CA/Bug Triage


CA Program Bugzilla Dashboards

Bug Triage in Mozilla's CA Certificate Program

Mozilla’s CA Certificate Program governs inclusion of root certificates in Network Security Services (NSS), a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of products.

The Bugzilla products/components related to the CA Certificate Program are:

The CA Certificate Program deviates from Mozilla's standardized Bugzilla Bug Triage process by not using bug priorities (P1, P2, P3, or P5), because CA Certificate Root Program bugs do not directly include code changes to Mozilla's release trains or iterations.

CA Program Whiteboard Tags

Compliance Problems and Incidents

To report a concern about certificates being issued by a CA in Mozilla's Program, or their audit statements:

If the bug is in regards to CA certificate issuance, then the bug summary should begin with the CA name, so sorting the bugs by Summary will sort the bugs by CA.

Open CA Compliance bugs:

If the concern is in regards to audit statements not containing expected information, then the bug summary should begin with the auditor's name, so sorting the bugs by Summary will sort the bugs by auditor name.

Open Auditor Compliance bugs:

The whiteboard tags for NSS :: CA Certificate Compliance are:

Root Inclusion/Change requests and EV Treatment Enablement Requests

A representative of a CA may begin the process of root inclusion, change, or ev-enablement by filing a Bugzilla Bug as described here:

The whiteboard tags for NSS :: CA Certificate Root Program are:

  • [ca-initial] -- not enough information to begin the Information Verification phase, or not yet assigned to someone to do the Information Verification
  • [ca-verifying] -- in Information Verification phase. This is a high-level review to ensure that all of the required data has been provided and the appropriate tests run.
  • [ca-cps-review] -- in Detailed Review phase, in which all of the relevant CP/CPS and audit documents will be thoroughly reviewed. During this phase, the CA may be required to update their CP/CPS and audit documents to become fully aligned with Mozilla's Root Store Policy.
  • [ca-ready-for-discussion yyyy-mm-dd] -- Information Verification and Detailed Review phases complete. Ready for public discussion. Add the date on which the Detailed Review phase was completed inside the tag, as shown.
  • [ca-in-discussion] -- in discussion in the forum.
  • [ca-discussion-hold] -- discussion on hold, pending CA actions.
  • [ca-hold] -- CA's request is on hold, typically because the CA is a super-CA, so all of their subCAs have to achieve inclusion first.
  • [ca-pending-approval] -- final notice of intent to approve the CA's request.
  • [ca-approved] -- request is approved and is pending code changes in NSS. This tag also covers certificates that are already in NSS and are pending code changes in PSM.
  • [ca-denied] -- request was denied. Under normal circumstances the CA may submit a new root inclusion request for a new root certificate that fully complies with Mozilla's Root Store policy.

CA Audit Statement Bugs

  • [ca-audits] -- One bug may be created per CA to store audit statements or CP/CPS documents.
    • Link to create ca-audit bug
    • Make sure the bug has the correct product/component for the CA Certificate Program, which is NSS :: CA Certificate Root Program
    • Add [ca-audits] to the Whiteboard
    • Add Comment: "This bug may continue to be used for uploading audit statements and documents for this CA."
    • Close bug as RESOLVED | WORKSFORME
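As an added illustration (not tooling from the page or from Mozilla), the small Python script below parses the whiteboard tags described above, groups Root Program bugs by phase for a dashboard view, and flags bugs that deviate from the conventions: more than one phase tag, a [ca-ready-for-discussion] tag without its date, a [ca-audits] bug not closed as RESOLVED | WORKSFORME, or the wrong component. The bug records are constructed samples in the shape of Bugzilla REST API bug objects; the ids are not real bugs.

```python
import re

# Root Program phase tags from this page, in workflow order; a bug should carry one.
ROOT_PROGRAM_PHASES = [
    "ca-initial", "ca-verifying", "ca-cps-review", "ca-ready-for-discussion",
    "ca-in-discussion", "ca-discussion-hold", "ca-hold", "ca-pending-approval",
    "ca-approved", "ca-denied",
]
ROOT_PROGRAM_COMPONENT = "CA Certificate Root Program"
# A tag is "[ca-xxx]", optionally followed by a yyyy-mm-dd date (ca-ready-for-discussion).
TAG_RE = re.compile(r"\[(ca-[a-z-]+)(?:\s+(\d{4}-\d{2}-\d{2}))?\]")

def parse_whiteboard(whiteboard):
    """Return (tag, date_or_None) pairs found in a Bugzilla whiteboard string."""
    return [(m.group(1), m.group(2)) for m in TAG_RE.finditer(whiteboard)]

def triage_problems(bug):
    """List the ways one bug deviates from the tagging conventions on this page."""
    problems = []
    tags = parse_whiteboard(bug.get("whiteboard", ""))
    phases = [t for t, _ in tags if t in ROOT_PROGRAM_PHASES]
    if len(phases) > 1:
        problems.append("more than one phase tag: " + ", ".join(phases))
    for tag, date in tags:
        if tag == "ca-ready-for-discussion" and date is None:
            problems.append("ca-ready-for-discussion is missing its completion date")
        if tag == "ca-audits" and (bug.get("status"), bug.get("resolution")) != ("RESOLVED", "WORKSFORME"):
            problems.append("ca-audits bug should be closed as RESOLVED | WORKSFORME")
    # Phase tags and ca-audits belong to NSS :: CA Certificate Root Program.
    if (phases or any(t == "ca-audits" for t, _ in tags)) and bug.get("component") != ROOT_PROGRAM_COMPONENT:
        problems.append("expected component NSS :: " + ROOT_PROGRAM_COMPONENT)
    return problems

def group_by_phase(bugs):
    """Dashboard view: map each phase tag to the ids of the bugs currently carrying it."""
    groups = {}
    for bug in bugs:
        for tag, _ in parse_whiteboard(bug.get("whiteboard", "")):
            if tag in ROOT_PROGRAM_PHASES:
                groups.setdefault(tag, []).append(bug["id"])
    return groups

# Constructed sample records shaped like Bugzilla REST API bug objects (ids are not real bugs).
SAMPLE_BUGS = [
    {"id": 1, "component": ROOT_PROGRAM_COMPONENT, "status": "NEW", "resolution": "", "whiteboard": "[ca-ready-for-discussion 2023-04-01]"},
    {"id": 2, "component": ROOT_PROGRAM_COMPONENT, "status": "NEW", "resolution": "", "whiteboard": "[ca-ready-for-discussion]"},
    {"id": 3, "component": ROOT_PROGRAM_COMPONENT, "status": "RESOLVED", "resolution": "WORKSFORME", "whiteboard": "[ca-audits]"},
    {"id": 4, "component": "CA Certificate Compliance", "status": "NEW", "resolution": "", "whiteboard": "[ca-initial] [ca-approved]"},
]
```

Against real data the same functions can be fed the `bugs` array returned by a Bugzilla REST `/rest/bug` query restricted to the NSS product.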

CA Program Process or Policy Related Bugs

Certificate Revocation Related Bugs

  • [ca-onecrl] -- bugs related to updating entries in OneCRL. Under normal circumstances a Bugzilla Bug is not needed for this. Rather, the CA should report the revocation via the Common CA Database.
  • OneCRL Entries Generated -- bugs for verifying OneCRL entries before they are pushed to production. These bugs are automatically generated from CCADB for standard revocations of intermediate certificates that are reported by CAs. Otherwise these bugs are generated by manually running the tools for specially requested additions to OneCRL.