CA/Required or Recommended Practices

From MozillaWiki
< CA(Redirected from CA:Recommended Practices)
Jump to: navigation, search

This page contains a set of practices for CAs wishing to have their root CA certificates included in Mozilla products. In some cases these practices are required by the Mozilla Root Store Policy and so are mandatory for a CA to have its root certificate(s) included. They are listed here because they are things CAs often get wrong. In other cases the practices are only recommended, but will help speed up a CA's application for inclusion and maximize the chances of its application being approved.

Required Practices

Publicly Available CP and CPS

A Certificate Policy (CP) is a named set of rules that indicate the applicability of a certificate to a particular community and/or class of applications with common security requirements. A Certification Practices Statement (CPS) is a document that describes the practices that a Certification Authority (CA) employs in issuing, managing, revoking, and renewing or re-keying certificates. CAs must supply a complete CPS, or also a CP, or a combined CP/CPS ("CP/CPS" herein) containing sufficient information to determine whether and how the CA complies with Mozilla policy requirements.

  • The CP/CPS must be publicly available from the CA's official web site.
  • The CP/CPS must clearly indicate which root and subordinate certificates the practices and processes described in those documents apply to.
  • The format of the CP/CPS must be PDF or another suitable format for reading documents. CAs should not use Microsoft Word or other formats intended primarily for editable documents.
  • The CP/CPS must be available in an English version. The non-English version may be authoritative (as that's the working language of the CA) but the CA is responsible for ensuring that the translation is not materially different from the authoritative version of the document.
  • As part of the inclusion process and the CA Compliance Self-Assessment, CAs must provide the CP/CPS sections that address the requirements of Mozilla policy and the Baseline Requirements.
CP/CPS Revision Table

Section 3.3 of Mozilla's Root Store Policy requires that a CA review and update its CP/CPS at least once every twelve months. CAs must "indicate that this has happened by incrementing the version number and adding a dated changelog entry, even if no other changes are made to the document." This is also required by section 2.3 of the Baseline Requirements.

CAA Domains listed in CP/CPS

Section 2.2 of the BRs states: "Section 4.2 of a CA’s Certificate Policy and/or Certification Practice Statement SHALL state the CA’s policy or practice on processing CAA Records for Fully‐Qualified Domain Names; that policy shall be consistent with these Requirements. It shall clearly specify the set of Issuer Domain Names that the CA recognizes in CAA “issue” or “issuewild” records as permitting it to issue."

BR Commitment to Comply statement in CP/CPS

For root certificates with the Websites (TLS/SSL) trust bit enabled, Mozilla requires that the corresponding CP/CPS documents include a statement of commitment to comply with the CA/Browser Forum's Baseline Requirements, as per section 2.2 of the BRs.

CP/CPS Structured According to RFC 3647

CP/CPS documents must be structured according to RFC 3647. This requirement is stated in section 2.2 of the CA/Browser Forum Baseline Requirements. Further, CP/CPS documents should include every component and subcomponent, and the placement of information should be aligned with the BRs; e.g. domain validation practices should be documented in section 3.2.2.4 of the CA’s CP/CPS.

  • The words "No Stipulation" mean that "the particular document imposes no requirements related to that section," MRSP section 3.3.
  • The words "Not applicable" are acceptable to indicate that the CA’s policies forbid the practice that is the title of the section. Language similar to “We do not perform <subject of the section>” is preferred.
  • Sections must not be left blank. The purpose of "No Stipulation" is to make it clear that the omission of content was intentional.
  • If a full description of a section is repeated elsewhere in the document, language similar to “Refer to Section 1.2.3” is preferred. Extensive cross-referencing among multiple CPs and CPSes is discouraged. However, cross-referencing between single CP and CPS documents is acceptable as long as both documents are published on your CA's website, and the CP and CPS documents clearly indicate which root certificates they govern.
  • If a section in your CP/CPS only applies to a certain type of certificate, then your CP/CPS needs to state that. Mozilla's Root Store Policy says: "CAs MUST NOT generate the key pairs for end-entity certificates that have an EKU extension containing the KeyPurposeIds id-kp-serverAuth or anyExtendedKeyUsage, unless the certificate is being issued to the CA itself." So if your CP/CPS allows for generation and escrow of private keys for personal certificates, then your CP/CPS should clearly indicate that those sections do not apply to TLS server certificates.

Examples:

  • If your CA does not allow a particular domain validation method to be used, then the CP or CPS should say that, e.g. "This method of domain validation is not used".
  • If a section of your CP delegates the detailing of requirements to the CPS, then the CP should state "Refer to <section> of the CPS".
  • The BRs do not allow certificate suspension, so the CA’s CPS should state that certificate suspension is not allowed for TLS certificates, and then the other sections related to suspension should say “Not applicable”.
  • If your CA does not issue TLS server certificates containing IP addresses, then section 3.2.2.5, ‘Authentication for an IP Address’ in your CP or CPS should say that such certificate issuance is not allowed, e.g. “No IP address certificates are issued under this CPS.”
  • If your CP contains full descriptions of physical security required by section 5.1 of RFC 3647, then the CPS may say "As stipulated in section 5.1 of the CP". (This assumes that the CP is also published on your website, and the CP and CPS documents clearly indicate which root certificates they govern.)
CP/CPS Documents will be Reviewed!

During the Detailed Review phase, your CP/CPS documentation will be thoroughly reviewed and commented on. Concerns raised by the reviewer must be sufficiently resolved before the request will be allowed to enter public discussion.

Previous reviews of CP/CPS documents

Audit Criteria

CAs must supply evidence of their being evaluated according to one or more of the Mozilla policy's acceptable audit criteria.

  • The CA must indicate exactly which criteria they are being evaluated against (i.e., which of the criteria listed in the Mozilla policy).
  • All documents supplied as evidence must be publicly available.
  • Documents purporting to be from the CA's auditor (or other evaluator) should be available directly from the auditor (e.g. as documents downloadable from the auditor's website or from CPA Canada's Webtrust seal repository).

Complete Audit History

Mozilla's Root Store Policy states: "Before being included, CAs MUST provide evidence that their CA certificates fully comply with the current Mozilla Root Store Requirements and Baseline Requirements, and have continually, from the time of CA private key creation, complied with the then-current Mozilla Root Store Policy and Baseline Requirements." It also states, "Full-surveillance period-of-time audits MUST be conducted and updated audit information provided no less frequently than annually from the time of CA key pair generation until the CA public key is no longer trusted by Mozilla's root store." (MRSP § 3.1.3) To meet these requirements, CAs must provide public-facing audit statements for all audits that have been conducted from the time of CA key creation, for both the root and the non-technically-constrained intermediate certificates in the hierarchy.

This includes:

  • Root key generation report
  • Period of time audits covering root private key protection (e.g. a period-of-time key lifecycle management report providing reasonable assurance that the CA operator protected CA private keys following root key generation)

This requirement may be met via one of the following options:

  • Providing the sequence of audit statements on the CA's website.
  • Attaching the sequence of audit statements to the root inclusion request (Bugzilla Bug).

CAs must also provide audit information in compliance with section 5 of the CCADB Policy.

Revocation of Compromised Certificates

CAs must revoke certificates with private keys that are known to be compromised, or for which verification of subscriber information is known to be invalid. CAs must use CRL revocation reason codes in accordance with MRSP section 6.1.1. See also Revocation Reasons for additional guidance.

Verifying Domain Name Ownership

We rely on public documentation and audits of those documented processes to ascertain that the requirements of the Mozilla Root Store Policy are met.

In accordance with section 2.2 of Mozilla's Root Store Policy, all domains in a certificate capable of being used for TLS must be verified using one of the methods documented in section 3.2.2.4 of the CA/Browser Forum Baseline Requirements. The CA's practices documentation (e.g. its CPS) must clearly specify and detail the procedure(s) that the CA employs, including which subsection of 3.2.2.4 it is complying with.

It also needs to provide sufficient information describing the steps taken by the CA to confirm that the applicant owns/controls the domain names to be included in the certificate. For instance, if a challenge-response procedure is used, then there must be a description of the process. If public resources are used, then there must be a description of which public resources are used, what data is retrieved from public resources, and how that data is used to verify that the applicant owns/controls the domain names.

Baseline Requirements

It is not sufficient to simply reference section 3.2.2.4 of the CA/Brower Forum's Baseline Requirements. The BRs list several ways in which the CA may confirm that the certificate subscriber owns/controls the domain name to be included in the certificate. Simply referencing a subsection within section 3.2.2.4 of the BRs does not specify what the CA does, and is insufficient for describing how the CA conforms to the BRs. Section 2.3 of the BRs says: "The CA SHALL develop, implement, enforce, and annually update a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements."

Important:

  • A CPS must state what the CA actually does, not what it could do, such as which of the allowed domain validation methods the CA uses.
  • The following validation methods are prohibited: BR subsections 3.2.2.4.1, BR 3.2.2.4.3, BR 3.2.2.4.5, BR 3.2.2.4.6, BR 3.2.2.4.9, BR 3.2.2.4.10, BR 3.2.2.4.11, and BR 3.2.2.5.4.
WHOIS and DNS

WHOIS and DNS are used by CAs as a source of information for checking ownership/control of the domain name for TLS certificate applications. WHOIS and DNS information may be subject to compromise (e.g. BGP hijacking). CAs are responsible for implementing appropriate methods to reduce the risk that a domain validation method has been compromised. For example, a CA could use direct command line, HTTPS to the original registrar, DNSSEC, or correlate multiple sources of WHOIS and DNS information. The CA should disclose the methods that it uses to ensure the integrity of the data.

It is not sufficient for the CP/CPS to just state that WHOIS is checked. The CP/CPS needs to have a high-level description of how the WHOIS information is used. What information must match with that provided by the certificate subscriber? Is a phone call made or email sent to the technical or administrative contact field of the domain's WHOIS record? If an email is sent, does it include non-predictable information that the technical or administrative contact must use to respond?

Email Challenge-Response

Many CAs use an email challenge-response mechanism to verify that the TLS certificate subscriber owns/controls the domain to be included in the certificate. Some CAs allow applicants to select an address from a predetermined list to be used for this verification. See Mozilla's restrictions on the set of verification addresses that may be used.

CAs using this method of domain validation must ensure that they are using the full email, and that none of their systems misinterpret the localpart of an email. If your system fails to process the exact email, it will misinterpret the '+' sign as a delimiter. Consider, for example, the WHOIS contact information for a domain of "user+word@example.com" or "user=word@example.com". Both of these email addresses conform to the rules set out in RFC 822 with respect to the 'localpart' syntax. If your system emails to "word@example.com", rather than to the full "user+word@example.com" / "user=word@example.com", it will allow an attacker (who obtains "word@example.com") to obtain certificates for example.com. Please work with your engineering department to ensure that your systems properly handle such cases, as well as handling variations, such as quoted-string, as also detailed in RFC 822 and subsequent RFCs. This is especially important as EAI addresses (described in RFC 6530 and related) come into play.

Verifying Email Address Control

We rely on public documentation and audits of those documented processes to ascertain that the requirements of the Mozilla Root Store Policy are met.

Section 2.2 of Mozilla's Root Store Policy states: "For a certificate capable of being used for digitally signing or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate or has been authorized by the email account holder to act on the account holder’s behalf. The CA's CP/CPS must clearly specify the procedure(s) that the CA employs to perform this verification."

The CA's public documentation needs to provide sufficient information describing how the email address is verified to be owned/controlled by the certificate subscriber. For instance, if a challenge-response type of procedure is used, then there must be a description of the process. If public resources are used, then there must be a description of which public resources are used, what data is retrieved from public resources, and how that data is used to verify that the certificate subscriber owns/controls the email address.

The recommended way to satisfy this requirement is to perform a challenge-response type of procedure in which the CA sends email to the email address to be included in the certificate, and the applicant must respond in a way that demonstrates that they have control over that email address. For instance, the CA may send an email to the address to be included in the certificate, containing secret unpredictable information, giving the applicant a limited time to use the information within.

It is not sufficient for the CP/CPS to just say that an email is sent to the customer. The CP/CPS needs to be clear that the RA sends email to the email address to be included in the certificate. The CP/CPS needs to be clear that the email shall contain some non-predictable information that the subscriber must then use or respond with to confirm that the owner of the email address actually received the email and responded.

DNS names go in SAN

According to the CA/Browser Forum Baseline Requirements:

  • Section 7.1.4.2.1 states:
    • Certificate Field: extensions:subjectAltName
    • Required/Optional: Required
    • Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing the Fully-Qualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST confirm that the Applicant controls the Fully-Qualified Domain Name or IP address or has been granted the right to use it by the Domain Name Registrant or IP address assignee, as appropriate. Wildcard FQDNs are permitted.
  • Section 7.1.4.2.2 states:
    • Certificate Field: subject:commonName (OID 2.5.4.3)
    • Required/Optional: Deprecated (Discouraged, but not prohibited)
    • Contents: If present, this field MUST contain a single IP address or Fully-Qualified Domain Name that is one of the values contained in the Certificate’s subjectAltName extension (see Section 7.1.4.2.1).

OCSP

OCSP responders should be set up to listen on a standard port (e.g. port 80), because firewalls may block ports other than 80/443. Firefox and some other clients do not work with HTTPS OCSP responders, and many firewalls block requests that aren't over port 80, so OCSP responders must be accessible over HTTP (not only HTTPS) on port 80.

As per the CA/Browser Forum’s Baseline Requirements:

  1. The OCSP URI must be provided in end entity certificates. (BR section 7.1.2.3.c.)
  2. OCSP Responders SHALL NOT respond “Good” for Unissued Certificates. (BR section 4.9.10)
  3. CAs MUST NOT issue OCSP responder certificates using SHA-1 (BR section 7.1.3.2.1)
  4. OCSP responses MUST conform to RFC6960 and/or RFC5019. (BR section 4.9.9)

Please refer to section 4.9.10 of the Baseline Requirements for additional OCSP requirements.

You MUST test your OCSP service in Firefox! We expect OCSP responders to function without error in Mozilla products. To test in Firefox:

  • Go to Firefox -> Settings -> Privacy & Security -> Certificates
  • Check the box for "Query OCSP responder servers to confirm the current validity of certificates"
  • You may need to clear your history cache
  • Browse to a website whose TLS certificate chains up to your root and has the corresponding OCSP URI in the AIA extension.

Network Security Controls

CAs must maintain current best practices for network security, and have qualified network security audits performed on a regular basis. The CA/Browser Forum has published a document called the Network and Certificate System Security Requirements (NetSec Requirements) which should be used as guidance for protecting network and supporting systems. CAs should incorporate the NetSec Requirements by reference in either section 5 or section 6.7 of their CP/CPS.

It is expected that CAs do the following on a regular basis:

  • Maintain network security controls that meet the Network and Certificate System Security Requirements.
  • Review network infrastructure, monitoring, passwords, etc. for signs of intrusion or weakness.
  • Ensure Intrusion Detection System and other monitoring software is up-to-date.
  • Confirm the ability to shut down certificate issuance quickly if alerted of intrusion.

Pre-Issuance Linting

Several tools are available on GitHub to check a tbsCertificate (To Be Signed Certificate - the certificate complete except for the signature): PKI Meta-Linter, PKI Lint, certlint/cablint, x509lint, zlint, for a large number of standards violations (BRs, RFCs etc.). Ballot SC-075 requires that CAs integrate pre-issuance linting into their issuance pipelines by March 15, 2025. Because BR or RFC violations are generally considered by Mozilla to be misissuance, such integration will reduce the number of misissuance events a CA experiences, if earlier parts of their pipeline fail in their job of keeping certificates compliant.

Precertificates

Mozilla recommends that CAs log TLS precertificates using Certificate Transparency (CT). CAs should be aware of section 5.4 of the Mozilla Root Store Policy, and that Mozilla considers logged precertificates as certificates for purposes of determining CA compliance. CAs must be able to revoke precertificates. Mozilla is also planning on requiring that TLS precertificates be logged in CT.

Section 3.2.1 of RFC 9162 states “a precertificate's signature indicates the CA's binding intent to issue the corresponding certificate, which means that: Misissuance of a precertificate is considered equivalent to misissuance of the corresponding certificate. The CA should expect to be held accountable, even if the corresponding certificate has not actually been issued."

While BR section 7.1.2.5 states “For purposes of clarification, a Precertificate, as described in RFC 6962 – Certificate Transparency, shall not be considered to be a “certificate” subject to the requirements of RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile under these Baseline Requirements”, Mozilla interprets the BR language as a specific exception allowing CAs to issue a precertificate containing the same serial number as the subsequent certificate. Otherwise, Mozilla infers from the existence of a precertificate that a corresponding certificate has been issued.

Application of RFC 9162 means that:

  • A CA must provide OCSP services and responses in accordance with Mozilla policy for all certificates presumed to exist based on the presence of a precertificate, even if the certificate does not actually exist
  • A CA must be able to revoke a certificate presumed to exist, if revocation of the certificate is required under Mozilla policy, even if the certificate does not actually exist.
  • If any corresponding certificate with the same serial number and issuer exists, and can not be verified to match the precertificate using the algorithms in RFC 6962, it will be considered misissued.
  • In examining historical issuance, the CA must consider both final certificates and precertificates, even if the precertificate did not ultimately result in the issuance of a certificate.

Recommended Practices

CA Hierarchy

A hierarchical structure of a single-purpose root with intermediate certificates (subordinate CAs) is preferred. The single top-level root's public certificate is supplied for Mozilla's root list; subordinate CA certificates (including other self-signed root CA certificates that chain to the trusted root) must be reported in the CCADB.

CAs that issue certificates under multiple subordinate CAs (i.e. under a root CA whose CA certificate is being requested for inclusion) or under multiple CA hierarchies (i.e. rooted at multiple root CAs, one or more of whose certificates is being requested for inclusion) should provide additional information as noted:

  • The CA should provide a graphical or textual description of the CA hierarchy or hierarchies, including which subordinates are under which root CAs.
  • The CA should indicate the general types of certificates (i.e. for SSL/TLS servers, email signing/encryption) issued by each subordinate CA under each root.
  • Where a CP/CPS applies to multiple subordinate CAs and/or multiple CA hierarchies, the CA should indicate whether particular sections of the CP/CPS apply to different subordinates and/or hierarchies and, if so, what the differences are.

We strongly recommend that CA operators use separate root CA certificates with separate public keys (or separate intermediate CA certificates with separate public keys under a single root) when issuing certificates for different purposes so that we or others may selectively enable or disable acceptance of certificates issued according to a particular use or policy, or may otherwise treat such certificates differently (e.g., in our products' user interfaces).

Document Handling of IDNs in CP/CPS

If a CA allows the use of internationalized domain names (IDNs) in certificates (e.g., as issued for SSL/TLS-enabled servers), the CA should address the issue of homographic spoofing of IDNs in their CP/CPS, even if primary responsibility for dealing with this issue falls on domain registries. (This doesn't mean that the CAs must prevent such spoofing. It merely means that a CA should describe how it handles the issue of spoofing when authenticating the owner of a domain.)

Usage of Appropriate Constraints

Root certificates in Mozilla's program can have either the Websites trust bit set, or the Email trust bit, or both. If only one of those bits is set, relying software will trust certificates in that hierarchy for only that purpose. Nevertheless, it is a best practice for the immediately-issuing intermediate certificate to also contain EKU constraints of either id-kp-serverAuth or id-kp-emailProtection as appropriate, such that if the trust status of the root ever changes (or is not enforced for some reason), the end-entity certificates are still appropriately constrained.

OCSP Responses

Including additional, superfluous certificates in an OCSP response wastes bandwidth. Therefore, CA operators should limit certificates delivered to a single Authorized Responder certificate, when that is necessary.