All,

I propose adding the following bullet point to the list in
https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates

"- A pre-existing subordinate CA certificate that expires before May 15, 2014 may be re-issued in order to extend the validity period of the currently-valid intermediate CA certificate until May 15, 2014. That is, the replacement certificate's notAfter date would be May 15, 2014 or earlier."


Please see the background information below -- it is a message I sent to the CA/Browser Forum Public list today.

I will appreciate your constructive feedback on this.

Thanks,
Kathleen
--
All,

I would like to clarify a couple of things regarding the grace periods that Mozilla established for complying with version 2.1 of Mozilla’s CA Certificate Policy.

As a reminder, the requirement to comply with the Baseline Requirements was added to version 2.1 of Mozilla’s CA Certificate Policy, which was published in February 2013. Recognizing that CAs would need time to transition their own operations as well as their subordinate CA customers to this new policy, Mozilla granted the following grace periods.

https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Baseline_Requirements
“As of February 2013, SSL certificate issuance must also be audited according to the Baseline Requirements (BRs), as described above. The first BR audit for each CA and subCA may include a reasonable list of BRs that the CA (or subCA) is not yet in compliance with. The second BR audit (the following year) is expected to confirm that the issues that were listed in the previous BR audit have been resolved.”

https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates
“- All subordinate CA certificates that are issued after May 15, 2013 must comply with version 2.1 of the Inclusion Policy
- All pre-existing subordinate CA certificates must be updated to comply with version 2.1 of the Inclusion Policy for new certificate issuance by May 15, 2014.
- All certificates that are capable of being used to issue new certificates must comply with version 2.1 of the Inclusion Policy for new certificate issuance by May 15, 2014.”


Unfortunately, when creating these grace periods I overlooked the situation where a currently-valid subordinate CA’s intermediate certificate expires before May 15, 2014, but they need more time to transition to their new CA hierarchy. Therefore, Mozilla wishes to clarify that it is OK to re-issue externally-operated intermediate CA certificates that are not yet fully compliant with the BRs in order to extend the validity period of the currently-valid intermediate CA certificate until May 15, 2014. That is, the replacement certificate's notAfter date would be May 15, 2014 or earlier. If there are no concerns about this, I will add it to the wiki page above (after discussing in mozilla.dev.security.policy).

Also, note that version 1.1.6 of the BRs included BR 9.7 regarding technically constraining subordinate CA certificates, and the effective date of that version of the BRs is July 29, 2013. However, Mozilla’s grace periods as previously stated and described above still stand.

Regards,
Kathleen
--

dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy