Mozilla Security Blog: Announcing Version 2.1 of Mozilla CA Certificate Policy
M. Coates, Director of Security Assurance - Feb 15, 2013
Mozilla has released version 2.1 of the Mozilla CA Certificate Policy. This version requires that every subordinate CA certificate be either technically constrained or publicly disclosed and audited, and requires CAs that issue SSL certificates to comply with the CA/Browser Forum Baseline Requirements.
Mozilla is working towards stronger controls over, and better visibility into, publicly trusted issuing certificates, so that it can make better trust decisions, detect security incidents faster, and limit the impact of each incident. Version 2.1 of Mozilla's CA Certificate Policy encourages CAs to technically constrain subordinate CA certificates using RFC 5280 extensions (Extended Key Usage and Name Constraints) that are carried directly in the intermediate certificate and enforced by the certificate-validation code in clients (e.g. NSS), rather than by contractual or procedural controls. We recognize that technically constraining subordinate CA certificates in this manner may not be practical in some cases, so a subordinate CA certificate may instead be publicly disclosed and audited in accordance with Mozilla's CA Certificate Policy.
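As an added illustration (not part of the original post, and not Mozilla's or any CA's own tooling), the following shell script builds a toy hierarchy with the openssl CLI: a root, an intermediate constrained to issuing TLS server certificates for names under example.com, and two leaves issued by that intermediate, one inside the permitted subtree and one outside it. It then runs `openssl verify` as a stand-in for the client validation code the paragraph refers to. The extension profile (serverAuth EKU, a permitted dNSName subtree, all IP addresses excluded) is this example's reading of what "technically constrained" means; the names, serials and file layout are constructed for the demo.

```shell
#!/bin/sh
# Added example: a technically constrained intermediate CA built and checked
# with the openssl CLI. Not from the Mozilla post; all names are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config (a distinguished_name section is needed even with -subj)
# plus the extension profiles for the root and the constrained intermediate.
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]

[v3_root]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

# "Technically constrained" profile as this example interprets it: the
# intermediate may only issue TLS server certificates, only for dNSNames
# under example.com, and never for IP addresses (v4 and v6 both excluded).
[v3_constrained_ica]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
extendedKeyUsage       = serverAuth
nameConstraints        = critical, permitted;DNS:example.com, excluded;IP:0.0.0.0/0.0.0.0, excluded;IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

# issue_leaf <basename> <dnsName> <serial>: key, CSR, and a server cert
# signed by the constrained intermediate with a single DNS SAN.
issue_leaf() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" \
    -config "$WORK/ext.cnf" -out "$WORK/$1.csr" 2>/dev/null
  printf '%s\n' \
    'basicConstraints = critical, CA:FALSE' \
    'keyUsage = critical, digitalSignature' \
    'extendedKeyUsage = serverAuth' \
    'authorityKeyIdentifier = keyid' \
    "subjectAltName = DNS:$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ica.pem" -CAkey "$WORK/ica.key" \
    -set_serial "$3" -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Root (self-signed), constrained intermediate, and two leaves: one inside the
# permitted subtree and one the intermediate is not allowed to issue.
build_pki() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/root.key" 2>/dev/null
  openssl req -new -key "$WORK/root.key" -subj "/CN=Example Root CA" \
    -config "$WORK/ext.cnf" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1 \
    -days 30 -extfile "$WORK/ext.cnf" -extensions v3_root -out "$WORK/root.pem" 2>/dev/null

  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ica.key" 2>/dev/null
  openssl req -new -key "$WORK/ica.key" -subj "/CN=Example Constrained Sub-CA" \
    -config "$WORK/ext.cnf" -out "$WORK/ica.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ica.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 2 -days 30 -extfile "$WORK/ext.cnf" -extensions v3_constrained_ica \
    -out "$WORK/ica.pem" 2>/dev/null

  issue_leaf good  www.example.com 3   # inside permitted;DNS:example.com
  issue_leaf rogue www.example.org 4   # the sub-CA signs it, but clients must reject it
}

# verify_leaf <basename>: chain-build like a client would, trusting only the
# root. Prints "ok" or "rejected"; the output text is checked rather than the
# exit status because old openssl versions exit 0 even on failure.
verify_leaf() {
  out=$(openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/ica.pem" \
        -purpose sslserver "$WORK/$1.pem" 2>&1 || true)
  case "$out" in
    *": OK"*) echo ok ;;
    *)        echo rejected ;;
  esac
}

build_pki
# Show the constraint as it is carried in the intermediate itself.
openssl x509 -in "$WORK/ica.pem" -noout -text |
  sed -n '/Extended Key Usage/,/Subject Key Identifier/p'
echo "in-scope leaf (www.example.com): $(verify_leaf good)"
echo "rogue leaf    (www.example.org): $(verify_leaf rogue)"
```

The point of the pair of leaves is the enforcement model the policy describes: the intermediate holds a valid CA key and can sign anything, but a relying party's validation code refuses the certificate for www.example.org on its own, without anyone having to notice the mis-issuance, revoke, or audit. An unconstrained intermediate offers no such backstop, which is why the policy requires disclosure and audit for those instead.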
All subordinate CA certificates issued after May 15, 2013 must comply with version 2.1 of Mozilla's CA Certificate Policy, and all pre-existing subordinate CA certificates must be brought into compliance with version 2.1 of Mozilla's CA Certificate Policy for new certificate issuance by May 15, 2014. This time frame takes into account the impact that the new requirements may have on large enterprise subordinate CAs, which may need to plan and budget for new infrastructure and audits.