From 0231ed84662a5c11f3f624b0845fb550b0de9014 Mon Sep 17 00:00:00 2001 From: Karina Sirota Date: Fri, 10 Oct 2025 12:08:25 -0500 Subject: [PATCH 1/2] Add Relevant Standards and No Exceptions Policies --- Requirements.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/Requirements.md b/Requirements.md index 7710d07..ed22122 100644 --- a/Requirements.md +++ b/Requirements.md 
@@ -36,7 +36,18 @@ The Microsoft Trusted Root Program enables customers to trust Windows products b **2.1.12.** Program Participants agree that Microsoft may contact customers that Microsoft believes may be substantially impacted by the pending removal of a root CA from the Program. -**2.1.13.** If Microsoft, in its sole discretion, identifies a certificate whose usage or attributes are determined to be contrary to the objectives of the Trusted Root Program, Microsoft will notify the responsible CA and request that it revokes the certificate. The CA must either revoke the certificate or request an exception from Microsoft within 24 hours of receiving Microsoft's notice. Microsoft will review submitted material and inform the CA of its final decision to grant or deny the exception at its sole discretion. In the event that Microsoft doesn't grant the exception, the CA must revoke the certificate within 24 hours of the exception being denied. +**2.1.13.** If Microsoft, in its sole discretion, identifies a certificate whose usage or attributes are determined to be contrary to the objectives of the Trusted Root Program or the Baseline Requirements, Microsoft will notify the responsible CA and request that it revokes the certificate. The CA must revoke the certificate within 24 hours of receiving Microsoft's notice. + +**2.1.14.** CAs trusted by Microsoft products must comply with the most recent and applicable Baseline Requirements (BRs) for the type of certificate they issue, as defined by the CA/Browser Forum and other relevant industry bodies. This includes, but is not limited to: TLS Server Authentication Certificates – CA/Browser Forum Baseline Requirements for TLS, Code Signing Certificates – CA/Browser Forum Code Signing Baseline Requirements, S/MIME Certificates – CA/Browser Forum S/MIME Baseline Requirements. Where Microsoft policy imposes stricter requirements than the applicable BRs, CAs are expected to adhere to Microsoft’s requirements. 
+ +**2.1.15.** No single organization, including Microsoft, has the authority to grant exceptions to the Baseline Requirements. Microsoft will not grant exceptions under any circumstances. + +**2.1.16.** TRP Participants MUST adhere to the latest version of the CCADB Policy. + +**2.1.17.** All publicly-trusted subscriber TLS certificates must be logged within 24 hours to a Certificate Transparency (CT) Log that complies with RFC 6962, "Certificate Transparency." Certificates issued must include at least two SCTs (Signed Certificate Timestamp) from distinct CT Logs that were Qualified, Usable, or ReadOnly at the time of check. + +**2.1.18.** Certificate Authorities must update their Certificate Policy (CP) and Certification Practice Statement (CPS) documents within 7 calendar days following any change in operations, relevant standards, or industry requirements. The updated documents must be made publicly available and communicated to Microsoft within the same timeframe. CAs should provide these updates by updating the CCADB. CAs MUST update the changelog in their CP/CPS documents with what changes were made. + ## 3. Program Technical Requirements From abac317137f6b666a9217e389e5fac62e964fb15 Mon Sep 17 00:00:00 2001 From: Karina Sirota Date: Tue, 28 Oct 2025 11:07:45 -0500 Subject: [PATCH 2/2] Update Requirements.md Co-authored-by: Dimitris Zacharopoulos --- Requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Requirements.md b/Requirements.md index ed22122..92c7c64 100644 --- a/Requirements.md +++ b/Requirements.md 
@@ -46,7 +46,7 @@ The Microsoft Trusted Root Program enables customers to trust Windows products b **2.1.17.** All publicly-trusted subscriber TLS certificates must be logged within 24 hours to a Certificate Transparency (CT) Log that complies with RFC 6962, "Certificate Transparency." Certificates issued must include at least two SCTs (Signed Certificate Timestamp) from distinct CT Logs that were Qualified, Usable, or ReadOnly at the time of check. -**2.1.18.** Certificate Authorities must update their Certificate Policy (CP) and Certification Practice Statement (CPS) documents within 7 calendar days following any change in operations, relevant standards, or industry requirements. The updated documents must be made publicly available and communicated to Microsoft within the same timeframe. CAs should provide these updates by updating the CCADB. CAs MUST update the changelog in their CP/CPS documents with what changes were made. +**2.1.18.** Certificate Authorities must update their Certificate Policy (CP) and Certification Practice Statement (CPS) documents before applying any change in operations. The updated documents must be made publicly available and communicated to Microsoft. CAs should provide these updates by updating the CCADB. CAs MUST update the changelog in their CP/CPS documents with what changes were made.
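Review bot: in the first hunk (PATCH 1/2, @@ -36,7 +36,18 @@), new section 2.1.17 leaves the 24-hour logging clock without a reference point and "at the time of check" without a defined check, and its two sentences pull in different directions: embedding at least two SCTs in the issued certificate means the (pre)certificate must already be logged before issuance, so "logged within 24 hours" only makes sense if it is meant for the final certificate after issuance. Suggest stating the reference point explicitly, e.g. "...must be logged to at least two CT Logs no later than 24 hours after issuance; the certificate MUST embed at least two SCTs from distinct CT Logs that were Qualified, Usable, or ReadOnly at the time of issuance." Smaller points in the same hunk: 2.1.14's inline "This includes, but is not limited to: TLS Server Authentication Certificates – ..., Code Signing Certificates – ..., S/MIME Certificates – ..." would read better as a bulleted list in the Markdown style Requirements.md already uses; the regulated party is named four different ways ("Program Participants", "CAs trusted by Microsoft products", "TRP Participants", "Certificate Authorities") where one defined term should be used; "request that it revokes" in 2.1.13 should be "request that it revoke"; and the capitalised MUST in 2.1.16 and 2.1.18 sits beside lower-case "must" in the neighbouring sections, so if RFC 2119 key words are intended that should be stated once and applied consistently.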
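Review bot: in the second hunk (PATCH 2/2, @@ -46,7 +46,7 @@), the rewritten 2.1.18 loses two things the previous wording had: the second sentence dropped "within the same timeframe", so public availability and communication to Microsoft now have no deadline at all, and the triggers "relevant standards, or industry requirements" are gone, so a CP/CPS update required by a new BR or CCADB Policy version is no longer covered. Suggest keeping both, e.g. "... must update their CP and CPS before any change in operations, and before any change in the applicable Baseline Requirements or other relevant industry requirements, takes effect. The updated documents must be made publicly available and communicated to Microsoft via the CCADB before that same date." "Before applying any change" also sets no minimum lead time; if the intent is that relying parties can read the new CPS before the CA operates under it, a short stated lead time would make that auditable.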