CA:RootTransferPolicy: Difference between revisions

Line 18: Line 18:
# Stop new certificate issuance at the current site before the transfer begins.
# Stop new certificate issuance at the current site before the transfer begins.
# Have an audit performed at the current site to confirm when the root certificate is ready for transfer, and to make sure the key material is properly secured.
# Have an audit performed at the current site to confirm when the root certificate is ready for transfer, and to make sure the key material is properly secured.
# At the new site, perform an audit to confirm that the transfer was successful, that they private key remained secure throughout the transfer, and that the root certificate is ready to resume issuance (i.e. a PITRA; just as we expect any new root to be audited).
# At the new site perform an audit to confirm that the transfer was successful, that the private key remained secure throughout the transfer, and that the root certificate is ready to resume issuance (i.e. a PITRA; just as we expect any new root to be audited).
# Send updated CP/CPS and the PITRA statement to Mozilla
# Send updated CP/CPS and the PITRA statement to Mozilla.
# The regular annual audit statements are still expected to happen within a timely manner, or the root cert may be removed.
# The regular annual audit statements are still expected to happen within a timely manner, or the root cert may be removed.


When the physical relocation involves moving the certificate's private key to another CA, the CA who is transferring the root certificate’s private key must ensure that the transfer recipient is able to meet [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy], and will continue to be responsible for the root until the transfer recipient has provided Mozilla with their Primary Point of Contact, CP/CPS documentation, and audit statement confirming successful transfer of the root.
When the physical relocation involves moving the certificate's private key to another CA, the CA who is transferring the root certificate’s private key must ensure that the transfer recipient is able to fully comply with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy]. The original CA will continue to be responsible for the root certificate until the transfer recipient has provided Mozilla with their Primary Point of Contact, CP/CPS documentation, and audit statement confirming successful transfer of the root.


The new CA must follow Mozilla's policy, and provide public-facing CP/CPS documentation and audit statements. So, the new CA has to send Mozilla the URLs to those.
The CA that received the root certificate's private key must follow [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy], and send Mozilla links to the [[CA:Information_checklist#Verification_Policies_and_Practices|public-facing CP/CPS documentation and annual audit statements]].


The agreement between the current and new CAs must take the trust bit settings into account (Websites (SSL/TLS), Email (S/MIME), and Code Signing), and the current and new CAs should inform Mozilla if one or more of the trust bits should be turned off. Of course, to turn on a trust bit requires the new CA to go through [[CA:How_to_apply#Enable_Additional_Trust_Bits_for_an_included_root|Mozilla's root change process]].
The agreement between the original CA and new CA must take the Websites (SSL/TLS), Email (S/MIME), and Code Signing trust bit settings into account, and the original CA must inform Mozilla if one or more of the trust bits should be turned off. Of course, to turn on a trust bit the new CA will have to go through [[CA:How_to_apply#Enable_Additional_Trust_Bits_for_an_included_root|Mozilla's root change process]].


== Personnel Changes ==
== Personnel Changes ==