_30b.pdf | |||
Mozilla supports the CA/Browser Forum’s efforts in this area. After version 1.0 of the CA/Browser Forum’s Baseline Requirements document is published, we will have a discussion to add a requirement to the Mozilla CA Certificate Policy (http://www.mozilla.org/projects/security/certs/policy/) that CAs include the CA/Browser Forum Baseline Requirements in their policies, practices, and audits. Therefore, we urge you to review the draft of the Baseline Requirements, assessing the impact to your CA policies and practices, and participate in the current discussions about these requirements. The CA/Browser Forum has set the duration of this discussion to 45 days from April 11. | |||
2) Mozilla has begun discussions about the Phase 2 items to be considered for updating the Mozilla CA Certificate Policy, https://wiki.mozilla.org/CA:CertPolicyUpdates#Second_Phase. The current discussions are focused on RAs and Subordinate CAs. We recommend that you monitor and contribute to these discussions so that you are aware of how the potential changes to the Mozilla CA Certificate Policy may impact you. | |||
3) As per previous communications, we will implement a code change to stop accepting MD5 as a hash algorithm for intermediate and end-entity certificates. After June 30, 2011, software published by Mozilla will return an error when a certificate with an MD5-based signature is used. Mozilla will take this action earlier and at its sole discretion if necessary to keep our users safe. For more information, please see https://wiki.mozilla.org/CA:MD5and1024. | |||
We look forward to your continued involvement and contributions to improving Mozilla’s CA Certificate Policy and practices. | |||
Regards, | Regards, | ||
Kathleen Wilson | Kathleen Wilson | ||
Module Owner of Mozilla's CA Certificates Module | Module Owner of Mozilla's CA Certificates Module | ||
Revision as of 18:05, 8 September 2011
The following are communications that have been sent to Certification Authorities participating in Mozilla's root program.
September 8, 2011
Subject: Mozilla Communication: Immediate action requested
Dear Certification Authority,
This note requests a set of immediate actions on your behalf, as a participant in the Mozilla root program.
Mozilla recently removed the DigiNotar root certificate in response to their failure to promptly detect, contain, and notify Mozilla of a security breach regarding their root and subordinate certificates (https://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up). If you ever have reason to suspect a security breach or mis-issuance has occurred at your CA or elsewhere, please contact security@mozilla.org immediately.
Please confirm completion of the following actions or state when these actions will be completed, and provide the requested information no later than September 16, 2011:
1) Audit your PKI and review your systems to check for intrusion or compromise. This includes all third party CAs and RAs.
2) Send a complete list of CA certificates from other roots in our program that your roots (including third party CAs and RAs) have cross-signed. A listing of all root certificates in Mozilla's products is here: http://www.mozilla.org/projects/security/certs/included
3) Confirm that multi-factor authentication is required for all accounts capable of directly causing certificate issuance.
4) Confirm that you have automatic blocks in place for high-profile domain names (including those targeted in the DigiNotar and Comodo attacks this year). Please further confirm your process for manually verifying such requests, when blocked.
5) For each external third party (CAs and RAs) that issues certificates or can directly cause the issuance of certificates within the hierarchy of the root certificate(s) that you have included in Mozilla products, either:
a) Implement technical controls to restrict issuance to a specific set of domain names which you have confirmed that the third party has registered or has been authorized to act for (e.g. RFC5280 x509 dNSName name constraints, marked critical)
OR
b) Send a complete list of all third parties along with links to each of their corresponding Certificate Policy and/or Certification Practice Statement and provide public attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties with access to details of the subordinate CA's internal operations.
Each action requested above applies both to your root and to these third parties.
Participation in Mozilla's root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your participation in this pursuit.
Regards, Kathleen Wilson Module Owner of Mozilla's CA Certificates Module
April, 2011
Subject: Mozilla Communication: Policy Discussions are in Progress that may Impact Your CA
Dear Certification Authority,
On behalf of Mozilla, I am contacting you in regards to three important items that we would like to bring to your attention.
1) The CA/Browser Forum has published a final draft of the document "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates." We are now hosting a discussion about this document in the mozilla.dev.security.policy forum. For more information, see http://cabforum.org/. The document is here: http://cabforum.org/Baseline_Requirements_Draft_30b.pdf
Mozilla supports the CA/Browser Forum’s efforts in this area. After version 1.0 of the CA/Browser Forum’s Baseline Requirements document is published, we will have a discussion to add a requirement to the Mozilla CA Certificate Policy (http://www.mozilla.org/projects/security/certs/policy/) that CAs include the CA/Browser Forum Baseline Requirements in their policies, practices, and audits. Therefore, we urge you to review the draft of the Baseline Requirements, assessing the impact to your CA policies and practices, and participate in the current discussions about these requirements. The CA/Browser Forum has set the duration of this discussion to 45 days from April 11.
2) Mozilla has begun discussions about the Phase 2 items to be considered for updating the Mozilla CA Certificate Policy, https://wiki.mozilla.org/CA:CertPolicyUpdates#Second_Phase. The current discussions are focused on RAs and Subordinate CAs. We recommend that you monitor and contribute to these discussions so that you are aware of how the potential changes to the Mozilla CA Certificate Policy may impact you.
3) As per previous communications, we will implement a code change to stop accepting MD5 as a hash algorithm for intermediate and end-entity certificates. After June 30, 2011, software published by Mozilla will return an error when a certificate with an MD5-based signature is used. Mozilla will take this action earlier and at its sole discretion if necessary to keep our users safe. For more information, please see https://wiki.mozilla.org/CA:MD5and1024.
We look forward to your continued involvement and contributions to improving Mozilla’s CA Certificate Policy and practices.
Regards, Kathleen Wilson Module Owner of Mozilla's CA Certificates Module