CA/Application Process

39 bytes added, 21:18, 8 November 2022
Process Overview: Added link to CCADB web page
Approval of one root certificate does '''not''' imply that other root certificates owned by the same CA would be accepted.
It typically takes up to '''two years''' for a new CA to make it from one end of the process to the other. If the CA does not provide requested information in a timely manner, then the application can take even longer, or may be cancelled.
The overall steps of the CA certificate inclusion and update process are as follows. There are [[CA/Bug_Triage#Root_Inclusion.2FChange_requests_and_EV_Treatment_Enablement_Requests|Bugzilla Bug Whiteboard tags]] corresponding to many of these steps.
 
'''Parts of this root inclusion process are also set forth on the [https://www.ccadb.org/cas/public-group#root-inclusion-public-discussion CCADB website].'''
 
# A representative of the CA
#* [[CA/Application_Instructions#Create_Root_Inclusion.2FUpdate_Request|submits a request for root inclusion]] in both Bugzilla and in the CCADB (a representative of Mozilla issues a [https://ccadb.org Common CA Database (CCADB)] license to the [[CA/Information_Checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]] for the CA), and
#* [[CA/Information_Checklist | provides information about the CA and operation of the root certificate(s).]]
#* All information provided by the CA must be publicly available.
#* If the CA contracts to another organization to help with the root inclusion request, the representative of the CA must clarify that relationship in their request, and must provide clear information about who the ongoing [[CA/Information_Checklist#CA_Primary_Point_of_Contact_.28POC.29|points-of-contact]] will be for the CA.
# A representative of Mozilla or another Root Store Member of the CCADB [[CA/Application_Verification#Information_Verification|confirms all information was provided by the CA]]. '''NEW:''' See [https://www.ccadb.org/cas/public-group#root-inclusion-public-discussion "Prerequisites" to public discussion] that is conducted on the [https://groups.google.com/a/ccadb.org/g/public CCADB discussion list!]
# [[CA/Application_Verification#Public_discussion|Public discussion]] for a six-week period begins on the [https://groups.google.com/a/ccadb.org/g/public CCADB discussion list]. If no concerns are raised during that time period, then the discussion may close and the request may proceed to the approval phase.
# During the public-discussion phase, a representative of Mozilla, another Root Store Member of the CCADB, or the Community (as agreed by a Mozilla representative) performs a [[CA/Application_Verification#Detailed_Review|detailed review of the CA’s CP/CPS and audit documents]]. During this phase, the CA may be required to update their CP/CPS and audit documents to become fully aligned with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy].
#* [[CA/CPS_Review|Previous detailed reviews of CA CP/CPS and audit documents]]
# A representative of the CA responds to questions and concerns posted during the public discussion of the CA's request. The CA also completes action items resulting from the public discussion, which may include updating processes, documentation, and audits.
#* A discussion may be extended beyond the initial comment period if concerns or questions are raised that require further attention.
#* A discussion may be put on hold, pending a CA action item, such that the discussion may continue as soon as the CA has provided the requested information.
#* A representative of Mozilla or another Root Store Member of the CCADB confirms the completion of the action items and continues public discussion if needed.
# At the end of the six-week public discussion period, a representative of Mozilla or the Root Store Member who initiated the public discussion provides a summary within 5 business days noting any objections or open questions that did not receive a response from the CA owner and states the public discussion period has concluded.
#* If there are outstanding issues that need to be addressed (e.g., a need for further information, or concerns about CA practices) then the request may be closed, moved back to the Information Verification phase, or put on hold pending future discussion after the CA has addressed the concerns.