Security/Features/CA Policy Constraints in Code

Status

CA Policy Constraint Checking in Code
Stage Draft
Status `
Release target `
Health OK
Status note `

Team

Product manager Sid Stamm
Directly Responsible Individual `
Lead engineer `
Security lead `
Privacy lead `
Localization lead `
Accessibility lead `
QA lead `
UX lead `
Product marketing lead `
Operations lead `
Additional members Kathleen Wilson

Open issues/risks

`

Stage 1: Definition

1. Feature overview

Enforce important policy requirements in code, such as enforcing EKUs down the chain (Bug #725351) and enforcing SHA-1 transitions (Bug #942515).

Note that there are two parts to this: 1) adding checks to NSS and PSM as deemed appropriate, and 2) creating a test suite to track progress towards compliance and determine if/when additional checks should be added to NSS and PSM.

For the test suite, the tests should check for Mozilla CA Policy compliance, BR compliance, and (optionally) EV compliance. As we gather data about how well these policies are being followed, we can determine which checks should be added directly to PSM. We should be able to run the tests separately for a cert chain or website, and over data such as the EFF or CT data. The tests should provide info about the cert chain and the policies that are not being followed. Things the tests should check for:

Note that the weak key issue is being tracked in a separate feature page: https://wiki.mozilla.org/Security/Features/Certs_Disallow_Weak_Keys
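
A sketch of how one test in such a suite could report the two checks named in the overview (EKUs down the chain, SHA-1 transition) for a single cert chain. This is an added example, not NSS or PSM code. The `Cert` model, the rule that a missing EKU extension means unrestricted, the acceptance of `anyExtendedKeyUsage`, and the cutoff date are assumptions for illustration, and all sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

ANY_EKU = "anyExtendedKeyUsage"
SHA1_SIG_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}

@dataclass
class Cert:
    """Already-parsed certificate fields (hypothetical model, not an NSS type)."""
    subject: str
    sig_alg: str
    not_before: date
    eku: Optional[Set[str]] = None  # None: no EKU extension, treated as unrestricted (assumption)

def check_chain(chain: List[Cert], required_eku: str, sha1_cutoff: date) -> List[str]:
    """chain is ordered leaf first, trust anchor last. Returns findings; empty means pass."""
    findings = []
    for cert in chain[:-1]:  # the trust anchor's own EKU and signature are not evaluated
        # EKU down the chain: an EKU extension on the leaf or any intermediate
        # must permit the usage the chain is being validated for.
        if cert.eku is not None and not ({required_eku, ANY_EKU} & cert.eku):
            findings.append(f"EKU: {cert.subject} does not permit {required_eku}")
        # SHA-1 transition: flag SHA-1 signatures on certs issued on or after the cutoff.
        if cert.sig_alg in SHA1_SIG_ALGS and cert.not_before >= sha1_cutoff:
            findings.append(f"SHA-1: {cert.subject} signed with {cert.sig_alg}")
    return findings

# Constructed sample data; names, dates and the cutoff are placeholders, not policy values.
CUTOFF = date(2000, 1, 1)
ROOT = Cert("Example Root", "sha1WithRSAEncryption", date(1999, 1, 1))
GOOD_CHAIN = [
    Cert("www.example.test", "sha256WithRSAEncryption", date(2001, 6, 1), {"serverAuth"}),
    Cert("Example TLS CA", "sha256WithRSAEncryption", date(2000, 6, 1), {"serverAuth", "clientAuth"}),
    ROOT,
]
BAD_CHAIN = [
    Cert("mail.example.test", "sha1WithRSAEncryption", date(2001, 6, 1), {"serverAuth"}),
    Cert("Example Email CA", "sha256WithRSAEncryption", date(2000, 6, 1), {"emailProtection"}),
    ROOT,
]

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(name, check_chain(chain, "serverAuth", CUTOFF) or "no findings")
```

Returning findings as a list rather than a pass/fail result matches the stated goal of gathering data on how well policies are followed before deciding which checks to enforce.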

2. Users & use cases

We can automatically detect and block unsafe certificate configurations and weak HTTPS connections.

3. Dependencies

`

4. Requirements

`

Non-goals

`

Stage 2: Design

5. Functional specification

`

6. User experience design

`

Stage 3: Planning

7. Implementation plan

`

8. Reviews

Security review

`

Privacy review

`

Localization review

`

Accessibility

`

Quality Assurance review

`

Operations review

`

Stage 4: Development

9. Implementation

`

Stage 5: Release

10. Landing criteria

`


Feature details

Priority P2
Rank 999
Theme / Goal Product Hardening
Roadmap Security
Secondary roadmap `
Feature list `
Project `
Engineering team Security

Team status notes

  status notes
Products ` `
Engineering ` `
Security ` `
Privacy ` `
Localization ` `
Accessibility ` `
Quality assurance ` `
User experience ` `
Product marketing ` `
Operations ` `