Ballot CSC-32: Make a Reserved Policy OID mandatory in the CertificatePolicies extension for Subscriber certificates (#57) * Ballot CSC-32: Make a Reserved Policy OID mandatory in the CertificatePolicies extension for Su…
SC-098: Process RFC 8657 CAA Parameters (#567) Update 3.2.2.8 to require that CAs process CAA accounturi and validationmethod parameters defined in RFC 8657 Fixes https://github.com/cabforum/servercert/issues/353 -------…
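The ballot above requires CAs to act on the `accounturi` and `validationmethod` parameters that RFC 8657 adds to CAA `issue`/`issuewild` records. The following is an added example of that processing logic, written for this page; it is not CA/Browser Forum text nor any CA's code. It assumes CAA records have already been fetched and that the CA knows its own issuer domain name, the ACME account URI of the requester, and the validation method it used. The record strings are constructed for illustration, and the choice to reject records carrying an unrecognised parameter is a conservative policy assumption of this example rather than a rule quoted from the RFCs.

```python
"""RFC 8657 CAA parameter processing: accounturi and validationmethod.

Added example for this page; not any CA's production code.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CaaRecord:
    flags: int
    tag: str                      # "issue" or "issuewild"
    issuer: str                   # issuer domain name; "" means "no issuance permitted"
    params: dict[str, str] = field(default_factory=dict)


def parse_caa_value(flags: int, tag: str, value: str) -> CaaRecord:
    """Split an issue/issuewild value into the issuer domain and its parameters.

    RFC 8659 section 4.2 syntax: issuer-domain-name *(";" parameter), where a
    parameter is tag "=" value.  Tags are compared case-insensitively here.
    """
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params: dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed CAA parameter: {part!r}")
        key, val = part.split("=", 1)
        params[key.strip().lower()] = val.strip()
    return CaaRecord(flags, tag.lower(), issuer, params)


# Parameters this CA understands (RFC 8657).  Assumption of this example:
# a record with any other parameter is treated as not authorising issuance.
KNOWN_PARAMS = {"accounturi", "validationmethod"}


def record_authorizes(rec: CaaRecord, ca_domain: str, account_uri: str, method: str) -> bool:
    """Does one CAA record authorise this CA, account and validation method?"""
    if rec.issuer != ca_domain.lower():          # covers the empty-issuer "deny all" case
        return False
    if any(k not in KNOWN_PARAMS for k in rec.params):
        return False
    acct = rec.params.get("accounturi")
    if acct is not None and acct != account_uri:  # RFC 8657: exact URI string match
        return False
    vm = rec.params.get("validationmethod")
    if vm is not None:
        allowed = {m.strip().lower() for m in vm.split(",") if m.strip()}
        if method.lower() not in allowed:
            return False
    return True


def caa_permits(records: list[CaaRecord], ca_domain: str, account_uri: str,
                method: str, wildcard: bool = False) -> bool:
    """Apply the RFC 8659 issue/issuewild selection, then RFC 8657 parameters.

    For a wildcard request issuewild records take precedence when present;
    otherwise issue records apply.  No relevant records means no restriction.
    A CA is authorised if at least one relevant record authorises it.
    """
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True
    return any(record_authorizes(r, ca_domain, account_uri, method) for r in relevant)


# Constructed sample record set (not real DNS data).
SAMPLE_RECORDS = [
    parse_caa_value(0, "issue",
                    "ca.example.net; accounturi=https://acme.example.net/acct/123;"
                    " validationmethod=dns-01,http-01"),
    parse_caa_value(0, "issue", "other-ca.example.org"),
    parse_caa_value(0, "issuewild", ";"),        # no wildcard issuance by anyone
]

if __name__ == "__main__":
    acct = "https://acme.example.net/acct/123"
    print(caa_permits(SAMPLE_RECORDS, "ca.example.net", acct, "dns-01"))          # True
    print(caa_permits(SAMPLE_RECORDS, "ca.example.net", acct, "tls-alpn-01"))     # False
    print(caa_permits(SAMPLE_RECORDS, "ca.example.net", acct, "dns-01", True))    # False
```

The decisive details are the two negative checks: an `accounturi` that does not match exactly, or a `validationmethod` list that does not include the method actually used, turns an otherwise matching `issue` record into a denial, which is exactly what a CA that merely string-matched the issuer domain would miss.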
This case concerns Hongkong Post certificates that contained invalid embedded SCT (Signed Certificate Timestamp) signatures. The CA reported that it received a certificate problem report email on 13 April 2026 about a ce…
This case concerns Let's Encrypt’s Gen Y (Root YE and Root YR) cross-certified subordinate CA certificates and their related cross-signing hierarchy. The preliminary incident report states that the Gen Y cross-certified …
This case is a self-reported incident by Let’s Encrypt regarding CRL publication. Let’s Encrypt monitoring (github.com/letsencrypt/crl-monitor) detected that a database replication issue temporarily omitted recently adde…
This case concerns Visa certificates issued under the Visa Public RSA Root CA for publicly trusted TLS server authentication that exceeded the maximum TLS certificate validity permitted by the CA/Browser Forum Baseline R…
This case concerns CFCA’s CRL encoding non-compliance in the CRL signatureAlgorithm field. The issue was disclosed after a third party (xipki/XiPKI) reported that CFCA EV RCA CRLs were missing the required NULL parameter…
This case concerns a CRL compliance issue reported externally: the CRL at http://crl3.netlock.hu/index.cgi?crl=gold contained revoked certificate entries with the X.509v3 CRL Reason Code explicitly set to “Unspecified” (…
The case reports an inconsistency between certSIGN’s CRL and OCSP revocation status for an intermediate CA certificate (“certSIGN Web CA”, serial 10034B8E66F50920F6C5) issued under “certSIGN ROOT CA G2”. The reporter obs…
D-Trust GmbH opened this CA Program bug after receiving an external Certificate Problem Report via a web form. The report alleged that certain CRL URLs appearing in currently valid D-Trust certificates were not disclosed…
D-TRUST identified a compliance issue where the Organizational Unit (OU) name in precertificates exceeded the maximum allowed length of 64 characters. The issue was discovered by internal quality assurance on July 5, 201…
D-Trust disclosed an incident involving EV TLS certificates that are also Qualified Certificates for Website Authentication (QWAC). The certificates contained a QCStatement extension with an http link to the correspondin…
D-Trust reported a compliance incident involving its TLS certificate issuance controls under Section 4.3.1.2 of the CA/Browser Forum TLS Baseline Requirements. In its internal review, D-Trust concluded that its RA-side c…
D-TRUST reported that, during its certificate application process, a customer could potentially submit a private key as part of a CSR via the application processing interface. D-TRUST initiated an internal investigation …
D-Trust reported that it mis-issued 19 TLS precertificates with validity periods exceeding the 200-day maximum allowed by the TLS Baseline Requirements (Section 6.3.2), as introduced by Ballot SC-81. The issue was identi…
D-Trust issued 17 DV certificates containing the 'serialNumber' field in the subject after September 15, 2023, which was an internal reference number. Upon discovering the misissuance, D-Trust halted DV certificate produ…
This case is for adding the Cybertrust Japan Root CA “Cybertrust iTrust TLS ECCP384 Root CA 2025” to Mozilla’s root program. The bug was created by Jun Okura (Cybertrust Japan) in the “CA Certificate Root Program” compon…
This case is about adding the “Cybertrust iTrust TLS RSA4096 Root CA 2025” root for inclusion in Mozilla’s root store. The bug was created by Cybertrust Japan / JCSI with steps related to adding the root. In the CCADB, M…
NETLOCK reported a compliance issue involving several Authority Information Access (AIA) HTTP endpoints that returned issuer certificates in PEM encoding instead of the DER encoding required by RFC 5280 Section 4.2.2.1. …
Microsoft PKI Services reported an OCSP non-compliance incident they discovered during a migration of OCSP traffic to new infrastructure. On November 10, 2025, they found that OCSP responses from the new infrastructure i…
OATI reported that the Authority Information Access (AIA) CA Issuer field in OATI TLS certificates (issued from the “Server Issuing CA 2025”) resolved to a repository-hosted file that was PEM-encoded instead of the DER-e…
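Two of the incidents on this page are encoding defects that a CA can catch with byte-level checks on its own artefacts: the CFCA CRLs whose RSA `signatureAlgorithm` lacked the NULL parameter that RFC 4055 requires for the PKCS#1 v1.5 OIDs, and the NETLOCK and OATI AIA endpoints that served PEM where RFC 5280 requires DER. The block below is an added example for this page, not code from any of these CAs; it uses only the standard library and a small DER reader. The CRL "skeleton" it builds is a constructed byte string with the CertificateList outer shape only (empty tbsCertList, empty signature) so the walk to `signatureAlgorithm` can be exercised offline; it is not a valid CRL, and the OIDs in the table are the real ones from RFC 4055 and RFC 5758.

```python
"""Byte-level checks for two CRL/AIA encoding incidents on this page.

Added example, not any CA's code.  Sample bytes are constructed.
"""
from __future__ import annotations


def read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Parse one DER TLV at pos; return (tag, value, position after it).
    Definite-length encodings only, as DER requires."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:end], end


def decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted form."""
    arcs: list[int] = []
    acc = 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            if not arcs:                      # first byte packs arcs 1 and 2
                arcs.extend(divmod(acc, 40) if acc < 80 else (2, acc - 80))
            else:
                arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


# RFC 4055 section 5: these OIDs MUST carry an explicit NULL parameter.
RSA_PKCS1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}


def check_algorithm_identifier(algid: bytes) -> tuple[str, str | None]:
    """Return (dotted OID, problem-or-None) for a DER AlgorithmIdentifier."""
    tag, body, _ = read_tlv(algid)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    t, oid_bytes, p = read_tlv(body)
    if t != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = decode_oid(oid_bytes)
    params = body[p:]                          # whatever follows the OID
    if oid in RSA_PKCS1_SIG_OIDS:
        if params == b"":
            return oid, "parameters absent; RFC 4055 requires an explicit NULL"
        if params != b"\x05\x00":
            return oid, "parameters present but not NULL"
    return oid, None


def crl_signature_algorithm(crl_der: bytes) -> bytes:
    """CertificateList ::= SEQUENCE { tbsCertList, signatureAlgorithm, signatureValue }.
    Return the raw outer signatureAlgorithm TLV (the field CFCA's CRLs got wrong)."""
    tag, body, _ = read_tlv(crl_der)
    if tag != 0x30:
        raise ValueError("CertificateList is not a SEQUENCE")
    _, _, p = read_tlv(body)                   # skip tbsCertList
    start = p
    _, _, p = read_tlv(body, p)                # signatureAlgorithm
    return body[start:p]


def classify_encoding(payload: bytes) -> str:
    """What an AIA caIssuers or CRL DP endpoint actually served: der, pem or unknown."""
    if payload.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    try:
        tag, _, end = read_tlv(payload)
    except ValueError:
        return "unknown"
    return "der" if tag == 0x30 and end == len(payload) else "unknown"


def build_crl_skeleton(sig_alg: bytes) -> bytes:
    """Constructed CertificateList-shaped bytes (empty tbsCertList, empty BIT STRING).
    NOT a valid CRL; only the outer structure is real."""
    inner = b"\x30\x00" + sig_alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(inner)]) + inner


# Constructed AlgorithmIdentifiers: sha256WithRSAEncryption with and without NULL.
GOOD_RSA_ALG = bytes.fromhex("300d06092a864886f70d01010b0500")
BAD_RSA_ALG = bytes.fromhex("300b06092a864886f70d01010b")
# ecdsa-with-SHA256 (RFC 5758): parameters MUST be absent, so no NULL is correct here.
ECDSA_ALG = bytes.fromhex("300a06082a8648ce3d040302")

if __name__ == "__main__":
    for crl in (build_crl_skeleton(GOOD_RSA_ALG), build_crl_skeleton(BAD_RSA_ALG)):
        print(classify_encoding(crl), check_algorithm_identifier(crl_signature_algorithm(crl)))
    print(classify_encoding(b"-----BEGIN X509 CRL-----\nMIIB...\n"))
```

Two points the code makes explicit: the check is OID-specific (absent parameters are a defect for the RSA PKCS#1 v1.5 OIDs but correct for ECDSA), and the DER/PEM classification looks at the first TLV and its length rather than a magic byte alone, so a PEM body that happens to start with `M` or a truncated DER blob both fail rather than pass.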
Open Access Technology International (OATI) reported that certificates issued from its legacy “webCARES Issuing CA 2021” webCARES issuer contained the authorityCertIssuer and authorityCertSerialNumber fields, which OATI …
Let’s Encrypt is committed to a post-quantum-safe Web PKI. The path we’re planning to take is Merkle Tree Certificates (“MTCs”), a new approach that adds post-quantum authentication to the web wit…
Ballot SC-099: Improve Recording of Validation Methods (#656) The current BRs contain the following text in Sections 3.2.2.4 and 3.2.2.5: > CAs SHALL maintain a record of which [domain/IP] validation method, including…
Have you ever needed to make sure your website has a broken certificate? While many tools exist to help run an HTTPS server with valid certificates, there aren’t tools to make sure your certificate is revoked or ex…
Nick Silverman is a Senior Infrastructure Engineer on the Edge Infrastructure team at Shopify, where he maintains the systems that provision, renew, and publish SSL certificates for millions of merchants’ custom do…
This was also posted on EFF’s blog. As we announced earlier this year, Let’s Encrypt now issues IP address and six-day certificates to the general public. The Certbot team at the Electronic Frontier Foundatio…
Ballot SC-097 (V1): "Sunset all remaining use of SHA-1 signatures in Certificates and CRLs" (#645) **Purpose of Ballot SC-097:** This ballot proposes updates to the Baseline Requirements for the Issuance and Ma…
As previously announced, over the next two years we will be switching the default certificate lifetime from 90 days to 64 days, and then 45 days. This will ultimately double the number of certificate renewal requests eac…
When you request a certificate from Let’s Encrypt, our servers validate that you control the hostnames in that certificate using ACME challenges. For subscribers who need wildcard certificates or who prefer not to …
Update build-guidelines-action to version 2.2.1 (#299) * Update build-guidelines-action to version 2.2.1 * Update action to use Docker image for build guidelines
In a recent conversation with a Let’s Encrypt subscriber, we asked them to guess how many people work at ISRG, the nonprofit behind Let’s Encrypt (and Prossimo and Divvi Up). Their guess was about 100; they’…
Update: March 11, 2026 If you use Certbot, see Six-Day and IP Address Certificates Available in Certbot for details on requesting these certificates. Short-lived and IP address certificates are now generally available fr…
SC-090: "Gradually sunset all remaining email-based, phone-based, and ‘crossover’ validation methods from Sections 3.2.2.4 and 3.2.2.5" (#616) BRs v2.2.2 **Notes:** - As of 09 September 2025, this proposal is *…
This letter was originally published in our 2025 Annual Report. This year was the 10th anniversary of Let’s Encrypt. We’ve come a long way! Today we’re serving more than 700 million websites, issuing te…
Ballot SC-91: Sunset 3.2.2.5.3 Reverse Address Lookup Validation, proposal of new DNS-based validation using Persistent DCV TXT Record for IP addresses (#626) BRs v2.2.1 ## Ballot SC-91: “Sunset 3.2.2.5.3 Reverse Addres…
On September 14, 2015, our first publicly-trusted certificate went live. We were proud that we had issued a certificate that a significant majority of clients could accept, and had done it using automated software. Of co…
Let’s Encrypt will be reducing the validity period of the certificates we issue. We currently issue certificates valid for 90 days, which will be cut in half to 45 days by 2028. This change is being made along with the r…
In a ceremony held in September, Let’s Encrypt generated two new Root Certification Authorities (CAs) and six new Intermediate CAs, which we’re collectively calling the “Generation Y” hierarchy. Now we’re moving to begin…
CSC-31: Maximum Validity Reduction (#48) (#51) * CSC-31: Maximum Validity Reduction (#48) * Update CSBR.md for proposed validity period change Updating to mostly match ian's original verbiage. However, given that we …
SC092: Sunset use of Precertificate Signing CAs (#630) * Sunset precert signing cas (#629) * Update version and revision table * Fix formatting * fix formatting * Change order of effective dates in table 1.2.2. * One mor…
v1.0.12 - Ballot SMC014 (#285) The Intellectual Property Review (IPR) period for Ballot SMC014 (DNSSEC for CAA) has completed. No IPR Exclusion Notices were filed, and the ballot is adopted as of October 13, 2025.
Seth Schoen was an early contributor to Let's Encrypt through his work at the Electronic Frontier Foundation. He's also one of the longest standing participants in the Let's Encrypt community support forum, so we asked h…
Let’s Encrypt has been proud to work with the IETF to maintain ACME as an open standard since we first developed the technology a decade ago. We’re happy to announce that IETF has published our latest additio…
NGINX and Let's Encrypt share a common vision of an open and secure web. Now, with built-in support for ACME, the world's most popular web server, reverse proxy and ingress controller for Kubernetes can simplify certific…
SC-089: Mass Revocation Planning (#611) * SC-089: Mass Revocation Planning (#610) * Initial draft of 5.7.1.2 Here is an initial draft of a proposal to add section 5.7.1.2 to the TLS Baseline Requirements. See Issue #602 …
v1.0.11 - Ballot SMC013 (#284) This text introduces specifications for the use of two post-quantum cryptography (PQC) algorithms, as standardized by the U.S. National Institute of Standards and Technology (NIST), in the …
SC085: Require Validation of DNSSEC (when present) for CAA and DCV Lookups (#606) * Update version number, recent changes and relevant dates * fix version
v1.0.10 - Ballot SMC012 (#282) This text introduces a new method for validation of mailbox control, using ACME for S/MIME as defined in RFC 8823: Extensions to Automatic Certificate Management Environment for End-User S/…
At Mozilla, we consider security to be a paramount aspect of the web. This is why not only does Firefox have a long running bug bounty program but also mature … The post Firefox Security Response to pwn2o…
The GPG key used to sign the Firefox release manifests is expiring soon, and so we’re going to be switching over to a new signing subkey shortly. The GPG fingerprint … The post Updated GPG key for signing…
Mozilla remains committed to fostering a secure, agile, and transparent Web PKI ecosystem. The new Mozilla Root Store Policy (MRSP) v3.0, effective March 15, 2025, introduces critical updates to strengthen … The post Version 3…
Ballot SMC010 - Introduction of Multi-Perspective Issuance Corroboration (#260) This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require …
At Mozilla, browser security is a critical mission, and part of that mission involves responding swiftly to new threats. Tuesday, around 8 AM Eastern time, we received a heads-up from … The post Behind th…
Ballot SMC08 - Deprecate Legacy Generation Profiles and Minor Updates (#253) The S/MIME Baseline Requirements include a set of Legacy profiles designed to ease the transition into an audited framework, with the expectati…
CSC-25: Import EV Guidelines to CS Baseline Requirements (#38) * First import of EV Guidelines version 1.8.0 * Added organizationIdentifier and extension. Added EVG definitions all the way up to the term "Registered…
Most of the web already supports HTTPS: In fact, 93% of requests made by Firefox are already HTTPS. As a reminder, HTTP over TLS (HTTPS) fixes the security shortcoming of HTTP … The post Firefox will upgr…
At Mozilla, we believe in an open web that is safe to use. To that end, we improve and maintain the security of people using Firefox around the world. This … The post Rapidly Leveling up Firefox Security …
CSC-22: High risk changes (#31) * Restore EV guidelines version reference * Capitalize "MUST NOT" (#19) * Assign ballot number, fix ballot name * High risk ballot draft language * Restore and tweak reference to…
CSC-21: Improved signing services requirements (#12) * Fix typos * Prepare final copy assuming IPR review is clean * Import of Word doc changes to Git * Clarify that SSs are not DTPs in 8.1 * Update may to MAY * Integrat…
Bump actions/upload-artifact from 3 to 4 (#32) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](h…
To provide transparency into our ongoing efforts to protect your privacy and security on the Internet, we are releasing a security audit of Mozilla VPN that Cure53 conducted earlier this … The post Mozill…
Online security is constantly evolving, and thus we are excited to announce the publication of MRSP version 2.9, demonstrating that we are committed to keep up with the advancement of … The post Version 2…
The GPG key used to sign the Firefox release manifests is expiring soon, and so we’re going to be switching over to new key shortly. The new GPG fingerprint is … The post Updated GPG key for signing Firef…
In accordance with the Mozilla Manifesto, which emphasizes the open development of policy that protects users’ privacy and security, we have worked with the Mozilla community over the past several … The p…