CA/Compliance Self-Assessment

From MozillaWiki
< CA
Jump to: navigation, search

Compliance Self-Assessment

CAs with root certificates that have the websites trust bit set are required to perform self-assessments at various times to ensure that their CP and CPS documents and their practices continue to comply with the CA/Browser Forum's Baseline Requirements (BRs), Mozilla's Root Store Policy, and if applicable, the EV Guidelines. The preparation of this document reduces the load on the Mozilla administration team and makes it more likely the CA's request will be processed in a timely manner.


Compliance Self-Assessment - Annual

CAs with included root certificates that have the websites trust bit set must do an annual self-assessment of their compliance with the BRs and Mozilla's Root Store Policy using the above template. When completed, the self-assessment should be uploaded to CA's Bugzilla bug that is used for storing the CA's audit documents, if one exists. Otherwise, a new bug can be created within the "CA Documents" component of the CA Program in Bugzilla.

The BRs state: "The CA SHALL develop, implement, enforce, and annually update a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements."

CAs must update their CP and CPS documents at least once every year. You should indicate that this has happened by incrementing the version number and adding a dated changelog entry, even if no other changes are made to the CP and CPS documents.

Compliance Self-Assessment - Root Inclusion or Update

Mozilla's root inclusion/update process has a Public Discussion phase in which members of the community thoroughly review and discuss each CA's request.

Mozilla requires CAs to perform a side-by-side comparison of their CP and CPS documents to the BRs and Mozilla's Root Store Policy (and EV Guidelines, if applicable) using the above template. Compliance Self-Assessments can either be attached to their Bugzilla bug or uploaded to another location where they can be easily obtained. During the public discussion in the CCADB Public list, members of the community will use the CA's self-assessment document to perform their own review, confirm the accuracy of the CA's self-assessment, ask questions, raise concerns, etc.