Version 2.9 of the Mozilla Root Store Policy

Created on November 12, 2023 at 10:33 am

Online security is constantly evolving, and thus we are excited to announce the publication of MRSP PRODUCT version 2.9 CARDINAL , demonstrating that we are committed to keep up with the advancement of the web and further our commitment to a secure and trustworthy internet.

With each update to the Mozilla Root Store Policy ORG ( MRSP PERSON ), we aim to address emerging challenges and enhance the integrity and reliability of our root store. Version 2.9 CARDINAL introduces several noteworthy changes and refinements, and within this blog post we provide an overview of key updates to the MRSP PRODUCT and their implications for the broader online community.

Managing the Effective Lifetimes of Root CA Certificates ORG

One CARDINAL of the most crucial changes in this version of the MRSP PRODUCT is to limit the time that a root certificate may be in our root store. Often, a root certificate will be issued with a validity period of 25 or more years DATE , but that is too long when one considers the rapid advances in computer processing strength. To address this concern and to make the web PKI ORG more agile, we are implementing a schedule to remove trust bits and/or the root certificates themselves from our root store after they have been in use for more than a specified number of years DATE .

Under the new section 7.4 of the MRSP PRODUCT , root certificates that are enabled with the website’s trust bit will have that bit removed when CA GPE key material is 15 years old DATE . Similarly, root certificates with the email trust bit will have a “ Distrust for S/MIME WORK_OF_ART After Date” set at 18 years DATE from the CA GPE ’s key material generation date. A transition schedule has been established here, which phases this in for CA GPE root certificates created before April 14, 2014 DATE . The transition schedule is subject to change if underlying algorithms become more susceptible to cryptanalytic attack or if other circumstances arise that make the schedule obsolete.

Compliance with CA/Browser Forum’s ORG Baseline Requirements for S/MIME Certificates

The CA/Browser Forum released Baseline Requirements for S/MIME ORG certificates (S/MIME BRs), with an effective date of September 1, 2023 DATE . Therefore, as of September 1, 2023 DATE , certificates issued for digitally signing or encrypting email messages must conform to the latest version of the S/MIME BRs, as stated in section 2.3 LAW of the MRSP. Period-of-time audits to confirm compliance with the S/MIME BRs will be required for audit periods ending after October 30, 2023 DATE . Transition guidance is provided at the following wiki page:

Security Incident and Vulnerability ORG Disclosure

To enable swift response and resolution of security concerns impacting CAs ORG , guidance for reporting security incidents and serious vulnerabilities has been added to section 2.4 CARDINAL of the MRSP PRODUCT . Additional guidance is provided in the following wiki page:

CCADB Compliance Self-Assessment

Previously, CAs were required to perform an annual DATE self-assessment of compliance with Mozilla ORG ’s policies and the CA/Browser Forum’s ORG Baseline Requirements for TLS, but the MRSP did not specifically require that the annual DATE self-assessment be submitted. Beginning in January 2024 DATE , CA GPE operators with root certificates enabled with the website’s trust bit must perform and submit the CCADB Compliance Self-Assessment LAW annually (within 92 calendar days DATE from the close of their audit period). This will provide transparency into each CA GPE ’s ongoing compliance with Mozilla ORG policies and the CA/Browser Forum’s ORG Baseline Requirements for TLS.

Elimination of SHA-1

With the release of Firefox 52 LAW in 2017 DATE , Mozilla ORG removed support for SHA-1 in TLS ORG certificates. Version 2.9 CARDINAL of the MRSP PRODUCT takes further steps to eliminate the use of SHA-1, allowing it only for end entity certificates that are completely outside the scope of the MRSP PRODUCT , and for specific, limited circumstances involving duplication of an existing SHA-1 intermediate CA GPE certificate. These efforts align with industry best practices to phase out the usage of SHA-1.


Several of these changes will require that CAs ORG revise their practices, so we have sent CAs ORG a CA Communication and Survey ORG to alert them about these changes and to inquire about their ability to comply with the new requirements by the effective dates.

These updates to the MRSP PERSON underscore Mozilla ORG ’s unwavering commitment to provide our users with a secure and trustworthy experience. We encourage your participation in the Mozilla ORG community and the CCADB community to contribute to these efforts to provide a secure online experience for our users.

Connecting to Connected... Page load complete