From MozillaWiki
Jump to: navigation, search

The internet secure communications system requires Certification Authorities (CAs) - parties trusted to attest to the identity of websites. Mozilla products ship a default list of CA certificates, which may change with each security patch or new version of the product. The following pages explain how the default list of CA certificates is managed.

Process Overview

It can take as long as two years for a new CA to make it from one end of the process to the other. If the CA does not provide requested information in a timely manner, then the application will take even longer, or be cancelled.

The overall steps of the CA certificate inclusion process are as follows.

  1. Carefully consider whether your CA needs to be directly included in Mozilla's root store or if it would be better for your CA to be a subordinate CA of an already-included CA.
    • If you control all the domains that use your root certificate, then you probably do not meet the criteria for inclusion in Mozilla's root store. Mozilla's CA Certificate Policy states: "We will determine which CA certificates are included in software products distributed by Mozilla, based on the benefits and risks of such inclusion to typical users of those products." With ALL affected domains under your control, your root certificate would not seem to create a benefit for typical Mozilla users, only for users of your services. Perhaps a better alternative would to be a subordinate CA of a CA who is already included in Mozilla's root store.
    • According to Mozilla's CA Certificate Policy: "We require that all CAs whose certificates are distributed with our software product ... provide some service relevant to typical users of our software products." It is the CA's responsibility to explain why their root needs to be included in NSS and explain how the inclusion will benefit typical Mozilla users.
  2. A representative of the CA submits a request for root inclusion.
    • If you would like to see a particular root certificate included in Mozilla products, then please contact the CA who operates that root certificate.
  3. A representative of the CA provides information about the CA and operation of the root certificate(s).
    • CP/CPS Documents will be reviewed, and must contain sufficient information for Mozilla and the CA Community to evaluate the CA's processes in regards to Mozilla's policies and the CA/Browser Forum's Baseline Requirements.
      • English translations must be provided for the relevant CP/CPS documents, and must match the current version of the CP/CPS documents.
  4. A representative of Mozilla verifies the information provided by the CA.
  5. A representative of Mozilla adds the request to the queue for public discussion.
  6. Anyone interested in the CA's application participates in discussions of CA requests further up in the queue.
  7. When the application reaches the head of the queue, a representative of Mozilla starts the public discussion for that particular CA.
    • We prefer that at least two independent parties review and comment upon each application.
  8. A representative of the CA responds to questions and concerns posted during the public discussion of the CA's request.
  9. A representative of Mozilla summarizes the discussion and resulting action items.
  10. A representative of the CA completes action items resulting from the public discussion, which may include updating processes, documentation, and audits.
  11. A representative of Mozilla confirms the completion of the action items and starts a second round of public discussion if needed.
  12. A representative of Mozilla concludes the public discussion of the CA's request.
  13. A representative of Mozilla summarizes the request and states the intent to approve the request for inclusion.
  14. A representative of Mozilla creates a bug requesting the actual changes in NSS (and PSM for EV treatment).
    • A representative of the CA confirms that all the data in the NSS bug is correct.
    • A representative of Mozilla creates a patch with the new CA certificates and trust bit settings, and provides a special test version of Firefox. Changes to NSS regarding CA certificate applications are usually grouped and done as a batch when there is either a large set of changes or about every 3 months.
    • A representative of the CA uses the test version of Firefox to confirm (by adding a comment in the NSS bug) that the correct certificate(s) is included and that the trust bits are correctly set.
    • A representative of Mozilla requests that another Mozilla representative review the patch.
    • A representative of Mozilla adds (commits) the patch to NSS, then closes the NSS bug as RESOLVED FIXED.
  15. Mozilla products move to using a version of NSS which contains the certificate changes. This process is mostly under the control of the release drivers for those products. See Mozilla's Release Calendar.
  16. After inclusion of the CA's root certificate, a representative of Mozilla issues a CA Community Salesforce license to the Primary Point of Contact for the CA.
  17. The CA enters data into the CA Community in Salesforce for:
    • All of the certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their root certificate(s) included in Mozilla’s CA Certificate Program that are not technically constrained as described in section 9 of Mozilla's CA Certificate Inclusion Policy.
    • Revoked intermediate certificates that chain to their certificate(s) included in Mozilla's CA Certificate Program.

Ways You Can Help

Our most pressing need is help with reviewing and contributing to the public discussions of CA applications. If a CA you care about is in the queue for public discussion, the best way to move it towards inclusion is to quickly and diligently review and contribute to discussions of the applications of CAs ahead of it.

Further Reading