| Line 49: | Line 49: | ||
= Potential Problems, Prevention, Response= | = Potential Problems, Prevention, Response= | ||
While CA incidents have differing levels of severity, there are some components which every CA should be able to avoid which are red flags for Mozilla in terms of a continued trust relationship, and which would lead to an investigation. They are: | While [[CA/Responding_To_An_Incident|CA incidents]] have differing levels of severity, there are some components which every CA should be able to avoid which are red flags for Mozilla in terms of a continued trust relationship, and which would lead to an investigation. They are: | ||
* Deliberate violation of Mozilla or other applicable policy | * Deliberate violation of Mozilla or other applicable policy | ||
* Lying or deception | * Lying or deception | ||
| Line 64: | Line 64: | ||
[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy] describes the steps that Mozilla takes to evaluate and respond to security concerns related to certificate operation and issuance. The following list may be used as a guideline of what to expect when certain types of issues are found, but this list is non-binding because the necessary actions and responses will vary depending on the situation. | [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy] describes the steps that Mozilla takes to evaluate and respond to security concerns related to certificate operation and issuance. The following list may be used as a guideline of what to expect when certain types of issues are found, but this list is non-binding because the necessary actions and responses will vary depending on the situation. | ||
'''Problem:''' CA mis-issued a small number of SSL certificates that they can enumerate | '''Problem:''' CA mis-issued a small number of SSL certificates that they can enumerate | ||
* Immediate Minimum Response: Open a CA compliance | * Immediate Minimum Response: Open a [https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Mis-Issuance CA compliance] and request an [https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report incident report]. | ||
* Depending on the situation, also consider adding the certificates to OneCRL. | * Depending on the situation, also consider adding the certificates to [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL]. | ||
'''Problem:''' CA mis-issued a small number of email certificates that they can enumerate | '''Problem:''' CA mis-issued a small number of email certificates that they can enumerate | ||
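Review bot: The rewritten first bullet in this hunk reads "Open a [... CA compliance] and request an [... incident report]." and drops the noun after the link, so the sentence tells the reader to open a "CA compliance" rather than a CA compliance bug; the hunk at Line 99 in this same revision spells it out as "[... CA compliance] bug". Suggest making the two consistent: "Open a [https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Mis-Issuance CA compliance] bug and request an [https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report incident report]."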
| Line 83: | Line 74: | ||
'''Problem:''' CA mis-issued a large number (e.g. hundreds) of end-entity certificates that they can enumerate | '''Problem:''' CA mis-issued a large number (e.g. hundreds) of end-entity certificates that they can enumerate | ||
* Immediate Minimum Response: Open a CA compliance | * Immediate Minimum Response: Open a [https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Mis-Issuance CA compliance] and request an [https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report incident report]. | ||
* Depending on the situation, also consider adding the intermediate CA certificate(s) to OneCRL, distrusting the root certificate that the mis-issued certificates chain up to, or all of the root certificates owned by that CA. | * Depending on the situation, also consider adding the intermediate CA certificate(s) to [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL], distrusting the root certificate that the mis-issued certificates chain up to, or all of the root certificates owned by that CA. | ||
'''Problem:''' CA mis-issued an unknown number of un-enumerated end-entity certificates | '''Problem:''' CA mis-issued an unknown number of un-enumerated end-entity certificates | ||
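Review bot: Same omission as in the previous hunk: the new first bullet says "Open a [... CA compliance] and request an [... incident report]." with the word "bug" missing after the link text, whereas the Line 99 hunk writes "[... CA compliance] bug". Suggest inserting "bug" after the link so the three response bullets use the same wording for filing the compliance bug.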
| Line 99: | Line 90: | ||
'''Problem:''' CA failed to supply proper audit documentation, or audit report contains numerous and/or serious qualifications | '''Problem:''' CA failed to supply proper audit documentation, or audit report contains numerous and/or serious qualifications | ||
* Immediate Minimum Response: File a [https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Mis-Issuance CA compliance] bug | * Immediate Minimum Response: File a [https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Mis-Issuance CA compliance] bug, request that the CA respond with remediation plans, and request an [https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report incident report] | ||
* Depending on the situation, also consider requiring the CA to undergo new period-of-time audits as soon as the problems have been resolved. If the same problems are included on the new audit reports, they must state the dates on which the problems were resolved. | * Depending on the situation, also consider requiring the CA to undergo new period-of-time audits as soon as the problems have been resolved. If the same problems are included on the new audit reports, they must state the dates on which the problems were resolved. | ||