Let’s Encrypt is committed to a post-quantum-safe Web PKI. The path we’re planning to take is Merkle Tree Certificates (“MTCs”), a new approach that adds post-quantum authentication to the web wit…
2026/06/01 -- 'Ben Wilson' via dev-security-policy@mozilla.org
2026/05/29 -- 'Ben Wilson' via dev-security-policy@mozilla.org
2026/05/21 -- 'Q Misell' via dev-security-policy@mozilla.org
2026/05/21 -- 'Martijn Katerbarg' via dev-security-policy@mozilla.org
2026/05/21 -- 'Q Misell' via dev-security-policy@mozilla.org
2026/05/21 -- Hanno Böck
Ballot SC-099: Improve Recording of Validation Methods (#656) The current BRs contain the following text in Sections 3.2.2.4 and 3.2.2.5: > CAs SHALL maintain a record of which [domain/IP] validation method, including…
2026/05/15 -- 'Roman Fischer' via dev-security-policy@mozilla.org
2026/05/14 -- Anupama M
2026/05/14 -- 大野文彰(ONO Fumiaki)
2026/05/13 -- 'Trevoli Ponds-White' via dev-security-policy@mozilla.org
2026/05/13 -- 'Trevoli Ponds-White' via dev-security-policy@mozilla.org
2026/05/13 -- 'Ben Wilson' via dev-security-policy@mozilla.org
2026/05/13 -- 'Ben Wilson' via dev-security-policy@mozilla.org
2026/05/13 -- 大野文彰(ONO Fumiaki)
2026/05/13 -- 'Roman Fischer' via dev-security-policy@mozilla.org
2026/05/12 -- 'Ben Wilson' via dev-security-policy@mozilla.org
2026/05/12 -- 'Trevoli Ponds-White' via dev-security-policy@mozilla.org
2026/05/12 -- 'Ben Wilson' via dev-security-policy@mozilla.org
2026/05/12 -- 'Martijn Katerbarg' via dev-security-policy@mozilla.org
2026/05/12 -- 'Ben Wilson' via dev-security-policy@mozilla.org
Ballot SMC016: Equivalence with Ballots SC096 and SC097 (#300)
Update effective date based on IPR Review closure (#664)
Have you ever needed to make sure your website has a broken certificate? While many tools exist to help run an HTTPS server with valid certificates, there aren’t tools to make sure your certificate is revoked or ex…
Cleanup 2025 (#628) BR 2.2.6, approved by ballot SC095v3
SMC015v2 - mDL Authentication of Individual Identity (#290) * Version * Revision table * References * Attribute collection * Validation of mDL * Numbering fix * Reference update * eIDAS reference * Update eIDAS link * Up…
Nick Silverman is a Senior Infrastructure Engineer on the Edge Infrastructure team at Shopify, where he maintains the systems that provision, renew, and publish SSL certificates for millions of merchants’ custom do…
This was also posted on EFF’s blog. As we announced earlier this year, Let’s Encrypt now issues IP address and six-day certificates to the general public. The Certbot team at the Electronic Frontier Foundatio…
Ballot SC-097 (V1): "Sunset all remaining use of SHA-1 signatures in Certificates and CRLs" (#645) **Purpose of Ballot SC-097:** This ballot proposes updates to the Baseline Requirements for the Issuance and Ma…
As previously announced, over the next two years we will be switching the default certificate lifetime from 90 days to 64 days, and then 45 days. This will ultimately double the number of certificate renewal requests eac…
When you request a certificate from Let’s Encrypt, our servers validate that you control the hostnames in that certificate using ACME challenges. For subscribers who need wildcard certificates or who prefer not to …
Ballot SC-96: Carve-out for DNSSEC verification logging requirements (#641) BRs 2.2.4
SC94: Add partial exception for DNSSEC checks for email DCV methods (#637) BRs version 2.2.3
Update build-guidelines-action to version 2.2.1 (#299) * Update build-guidelines-action to version 2.2.1 * Update action to use Docker image for build guidelines
In a recent conversation with a Let’s Encrypt subscriber, we asked them to guess how many people work at ISRG, the nonprofit behind Let’s Encrypt (and Prossimo and Divvi Up). Their guess was about 100; they&r…
Update: March 11, 2026 If you use Certbot, see Six-Day and IP Address Certificates Available in Certbot for details on requesting these certificates. Short-lived and IP address certificates are now generally available fr…
SC-090: "Gradually sunset all remaining email-based, phone-based, and ‘crossover’ validation methods from Sections 3.2.2.4 and 3.2.2.5" (#616) BRs v2.2.2 **Notes:** - As of 09 September 2025, this proposal is *…
This letter was originally published in our 2025 Annual Report. This year was the 10th anniversary of Let’s Encrypt. We’ve come a long way! Today we’re serving more than 700 million websites, issuing te…
Ballot SC-91: Sunset 3.2.2.5.3 Reverse Address Lookup Validation, proposal of new DNS-based validation using Persistent DCV TXT Record for IP addresses (#626) BRs v 2.2.1 ## Ballot SC-91: “Sunset 3.2.2.5.3 Reverse Addres…
SC-86: Sunset the Inclusion of Domain Names with an IP Reverse Zone Suffix (#573) BRs 2.2.0
On September 14, 2015, our first publicly-trusted certificate went live. We were proud that we had issued a certificate that a significant majority of clients could accept, and had done it using automated software. Of co…
Let’s Encrypt will be reducing the validity period of the certificates we issue. We currently issue certificates valid for 90 days, which will be cut in half to 45 days by 2028. This change is being made along with the r…
In a ceremony held in September, Let’s Encrypt generated two new Root Certification Authorities (CAs) and six new Intermediate CAs, which we’re collectively calling the “Generation Y” hierarchy. Now we’re moving to begin…
CSC-31: Maximum Validity Reduction (#48) (#51) * CSC-31: Maximum Validity Reduction (#48) * Update CSBR.md for proposed validity period change Updating to mostly match ian's original verbiage. However, given that we …
SC088v3: DNS TXT Record with Persistent Value DCV Method
SC092: Sunset use of Precertificate Signing CAs (#630) * Sunset precert signing cas (#629) * Update version and revision table * Fix formatting * fix formatting * Change order of effective dates in table 1.2.2. * One mor…
v1.0.12 - Ballot SMC014 (#285) The Intellectual Property Review (IPR) period for Ballot SMC014 (DNSSEC for CAA) has completed. No IPR Exclusion Notices were filed, and the ballot is adopted as of October 13, 2025.
Seth Schoen was an early contributor to Let's Encrypt through his work at the Electronic Frontier Foundation. He's also one of the longest standing participants in the Let's Encrypt community support forum, so we asked h…
Let’s Encrypt has been proud to work with the IETF to maintain ACME as an open standard since we first developed the technology a decade ago. We’re happy to announce that IETF has published our latest additio…
NGINX and Let's Encrypt share a common vision of an open and secure web. Now, with built-in support for ACME, the world's most popular web server, reverse proxy and ingress controller for Kubernetes can simplify certific…
Fix formatting in table 1.2.1 (#613)
SC-089: Mass Revocation Planning (#611) * SC-089: Mass Revocation Planning (#610) * Initial draft of 5.7.1.2 Here is an initial draft of a proposal to add section 5.7.1.2 to the TLS Baseline Requirements. See Issue #602 …
v1.0.11 - Ballot SMC013 (#284) This text introduces specifications for the use of two post-quantum cryptography (PQC) algorithms, as standardized by the U.S. National Institute of Standards and Technology (NIST), in the …
SC085: Require Validation of DNSSEC (when present) for CAA and DCV Lookups (#606) * Update version number, recent changes and relevant dates * fix version
SC-085: Require Validation of DNSSEC (when present) for CAA and DCV Lookups (#579) * require DNSSEC * SHOULD to MAY Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> * RFCs in sec 1.6.3. * …
v1.0.10 - Ballot SMC012 (#282) This text introduces a new method for validation of mailbox control, using ACME for S/MIME as defined in RFC 8823: Extensions to Automatic Certificate Management Environment for End-User S/…
At Mozilla, we consider security to be a paramount aspect of the web. This is why not only does Firefox have a long running bug bounty program but also mature … Read more The post Firefox Security Response to pwn2o…
v1.0.9 - Ballot SMC011 (#272) * Date * Add EUID Definition * 7.1.4.2.2 (d) add note 4 * Appendix A.1 update * Minor * Revision table * Minor update to Definition * Reconfigure Note 4 * Minor format Note 4 * Minor format …
Bump Ubuntu runner to latest (#279)
The GPG key used to sign the Firefox release manifests is expiring soon, and so we’re going to be switching over to a new signing subkey shortly. The GPG fingerprint … Read more The post Updated GPG key for signing…
Mozilla remains committed to fostering a secure, agile, and transparent Web PKI ecosystem. The new Mozilla Root Store Policy (MRSP) v3.0, effective March 15, 2025, introduces critical updates to strengthen … Read m…
Ballot SMC010 - Introduction of Multi-Perspective Issuance Corroboration (#260) This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require …
Ballot SMC09 - Pre-Linting, WebTrust for NetSec, and Minor Updates (#257)
Update upload-artifact to v4 due to github deprecation (#262)
At Mozilla, browser security is a critical mission, and part of that mission involves responding swiftly to new threats. Tuesday, around 8 AM Eastern time, we received a heads-up from … Read more The post Behind th…
Revert to commit 3a88910dd9ac43e3278514e8359778bfec4ad723 (#256)
Merge branch 'MPIC_discussion' into main
Update to 4.2.2.2 for effective dates
Ballot SMC08 - Deprecate Legacy Generation Profiles and Minor Updates (#253) The S/MIME Baseline Requirements include a set of Legacy profiles designed to ease the transition into an audited framework, with the expectati…
CSC-26 final adjustments (#40) * CSC-26 final adjustments * Fix links
CSC-26: Timestamping Private Key Protection (#34) * Timestamp Certificate, SubCA and Key restrictions * Add log and witness requirements for key destruction * Add effective dates * Typo correction * Align date format * U…
CSC-25: Import EV Guidelines to CS Baseline Requirements (#38) * First import of EV Guidelines version 1.8.0 * Added organizationIdentifier and extension. Added EVG definitions all the way up to the term "Registered…
Most of the web already supports HTTPS: In fact, 93% of requests made by Firefox are already HTTPS. As a reminder, HTTP over TLS (HTTPS) fixes the security shortcoming of HTTP … Read more The post Firefox will upgr…
At Mozilla, we believe in an open web that is safe to use. To that end, we improve and maintain the security of people using Firefox around the world. This … Read more The post Rapidly Leveling up Firefox Security …
CSC-22: High risk changes (#31) * Restore EV guidelines version reference * Capitalize "MUST NOT" (#19) * Assign ballot number, fix ballot name * High risk ballot draft language * Restore and tweak reference to…
CSC-21: Improved signing services requirements (#12) * Fix typos * Prepare final copy assuming IPR review is clean * Import of Word doc changes to Git * Clarify that SSs are not DTPs in 8.1 * Update may to MAY * Integrat…
Bump actions/upload-artifact from 3 to 4 (#32) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](h…
CSC-20 (#30) * Restore EV guidelines version reference * Capitalize "MUST NOT" (#19) * Assign ballot number, fix ballot name * Add effective date
To provide transparency into our ongoing efforts to protect your privacy and security on the Internet, we are releasing a security audit of Mozilla VPN that Cure53 conducted earlier this … Read more The post Mozill…
Online security is constantly evolving, and thus we are excited to announce the publication of MRSP version 2.9, demonstrating that we are committed to keep up with the advancement of … Read more The post Version 2…
Bump tooling version, fix version table formatting (#28) * Bump tooling version * Fix table
Bump actions/checkout from 3 to 4 (#27) Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/…
The GPG key used to sign the Firefox release manifests is expiring soon, and so we’re going to be switching over to new key shortly. The new GPG fingerprint is … Read more The post Updated GPG key for signing Firef…
In accordance with the Mozilla Manifesto, which emphasizes the open development of policy that protects users’ privacy and security, we have worked with the Mozilla community over the past several … Read more The p…
No items for this source.