Changes

Mozilla recognizes that in some exceptional circumstances, revoking misissued certificates within the prescribed deadline may cause significant harm, such as when the certificate is used in critical infrastructure and cannot be safely replaced prior to the revocation deadline, or when a defect affects a massive number of Subscribers and certificates. However, Mozilla does not grant exceptions to the BR revocation requirements. It is our position that your CA is ultimately responsible for deciding if the harm caused by following the requirements of BR section 4.9.1.1 outweighs the risks created that are passed on to individuals who rely on the web PKI by choosing not to meet this requirement.

* The decision and rationale for delaying revocation will be disclosed to Mozilla in the form of a preliminary incident report immediately; preferably before the BR mandated revocation deadline. The rationale must include an explanation for why the situation is exceptional. Responses similar to “we deem this misissuance not to be a security risk” are generally not acceptable, and must be discussed on the mozilla. This dev.security.policy list. When revocation is delayed at the request of specific Subscribers, the rationale should be provided on a per-Subscriber basis.* Any decision to not comply with the timeline specified in the Baseline Requirements must also be accompanied by a clear timeline for describing if and when the problematic certificates will be revoked and supported by the rationale to delay revocation.