Changes


CA/Required or Recommended Practices

279 bytes added, 23:28, 22 April 2021
Edits based on MRSP v. 2.7.1
* The format of the CP/CPS document must be PDF or another suitable format for reading documents. CAs should ''not'' use Microsoft Word or other formats intended primarily for editable documents.
* The CP/CPS must be available in an English version. The non-English version may be authoritative (as that's the working language of the CA) but the CA is responsible for ensuring that the translation is not materially different from the authoritative version of the document.
* As part of the inclusion process and the [https://wiki.mozilla.org/CA/BR_Self-Assessment Baseline Requirements selfSelf-assessmentAssessment], CAs must provide references to the CP/CPS sections (e.g., by section number and/or page number) that address the requirements of Mozilla policy and the Baseline Requirements.
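Review bot: the link label in the third bullet reads "Baseline Requirements selfSelf-assessmentAssessment", that is, the old lowercase spelling and the new capitalized spelling are run together; only one should remain, and "Self-Assessment" matches the linked page name CA/BR_Self-Assessment. The link could read `[https://wiki.mozilla.org/CA/BR_Self-Assessment Baseline Requirements Self-Assessment]`.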
===== CP/CPS Revision Table =====
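Review bot: "===== CP/CPS Revision Table =====" is a level-5 heading with no body under it, immediately followed by the level-3 "Audit Criteria" heading; either the revision-table content belongs here or the empty heading should be dropped, since an empty section gives CAs no indication of what the revision table is expected to contain.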
=== Audit Criteria ===
CAs must supply evidence of their being evaluated according to one or more of the criteria accepted as suitable per the Mozilla policy's [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#311-audit-criteria acceptable audit criteria].
* The CA must indicate exactly which criteria they are being evaluated against (i.e., which of the criteria listed in the Mozilla policy).
==== Complete Audit History ====
[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#71-inclusions Mozilla's Root Store Policy] states: "Before being included, CAs MUST provide evidence that their CA certificates fully comply with the current Mozilla Root Store Requirements and Baseline Requirements, and have continually, from the time of CA private key creation, complied with the then-current Mozilla Root Store Policy and Baseline Requirements." To meet this requirement CAs must provide public-facing audit statements for all of the audits that have been conducted from the time of root CA key creation, for both the root and the non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates in the hierarchy. This includes:
* Root key generation report
* Any Point in time audits
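Review bot: "Any Point in time audits" is inconsistently capitalized and unhyphenated compared with the surrounding text; "Any point-in-time audits" reads consistently with "Root key generation report" above it and with the audit terminology in the quoted policy paragraph.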
=== Network Security Controls ===
CAs must maintain current best practices for network security, and have qualified network security audits performed on a regular basis. The [https://www.cabforum.org/ CA/Browser Forum] has published a document called [https://www.cabforum.org/documents.html network-security-requirements/ Network and Certificate System Security Requirements] which should be used as guidance for protecting network and supporting systems.
It is expected that CAs do the following on a regular basis:
* Maintain network security controls that meet the [https://www.cabforum.org/documents.html network-security-requirements/ Network and Certificate System Security Requirements.]
* Check for mis-issuance of certificates, especially for high-profile domains.
* Review network infrastructure, monitoring, passwords, etc. for signs of intrusion or weakness.
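Review bot: in both the opening paragraph and the first bullet the external link reads `[https://www.cabforum.org/documents.html network-security-requirements/ Network and Certificate System Security Requirements]`; MediaWiki external-link syntax ends the URL at the first space, so this renders as a link to documents.html with a label that begins "network-security-requirements/ Network ...". Keep a single URL, e.g. `[https://www.cabforum.org/network-security-requirements/ Network and Certificate System Security Requirements]`, in both places, and in the bullet move the trailing period outside the closing bracket so it is not part of the link text.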