I would like to remind everyone about when these requirements for non-technically-constrained intermediate certificates came into effect for CAs in Mozilla’s program according to previous versions of Mozilla’s Root Store Policy[1] and previous CA Communications[2].

February 2013: Mozilla published version 2.1 of its CA Certificate Inclusion Policy[3], which introduced clauses #8, 9, and 10 requiring that intermediate certificates must either be technically constrained or be audited and publicly disclosed. Clause 11 added the requirement for BR audits (ETSI: DVCP and OVCP certificate policies for publicly trusted certificates - baseline requirements, WebTrust: and "SSL Baseline Requirements Audit Criteria V1.1" (as applicable to SSL certificate issuance)).

June 2017: Mozilla published version 2.5 of its Root Store Policy[4], which specified in section 3.1.4 that audit statements must contain the SHA256 fingerprint of each root and intermediate certificate that was in scope of the audit. The pre-existing requirement for public-facing audit statements (including BR audits) for non-technically-constrained intermediate certs continued to remain in effect as described in sections 3.1.2 and 5.3.

April 2017: Mozilla sent a CA Communication requiring response from all CAs[5] that stated that all audit statements submitted to Mozilla must be public-facing (not confidential), provided in English, and must include the SHA1 or SHA256 fingerprint of each certificate issuer covered by the audit scope.

November 2017: Mozilla sent a CA Communication requiring response from all CAs[6] that had action items to review and confirm compliance with version 2.5 of Mozilla's Root Store Policy and clarified that each audit statement must include the SHA-256 fingerprint for each root and intermediate certificate in scope of the audit.

September 2018: Mozilla sent a CA Communication requiring response from all CAs[7] that stated that Mozilla would start rejecting audit statements that did not contain the required information. The communication also noted that version 2.6.1 of Mozilla’s Root Store policy added clarification to section 5.3.2 that newly-issued intermediates that are not technically constrained that have a currently valid audit report at the time of creation of the certificate, must appear on the CA's next periodic audit reports.


[6] [7]

dev-security-policy mailing list
