The Baseline Requirements are an auditable set of certificate management requirements that were finalized in November 2011. Their purpose is to set a level of management requirements for all SSL certificates. The Baseline Requirements also apply to Extended Validation (EV) certificates, but EV has its own guidelines to manage stricter verification.
The members of the CA/Browser Forum made them effective as of July 1, 2012. For the most part, the major vendors of publicly-trusted SSL certificates have now been compliant for the last eight months. The audit authorities developed audit criteria and both WebTrust and ETSI have integrated the Baseline Requirements into their CA audit programs.
The final task was to have a browser vendor require the Baseline Requirements in their certificate policy. Mozilla has done that with its Mozilla CA Certificate Policy (Version 2.1), which was released on February 14, 2013.
Here is a high-level look at the changes included in the Mozilla policy update:
- Multifactor authentication or limit domains for all accounts capable of directly causing a certificate issuance
- Root certificates should only issue subordinate CA certificates. End-entity certificates could be issued from a root in accordance with Baseline Requirement section #12
- All subordinate CAs must be technically constrained or publicly disclosed and audited
- Technical constraints are performed by adding an Extended Key Usage (EKU) to the subordinate CA certificate that specifies the key usage that the CA is to be used to issue. The constrained CAs must also do the following for the specified certificate types:
- Server authentication (SSL) – must also include a Name Constraints X.509V3 extension
- Secure email – must issue certificates can only be issued for authorized email addresses or mailboxes
- Code-signing certificates must issue the end entity certificates including a subject distinguished name with organization, locality (where relevant), state or province (where relevant) and country name
- If technical constraints for a subordinate CA is not possible, then they must be audited in accordance with Mozilla’s certificate policy and must be publicly disclosed
- CA operations and issuance of SSL certificates must be done in accordance with Baseline Requirements version 1.1
Mozilla also has more details and a set of frequently asked questions, including implementation dates. The bottom line is that all new CAs must meet the Baseline Requirements and all existing CAs must be audited to the Baseline requirements by February 15, 2014.
I would like to thank Mozilla for endorsing and requiring the Baseline Requirements.