From ee280a2a2f1a83b45d29b3f2b3978ad48be36318 Mon Sep 17 00:00:00 2001 From: Karina Sirota Date: Wed, 4 Mar 2026 15:10:20 -0600 Subject: [PATCH 1/4] Limit EKU Scope for new roots Clarify requirements for root certificates and their scopes. --- Requirements.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Requirements.md b/Requirements.md index b69f90b..5ed0036 100644 --- a/Requirements.md +++ b/Requirements.md @@ -156,6 +156,11 @@ The Microsoft Trusted Root Program enables customers to trust Windows products b 5. Document Signing EKU=1.3.6.1.4.1.311.10.3.12 - This EKU is used for signing documents within Office. It isn't required for other document signing uses. +**3.4.3** Effective for all root certificates submitted on or after July 1, 2026: +Effective for all root certificates submitted on or after July 1, 2026, root certificates MUST be limited in scope and dedicated to a clearly defined trust purpose. +Root certificates authorized for Server Authentication, S/MIME, or Code Signing MUST each be separate and independent trust anchors. A root certificate MUST NOT be authorized for more than one of these EKUs. +A root certificate authorized for Code Signing MAY also be authorized for Client Authentication and Time Stamping. A root certificate authorized for Server Authentication OR SMIME MAY also be authorized for Client Authentication. +No EKU combinations other than those explicitly permitted above are allowed.Root certificates submitted prior to January 1, 2027 that assert multiple EKUs will continue to be trusted unless otherwise directed by Microsoft. # 4. Audit requirements From c461f45d6a5429b617e3408c49ce0313dfe7e7e2 Mon Sep 17 00:00:00 2001 From: Karina Sirota Date: Wed, 11 Mar 2026 00:14:45 -0500 Subject: [PATCH 2/4] Revise validity period for newly minted Root CAs Updated validity period for newly minted Root CAs to a maximum of 10 years, effective July 1, 2026. --- Requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Requirements.md b/Requirements.md index 5ed0036..1fa128e 100644 --- a/Requirements.md +++ b/Requirements.md @@ -65,7 +65,7 @@ The Microsoft Trusted Root Program enables customers to trust Windows products b **3.1.7.** Root Key Sizes must meet the requirements detailed in "Signature Requirements" below. -**3.1.8.** Newly minted Root CAs must be valid for a minimum of eight years, and a maximum of 25 years, from the date of submission. +**3.1.8.** Newly minted Root CAs must be valid for a maximum 10 years, from the date of submission, effective July 1, 2026. **3.1.9.** Participating Root CAs may not issue new 1024-bit RSA certificates from roots covered by these requirements. From c2708da5b43c0d9b4d199bc066031d50c2656d5c Mon Sep 17 00:00:00 2001 From: Karina Sirota Date: Wed, 11 Mar 2026 00:17:19 -0500 Subject: [PATCH 3/4] Suspect Code Definition MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added clarification on Microsoft’s classification of suspect code and its relation to the Unified Security Operations criteria. --- Requirements.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Requirements.md b/Requirements.md index 1fa128e..5ca4b59 100644 --- a/Requirements.md +++ b/Requirements.md 
@@ -142,8 +142,12 @@ The Microsoft Trusted Root Program enables customers to trust Windows products b ### 3.3. Code Signing Root Certificate Requirements **3.3.1.** Root certificates that support code signing use may be removed from distribution by the Program 10 years from the date of distribution of a replacement rollover root certificate or sooner, if requested by the CA. + **3.3.2.** Root certificates that remain in distribution to support only code signing use beyond their algorithm security lifetime (e.g. RSA 1024 = 2014, RSA 2048 = 2030) may be set to 'disable' in a future release. +**3.3.3** For clarity and transparency, Microsoft and the Microsoft Trusted Root Program classify “suspect code” using the same criteria applied across Microsoft security products. These classifications are documented in Microsoft’s Unified Security Operations criteria, which describe how Microsoft identifies and categorizes malware, potentially unwanted applications, tampering software, and related behaviors: . These definitions are provided to assist Program Participants in understanding how Microsoft may assess code behavior during incident investigation, disclosure, and enforcement activities. + + ### 3.4. EKU Requirements **3.4.1.** CAs must provide a business justification for all of the EKUs assigned to their root certificate. Justification may be in the form of public evidence of a current business of issuing certificates of a type or types, or a business plan demonstrating an intention to issue those certificates in the near term (within one year of root certificate distribution by the Program). From 2f58a9dd29f80e5a7329d497091b45db8e10a485 Mon Sep 17 00:00:00 2001 From: Karina Sirota Date: Wed, 11 Mar 2026 00:18:08 -0500 Subject: [PATCH 4/4] Add incident reporting requirement for CAs Added requirement for Certificate Authorities to disclose incident reports in Bugzilla and notify Microsoft. --- Requirements.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/Requirements.md b/Requirements.md index 5ca4b59..12f3973 100644 --- a/Requirements.md +++ b/Requirements.md @@ -46,6 +46,8 @@ The Microsoft Trusted Root Program enables customers to trust Windows products b **2.1.17.** Certificate Authorities MUST update their Certificate Policy (CP) and Certification Practice Statement (CPS) documents before applying any change in operations. The updated documents must be made publicly available and communicated to Microsoft. CAs should provide these updates by updating the CCADB. CAs MUST update the changelog in their CP/CPS documents with what changes were made. +**2.1.18** Certificate Authorities MUST publicly disclose and/or respond to incident reports in Bugzilla, including incidents that the Program Participant believes to be low‑impact, procedural, or non‑security‑relevant. Incident reports MUST be submitted in accordance with the current CCADB Incident Report format and applicable disclosure timelines, which can be found here: . If a Program Participant has not yet publicly disclosed an incident in Bugzilla, the Participant MUST promptly notify msroot [at] microsoft.com and MUST provide an initial public disclosure timeline. + ## 3. Program Technical Requirements
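Review bot: in the new 3.4.3 (PATCH 1/4) the effective date and the grandfathering date do not line up: the requirement applies to roots "submitted on or after July 1, 2026", yet the final sentence says roots "submitted prior to January 1, 2027 that assert multiple EKUs will continue to be trusted", so a multi-EKU root submitted between July 1, 2026 and January 1, 2027 is both prohibited and grandfathered. Pick one date, or state that the July 2026 date governs acceptance of new submissions and the January 2027 date governs continued trust of already-distributed roots. Smaller points in the same hunk: the opening line "Effective for all root certificates submitted on or after July 1, 2026:" is immediately repeated verbatim by the first sentence of the body, so one of the two can go; "allowed.Root certificates" is missing a space; "SMIME" should be "S/MIME" to match the preceding sentence; and "**3.4.3**" lacks the trailing period used by "**3.4.1.**" and the other section numbers.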
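Review bot: the rewritten 3.1.8 (PATCH 2/4) drops the minimum validity ("a minimum of eight years") along with lowering the maximum, but the commit message only mentions the new 10-year maximum; if removing the minimum is intentional, say so in the message, otherwise keep it. Because the clause carries "effective July 1, 2026" while the previous 8-to-25-year rule is deleted outright, the document no longer states what applies to roots submitted before that date; either keep the old sentence for submissions before July 1, 2026 or phrase it the way 3.4.3 does ("Effective for all root certificates submitted on or after July 1, 2026, ..."). Also "valid for a maximum 10 years" should read "valid for a maximum of 10 years".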
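Review bot: the new 3.3.3 (PATCH 3/4) references the Unified Security Operations criteria "... and related behaviors: ." with nothing between the colon and the period, so the link the sentence promises was never inserted; add the URL or drop the colon. The hunk also adds a blank line before 3.3.2 and two blank lines after 3.3.3 (`+` followed by `+ +`), which breaks the single-blank-line spacing of the surrounding sections, and "**3.3.3**" is missing the trailing period that "**3.3.1.**" and "**3.3.2.**" carry.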
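Review bot: the new 2.1.18 (PATCH 4/4) has the same dangling reference as 3.3.3, "which can be found here: ." with no URL for the CCADB Incident Report format and disclosure timelines, so the MUST is currently unverifiable by a reader; add the link. "Bugzilla" is not qualified, so say which Bugzilla instance is meant, and "MUST promptly notify" leaves "promptly" undefined where the rest of the sentence talks about timelines; consider a concrete window. The contact address is written as "msroot [at] microsoft.com"; if the obfuscation is deliberate for a public document, fine, otherwise use the plain address. The phrase "low‑impact, procedural, or non‑security‑relevant" uses non-ASCII hyphen characters where the rest of the file uses plain hyphens, and "**2.1.18**" lacks the trailing period of "**2.1.17.**".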