CA:CertInclusionPolicyV2.0

From MozillaWiki
Jump to: navigation, search

This page is a snapshot of a previous version of Mozilla's CA Certificate Policy. Click here to view Mozilla's Current CA Certificate Policy.

Mozilla CA Certificate Inclusion Policy (Version 2.0)

This section of the Mozilla CA Certificate Policy describes the obligations of Certification Authorities applying for inclusion of their root certificates in Mozilla Products. This includes considerations that are taken into account such as the CA's publicly available documentation about their policies, and audits of the CA's operations in support of the documented policies.

This is the official Mozilla policy for Certification Authorities applying for inclusion of their CA Certificates to be distributed in Mozilla products:

  1. We will determine which CA certificates are included in software products distributed by Mozilla, based on the benefits and risks of such inclusion to typical users of those products.
  2. We will make such decisions through a public process, based on objective and verifiable criteria as described below.
  3. We will not charge any fees to have a CA's certificate(s) distributed with our software products.
  4. We reserve the right to not include a particular CA certificate in our software products. This includes (but is not limited to) cases where we believe that including a CA certificate (or setting its "trust bits" in a particular way) would cause undue risks to users' security, for example, with CAs that
    • knowingly issue certificates without the knowledge of the entities whose information is referenced in the
    • knowingly issue certificates that appear to be intended for fraudulent use.
    • This also includes (but again is not limited to) cases where we believe that including a CA certificate (or setting its "trust bits" in a particular way) might cause technical problems with the operation of our software, for example, with CAs that issue certificates that have
      • ASN.1 DER encoding errors;
      • invalid public keys (e.g., DSA certificates with 2048-bit primes, or RSA certificates with public exponent equal to 1);
      • duplicate issuer names and serial numbers;
      • incorrect extensions (e.g., SSL certificates that exclude SSL usage, or authority key IDs that include both the key ID and the issuer's issuer name and serial number); or
      • cRLDistributionPoints or OCSP authorityInfoAccess extensions for which no operational CRL or OCSP service exists.
  5. We will consider adding certificates for additional CAs to the default certificate set upon request only by an authorized representative of the subject CA.
  6. We require that all CAs whose certificates are distributed with our software products:
    • provide some service relevant to typical users of our software products;
    • publicly disclose information about their policies and business practices (e.g., in a Certificate Policy and Certification Practice Statement);
    • prior to issuing certificates, verify certificate signing requests in a manner that we deem acceptable for the stated purpose(s) of the certificates;
    • verify that all of the information that is included in SSL certificates remains current and correct at time intervals of thirty-nine months or less;
    • otherwise operate in accordance with published criteria that we deem acceptable; and
    • provide public attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties with access to details of the CA's internal operations.
  7. We consider verification of certificate signing requests to be acceptable if it meets or exceeds the following requirements:
    • all information that is supplied by the certificate subscriber must be verified by using an independent source of information or an alternative communication channel before it is included in the certificate;
    • for a certificate to be used for digitally signing or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate or has been authorized by the email account holder to act on the account holder's behalf;
    • for a certificate to be used for SSL-enabled servers, the CA takes reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on the registrant's behalf;
    • for certificates to be used for digitally signing code objects, the CA takes reasonable measures to verify that the entity submitting the certificate signing request is the same entity referenced in the certificate or has been authorized by the entity referenced in the certificate to act on that entity's behalf;
    • for certificates to be used for and marked as Extended Validation, the CA complies with Guidelines for the Issuance and Management of Extended Validation Certificates version 1.2 or later.
    • We reserve the right to use other requirements in the future.
  8. When the CA uses an email challenge-response mechanism to validate that the certificate subscriber has control of the requested domain, the CA must either use a mail system address from the technical or administrative contact information in the domain's WHOIS record, or one formed by prefacing the registered domain with one of the following local parts: admin, administrator, webmaster, hostmaster, or postmaster.
  9. We consider the criteria for CA operations published in any of the following documents to be acceptable:
  10. By "competent party" we mean a person or other entity who is authorized to perform audits according to the stated criteria (e.g., by the organization responsible for the criteria or by a relevant government agency) or for whom there is sufficient public information available to determine that the party is competent to judge the CA's conformance to the stated criteria. In the latter case the "public information" referred to should include information regarding the party's
    • knowledge of CA-related technical issues such as public key cryptography and related standards;
    • experience in performing security-related audits, evaluations, or risk analyses; and
    • honesty and objectivity.
  11. By "independent party" we mean a person or other entity who is not affiliated with the CA as an employee or director and for whom at least one of the following statements is true:
    • the party is not financially compensated by the CA;
    • the nature and amount of the party's financial compensation by the CA is publicly disclosed; or
    • the party is bound by law, government regulation, and/or a professional code of ethics to render an honest and objective judgement regarding the CA.
  12. We reserve the right to designate our own representative(s) to act as the competent independent party or parties described above, should that prove to be necessary and appropriate.
  13. The burden is on the CA to prove that it has met the above requirements. However the CA may request a preliminary determination from us regarding the acceptability of the criteria and/or the competent independent party or parties by which it proposes to meet the requirements of this policy.
  14. We rely on publicly disclosed documentation (e.g., in a Certificate Policy and Certification Practice Statement) and publicly disclosed audit statements to ascertain that the above requirements are met. Therefore, inclusion requests will only be considered if the following are true:
    • the publicly disclosed documentation provides sufficient information for Mozilla to determine whether and how the CA complies with this policy, including a description of the steps taken by the CA to verify certificate signing requests;
    • the documentation is available from the CA's official website; and
    • the public attestation of the CA's conformance to the stated verification requirements by a competent independent party indicates which policy documents were included in the review.
  15. To request that its certificate(s) be added to the default set a CA should submit a formal request by submitting a bug report into the mozilla.org Bugzilla system, filed against the "CA Certificates" component of the "mozilla.org" product. Mozilla's wiki page, Applying for root inclusion in Mozilla products, provides further details about how to submit a formal request. The request must be made by an authorized representative of the subject CA, and should include the following:
    • the certificate data (or links to the data) for the CA certificate(s) requested for inclusion;
    • for each CA certificate requested for inclusion, whether or not the CA issues certificates for each of the following purposes within the CA hierarchy associated with the CA certificate:
      • SSL-enabled servers,
      • digitally-signed and/or encrypted email, or
      • digitally-signed executable code objects;
    • for each CA certificate requested for inclusion, whether the CA issues Extended Validation certificates within the CA hierarchy associated with the CA certificate and, if so, the EV policy OID associated with the CA certificate;
    • a Certificate Policy and Certification Practice Statement (or links to a CP and CPS) or equivalent disclosure document(s) for the CA or CAs in question; and
    • information as to how the CA has fulfilled the requirements stated above regarding its verification of certificate signing requests and its conformance to a set of acceptable operational criteria.
    • We will reject requests where the CA does not provide such information within a reasonable period of time after submitting its request.
  16. We have appointed a CA certificate "module owner" and (optionally) one or more "peers" to evaluate CA requests on our behalf and make decisions regarding all matters relating to CA certificates included in our products. CAs or others objecting to a particular decision may appeal to the Mozilla governance module owner or peer(s), who will make a final decision.

This policy applies only to software products distributed by Mozilla, including the Mozilla Foundation and its subsidiaries. Other entities distributing such software are free to adopt their own policies. In particular, under the terms of the relevant Mozilla license(s) distributors of such software are permitted to add or delete CA certificates in the versions that they distribute, and are also permitted to modify the values of the "trust bits" on CA certificates in the default CA certificate set. As with other software modifications, by making such changes a distributor may affect its ability to use Mozilla trademarks in connection with its versions of the software; see the Mozilla trademark policy for more information.

Please contact Mozilla at certificates@mozilla.org for more information about this policy and answers to related questions.

We reserve the right to change this policy in the future. We will do so only after consulting with the public Mozilla community, in order to ensure that all views are taken into account.