CA:RootTransferPolicy

From MozillaWiki

Root Transfer Policy

The purpose of this page is to document Mozilla’s expectations when the ownership of an included root certificate changes, the organization operating the PKI changes, and/or the private keys of the root certificate are moved to a new location. Throughout such a change, the operation of the root certificate’s private keys and certificate issuance must continue to meet the requirements of Mozilla’s CA Certificate Policy.

In general terms, an organization operating a root certificate included in Mozilla's program should be re-audited and notify Mozilla whenever there is a material change. The rest of this page discusses some instances that would be considered material changes.

Change in Legal Ownership

An example of a change in legal ownership is when one company buys another. This does not necessarily imply that the root certificate's private key will be physically moved to another location. It also does not necessarily imply that there will be a change in operation of the root certificate's private key and certificate hierarchy.

Another example of a change in legal ownership is when an organization buys a root certificate's private key. Such a transition may involve physically relocating the private key, and may involve a change in the key personnel who operate the root certificate's private key and the certificate hierarchy.

An organization operating a root certificate included in Mozilla's program should notify Mozilla whenever there is a change in legal ownership, and should inform Mozilla about resulting changes to the CP and/or CPS.

An organization operating a root certificate included in Mozilla's program should notify Mozilla whenever there is going to be a change of ownership of an included root certificate's private key. The organization that is transferring ownership of the root certificate’s private key must ensure that the transfer recipient is able to fully comply with Mozilla’s CA Certificate Policy. The original organization will continue to be responsible for the root certificate's private key until the transfer recipient has provided Mozilla with their Primary Point of Contact, CP/CPS documentation, and audit statement (or opinion letter) confirming successful transfer of the root certificate and key.

When transferring ownership of a root that is EV-enabled, it should be clearly stated whether the recipient of the root is also receiving the (right to use the) EV policy OID(s) and, if so, it should be confirmed that they have or will get the relevant audits before issuing EV certs.

Whenever the private key of an included root certificate is going to be physically moved to a new location, the steps outlined in the Physical Relocation section below should be followed. Whenever the organization (i.e. key personnel) operating the private key of an included root certificate is going to change, the steps outlined in the Personnel Changes section below should be followed.

No issuance whatsoever is permitted from a root certificate which has changed ownership by being sold by one company to another (as opposed to by acquisition of the owning company) until the receiving company has demonstrated to Mozilla that they have all the appropriate audits, CP/CPS documents and other systems in place. In addition, if the receiving company is new to the Mozilla root program, there must also be a public discussion regarding their admittance to the root program.

Physical Relocation

Mozilla's CA Certificate Policy and the relevant WebTrust and ETSI requirements apply at all times, including during the physical relocation of a CA's online operations to a new data center and the moving of parts of an offline root certificate from one location to another. As such, an organization operating a root certificate included in Mozilla's program must always ensure that physical access to CA equipment is limited to authorized individuals, that the equipment is operated under multiple-person (at least dual custody) control, and that unauthorized CA system usage can be detected at all times. The auditor must confirm that there are appropriate procedures in place to ensure that these requirements are met and that those procedures are followed.

Whenever a CA's online operations and/or the private key of an offline root certificate are going to be physically relocated to be operated by a new organization, the organizations involved should take the following steps, and immediately notify Mozilla if a problem occurs.

  1. Make sure the annual audit statements are current, and notify Mozilla of the pending change.
  2. Create a transfer plan (and legal agreement if more than one organization is involved) and have it reviewed by the auditors.
    • For example, the transfer should be a documented ceremony witnessed by auditors and recorded (for posterity), with a physical exchange of the HSM or ciphertext containing the associated key material and certificates, and a physical exchange of the multi-party authorization keys.
  3. Stop new certificate issuance at the current site before the transfer begins.
  4. Have an audit performed at the current site to confirm when the root certificate is ready for transfer, and to make sure the key material is properly secured.
  5. At the new site perform an audit to confirm that the transfer was successful, that the private key remained secure throughout the transfer, and that the root certificate is ready to resume issuance. This may be met by including the transferred root certificate and key in the new owner's regular audits (that meet the requirements of Mozilla's CA Certificate Policy); or by getting a PITRA (just as we expect any new root certificate to be audited).
  6. Send links to the updated CP/CPS and the updated audit statements, opinion letter, or PITRA statement to Mozilla.
  7. The regular annual audit statements are still expected to be delivered in a timely manner, or the root certificate may be removed.

When the physical relocation involves moving the certificate's private key to another organization, the original organization that is transferring the root certificate’s private key must ensure that the transfer recipient is able to fully comply with Mozilla’s CA Certificate Policy. The original organization will continue to be responsible for the root certificate until the transfer recipient has provided Mozilla with their Primary Point of Contact, CP/CPS documentation, and audit statement (or opinion letter) confirming successful transfer of the root certificate and key.

The new organization that received the root certificate's private key must follow Mozilla’s CA Certificate Policy, and send Mozilla links to the public-facing CP/CPS documentation and annual audit statements.

The agreement between the original organization and new organization must take the Websites (SSL/TLS), Email (S/MIME), and Code Signing trust bit settings into account, and the original organization must inform Mozilla if one or more of the trust bits should be turned off. Of course, to turn on a trust bit the new organization will have to go through Mozilla's root change process.

Personnel Changes

Personnel changes may include one or more of the following.

  • Operation of the PKI is transferred to a different organization that is already operating root certificates included in Mozilla’s program.
  • Operation of the PKI is transferred to a different organization that does not currently operate a root certificate included in Mozilla’s program.
  • The organization operating the PKI remains the same, but the organization personnel report to a new management structure.

If transferring the operation of the PKI to a different organization involves physically moving the root certificate's private key and/or the CA's online operations, then the steps outlined in the Physical Relocation section above must be followed.

In all cases, the organization that is transferring the operation of the PKI must ensure that the transfer recipient is able to fully comply with Mozilla’s CA Certificate Policy. The original organization will continue to be responsible for the root certificate until the new organization has provided Mozilla with their Primary Point of Contact, CP/CPS documentation, and audit statement (or opinion letter) confirming successful transfer of the root certificate and key.

The new organization operating the PKI must follow Mozilla’s CA Certificate Policy, and send Mozilla links to the public-facing CP/CPS documentation and annual audit statements.