- Mozilla's Commitment: Remains committed to a secure, agile, and transparent Web PKI ecosystem. The new Mozilla Root Store Policy (MRSP) v3.0 (effective March 15, 2025) includes updates to strengthen CA practices and compliance.
- Focus on Delayed Revocation: Tackles the long-standing issue of delayed certificate revocation to enhance TLS certificate management security and reliability. Introduces clearer revocation expectations, improved incident reporting, subscriber education, revocation planning, and automated certificate issuance.
- No Exceptions to Revocation: Explicitly states no exceptions to TLS Baseline Requirements for revocation to ensure consistent enforcement.
- Stronger Subscriber Communication: CA operators must warn subscribers and have clear contractual requirements for cooperation with revocation timelines.
- Mass Revocation Preparedness: Mandates readiness for large-scale revocations through comprehensive plans, testing, and third-party assessments.
- Enhancing Automation: Encourages CA operators to adopt automation in certificate issuance and renewal by introducing new requirements and adding transparency through the CCADB.
- Phasing Out Dual-Purpose Root CAs: Moves towards separating TLS and S/MIME hierarchies due to distinct security needs, requiring new root CA certificates to be dedicated and existing dual-purpose roots to transition.
- Strengthening CA Key Security: Introduces stricter key lifecycle monitoring for "parked" CA private keys to protect against key compromise or misuse.
- Conclusion: MRSP v3.0 is a significant step forward in ensuring stronger CA accountability, modernizing the Web PKI, and promoting a secure online experience. Encourages community engagement.