CA/Bug Triage

From MozillaWiki

CA Program Bugzilla Dashboards

Bug Triage in Mozilla's CA Certificate Program

Mozilla’s CA Certificate Program governs inclusion of root certificates in Network Security Services (NSS), a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of products.

The Bugzilla products/components related to the CA Certificate Program are:

The CA Certificate Program deviates from Mozilla's standardized Bugzilla Bug Triage process for bug priorities (P1, P2, P3, P4, P5). Priorities are not used for CA compliance bugs because they do not directly include code changes to Mozilla's release trains or iterations. Priorities are used, however, for tracking CCADB enhancements and for prioritizing root inclusion requests. See https://wiki.mozilla.org/CA/Prioritization.

Compliance Problems and Incidents

To report a concern about certificates being issued by a CA in Mozilla's Program, or their audit statements:

If the bug concerns CA certificate issuance, then the bug summary should begin with the CA name (followed by a colon and then a space), so that sorting the bugs by Summary will sort the bugs by CA.

Open CA Compliance bugs: https://wiki.mozilla.org/CA/Incident_Dashboard

If the bug concerns audit statements not containing expected information, then the bug summary should begin with the auditor's name, so that sorting the bugs by Summary will sort the bugs by auditor name.

Open Auditor Compliance bugs: https://wiki.mozilla.org/CA/Auditor_Compliance

The whiteboard tags for CA Program :: CA Certificate Compliance include:

New Whiteboard Tags appended to [ca-compliance] include the following:

  • [ca-misissuance] mis-issuance of a CA certificate
  • [dv-misissuance] mis-issuance of a DV certificate
  • [ov-misissuance] mis-issuance of an OV end-entity certificate
  • [ev-misissuance] mis-issuance of an EV end-entity certificate
  • [crl-failure] failure to provide certificate status via CRL; malformed, expired CRL
  • [ocsp-failure] failure to provide certificate status via OCSP; malformed, expired OCSP
  • [policy-failure] failure to update CP/CPS annually, failure to comply with practice in CP/CPS, misunderstanding requirements, failed implementation
  • [disclosure-failure] failure to disclose an ICA, failure to report revocation of an ICA, non-disclosure-of-EV-sources, miscommunication, poor communication, etc.
  • [audit-failure] failure to perform an audit, failure to upload audits, etc.

Root Inclusion/Change requests and EV Treatment Enablement Requests

A representative of a CA may begin the process of root inclusion, change, or EV enablement by filing a Bugzilla Bug as described here:

Root Inclusion Requests are prioritized as described here:

The whiteboard tags for CA Program :: CA Certificate Root Program are:

CA Audit Statement Bugs

  • [ca-audits] -- One bug may be created per CA to store audit statements or CP/CPS documents.
    • Link to create ca-audit bug
    • Make sure the bug has the correct product/component for the CA Certificate Program, which is CA Program :: CA Documents
    • Add [ca-audits] to the Whiteboard
    • Add Comment: "This bug may continue to be used for uploading audit statements and documents for this CA."
    • Close bug as RESOLVED | WORKSFORME

CA Program Process or Policy Related Bugs

Certificate Revocation Related Bugs

  • [ca-onecrl] -- bugs related to updating entries in OneCRL. Under normal circumstances a Bugzilla Bug is not needed for this. Rather, the CA should report the revocation via the Common CA Database.
  • OneCRL Entries Generated -- bugs for verifying OneCRL entries before they are pushed to production. These bugs are automatically generated from CCADB for standard revocations of intermediate certificates that are reported by CAs. Otherwise these bugs are generated by manually running the tools for specially requested additions to OneCRL.

Common CA Database (CCADB)

The Priority field is used for Common CA Database bugs as follows:

  • P1 - In Progress and being actively worked on
  • P2 - Needs to be started soon
  • P3 - Ongoing project that is being done as time permits
  • P4 - To be scheduled for work later