CA:Schedule

From MozillaWiki
Jump to: navigation, search

Schedule for CA evaluations

Note that this schedule is tentative and may change without warning based on unforeseen circumstances. Nothing in this schedule shall be construed as a commitment by the Mozilla Foundation or the Mozilla project in general.

General timeline

Our process for evaluating CA requests is as follows:

  1. CAs will be added into the queue for public discussion after they have completed the Information Gathering and Verification phase as described in CA:How_to_apply.
  2. Prior to entering public discussion we may need to gather further information or an updated audit from the CA; if for some reason we cannot obtain the needed information then the next CA in the queue will be considered for public discussion.
  3. Once a CA enters the public discussion period a representative of the CA must promptly respond in the discussion to any questions or concerns that are raised. If a CA delays their response for more than one week, then their discussion may be closed.
  4. During the course of the discussion, we will make a decision as to whether to approve the request.
  5. If the discussion results in moving forward with approval, then a representative of Mozilla will summarize the request in the bug, and indicate the plan to approve the request. After about one week, if no further questions or concerns are raised, then the representative of Mozilla may approve the request. Once a request is approved then a representative of Mozilla will file bug(s) against the appropriate developer(s) to have the necessary changes made to NSS (for CA root inclusion) or PSM (for EV-enabling a CA) or both.
  6. A discussion may be put on hold, pending a CA action item, such that the discussion may continue as soon as the CA has provided the requested information.
  7. If a request is not approved due to outstanding issues that need to be addressed (e.g., a need for further information, or concerns about CA practices) then the request will wither be closed, or will be added to the list of CAs responding to the first discussion. A second round of public discussion may be needed after the issues have been resolved.

Once bugs are filed against NSS and/or PSM the schedule is set first by the NSS/PSM developer(s) (for making the technical changes) and then by the product teams for Firefox and other products (to include the new changes in a release of Firefox, etc.) Root certificate changes to NSS/PSM are usually grouped and done as a batch when there is either a large enough set of changes or about every 3 months. When the developer makes the changes, a test build will be provided and the bug will be updated to request that you test it. After the NSS/PSM changes are committed to an NSS release, then a future version of Firefox will include the updated version of NSS/PSM.

Queue for Public Discussion

The following queue indicates the order in which requests will enter public discussion for root inclusion request from CAs who do not currently have a root certificate included in NSS. In general, only one or two of these requests may be in discussion at any given point. The amount of time that each discussion takes varies dramatically depending on the number of reviewers contributing to the discussion, and the types of concerns that are raised. For each discussion, there must be input from at least two people who have reviewed and commented on the request. To be added to this queue, a request must first achieve the "Information Confirmed Complete" status.

CA Company Name Bug ID Geographic focus Audit Date yyyy.mm.dd Status Notes
ISRG bug 1204656 Global 2015.09.09 Started Discussion on April 20
GDCA bug 1128392 China 2015.04.10 Ready for Discussion EV -- check if they are re-issuing the root for the new DN (company name change)
OATI bug 848766 US 2015.01.02 certlint errors - bug 848766#c33
MULTICERT bug 1040072 Portugal 2016.04.01 Ready for Discussion
TrustCor bug 1231853 Canada, Global 2015.12.01 Ready for Discussion
Government of Tunisia bug 1233645 Tunisia 2015.11.30 Ready for Discussion
- - - - -

Requests from Already Included CAs that are in or Ready for Discussion

These requests are from CAs that already have roots included in NSS. The requests may be discussed in parallel; the goal is to start each discussion as soon as the information is ready. In general, these requests will remain in discussion for 2 weeks unless further discussion is warranted. To be added to this queue, a request must first achieve the "Information Confirmed Complete" status.

CA Company Name Bug ID Geographic focus Audit Date yyyy.mm.dd Status Notes
GPKI bug 870185 Japan 2015.12.25 Started Discussion on April 27 Constrain to *.go.jp domain. Need BR response audit report before making decision
DocuSign bug 1025095 France 2015.04.09 Started Discussion on February 9 EV. Root Transferred from Keynectis/OpenTrust to DocuSign
Symantec/VeriSign bug 833974 Global 2015.05.05 Started Discussion on April 13 EV for included ECC root, 2 EV OIDs
Amazon bug 1172401 Global 2016.02.24 Ready for discussion EV
Taiwan GRCA bug 1065896 Taiwan 2015.11.25 Ready for discussion constrain to *.tw
Symantec bug 833986 Global 2015.05.05 Ready for discussion Symantec-brand Class 1 and Class 2 roots
EDICOM bug 1239329 European Union 2015.11.03 Ready for discussion
D-Trust bug 1166723 Germany, Europe, Global 2015.11.12 Ready for discussion email trust bit only
- - - - -
- - - - -

Discussions On Hold

The following list shows the CA inclusion/update requests that are in public discussion, but are waiting for the CA to provide additional or updated information that was asked for during the discussion, such as updating or translating the CP/CPS, or completing a more current or full audit. The discussion may continue as soon as the CA provides the additional or updated information.

CA Company Name Bug ID Geographic focus Audit Date yyyy.mm.dd Status Waiting For...
SSC, Lithuanian National Root bug 379152 Lithuania 2015.06.30 Discussion on Hold Waiting for updated CPS
FNMT bug 435736 Spain 2014.12.03 Discussion on Hold Waiting for audits for subCAs. Revoked intermediate certs in bug 1263949 must be added to OneCRL before including this root
LuxTrust bug 944783 Luxembourg 2015.07.22 Discussion on Hold EV -- LuxTrust is updating their request to be for the new root cert instead bug 944783#c43
ComSign bug 675060 Israel 2015.04.26 Discussion on Hold Waiting for updated CPS and full BR Audit
A-Trust bug 1092963 Austria 2015.06.26 Discussion on Hold EV, Waiting for translated CP and CPS
- - - - -

CAs Responding to First Discussion

The following list shows the CAs who have gone through the first round of public discussion, and have resulting action items to complete before the second round of public discussion may begin.

CA Company Name Bug ID Geographic focus Audit Date yyyy.mm.dd Status Notes
KISA 335197 Korea Need Audit Super-CA Super-CA -- Sub-CAs should apply for inclusion separately
Swiss BIT 435026 Switzerland Need Audit Responding to First Discussion Need new root with clear Issuer info, Update CPS
ICP-Brasil 438825 Brazil Need Audit Super-CA Super-CA -- Sub-CAs should apply for inclusion separately
Finnish Population Register 463989 Finland 2008.02.28 Responding to First Discussion national government CA. Need audit for SSL and code signing CPS
US FPKI 478418 US 2012.02.28 Technical Evaluation and Testing *.gov, *.mil
E-ME 518098 Latvia 2011.05.02 Approval Pending Discussion Action Items bug 518098#c95
ANF bug 555156 European Union 2015.01.26 Need CA Response bug 555156#90 EV, certlint errors - bug 555156#c91
CSOEC 844163 France 2012.11.26 On Hold Primary Point of Contact (POC) and relevance concerns

Requests in the Information Gathering and Verification Phase

The following CAs are in the Information Gathering and Verification Phase as described in CA:How_to_apply. These requests need to complete the Information Gathering and Verification Phase before they can be put into the queue for public discussion.

CA Company Name Bug ID Number Geographic focus Notes
SUSCERTE bug 489240 Venezuela Super-CA -- Sub-CAs should apply for inclusion separately
SHECA bug 566310 China
Collier bug 590593 US add to pending
Netrust bug 632292 Singapore
Visa bug 636557 Global
EADTrust bug 640135 Spain add to pending, Regional government CA
PSC-FII bug 667466 Venezuela Signed by SUSCERTE (bug #489240)
CATCert bug 720326 Spain EV
SITHS bug 792337 Sweden
Symantec/Thawte bug 833998 Global EV for included ECC root
Symantec/GeoTrust bug 834004 Global EV for included ECC root
ACRN bug 925740 Uruguay
Athens Exchange bug 967387 Greece
AC Camerfirma bug 986854 Spain EV, add to pending
LAWtrust bug 1023726 South Africa
Orange/Signet bug 1024418 Poland
certEurope bug 1050249 Europe add to pending
SAPO bug 1067887 South Africa
TMCA bug 1090014 Malaysia
Symantec bug 1099311 Global Symantec-brand Class 3 roots, add to pending
Firmaprofesional bug 1102143 Spain EV
Red Abogacia bug 1130333 Spain
Wifi4india bug 1132806 India add to pending
SwissSign bug 1142323 Switzerland EV
WoSign bug 1156175 China EV
DigiCert bug 1165472 Global EV
HydrantID bug 1173547 United States EV
Exdemsys bug 1194577 Portugal add to pending
Systems Authority Institute / CaseLaw bug 1201916 Philippines add to pending
Government of Korea MOI bug 1226100 Korea
Government of Kazakhstan bug 1232689 Kazakhstan
Kamu SM - Government of Turkey bug 1262809 Turkey
Dhimyotis / Certigna bug 1265683 France, Europe

Requests in the Inclusion Phase

The following CAs have been approved and are in the Inclusion Phase as described in CA:How_to_apply.

CA Company Name Bug ID Geographic focus Notes
Unizeto Certum bug 999378 Poland In FF 46, Pending EV
HARICA bug 1201423 Greece

Roots Being Removed

Upcoming Root Cert Removals:

Certs that have been Removed:

Included CAs

Spreadsheet of all included root certificates: