CA:RootTransferPolicy: Difference between revisions

Jump to navigation Jump to search

CA:RootTransferPolicy (view source)

Revision as of 21:25, 30 July 2015

122 bytes added ,  30 July 2015
→‎Physical Relocation
Line 17: Line 17:


== Physical Relocation ==
== Physical Relocation ==
Physical relocation of the root certificate's private key may occur when a CA:
Physical relocation of a root certificate's private key may occur when an organization:
* Moves their private keys to another location owned by the same organization.  
* Moves their private keys to another location owned by the same organization.  
* Transfers the private keys to another organization that already operates other root certificates included in Mozilla’s program.
* Transfers the private keys to another organization that already operates other root certificates included in Mozilla’s program.
* Transfers the private keys to another organization that does not currently operate root certificates included in Mozilla’s program.
* Transfers the private keys to another organization that does not currently operate root certificates included in Mozilla’s program.


Whenever a root certificate's private key is going to be physically relocated, the CA should take the following steps, and [https://www.mozilla.org/en-US/about/governance/policies/security-group/bugs/ immediately notify Mozilla if a problem occurs].
Whenever a root certificate's private key is going to be physically relocated, the organizations involved should take the following steps, and [https://www.mozilla.org/en-US/about/governance/policies/security-group/bugs/ immediately notify Mozilla if a problem occurs].
# Make sure the annual audit statements are current, and [mailto:certificates@mozilla.org notify Mozilla of the pending change].
# Make sure the annual audit statements are current, and [mailto:certificates@mozilla.org notify Mozilla of the pending change].
# Create a transfer plan (and legal agreement if more than one CA is involved) and have it reviewed by the auditors.  
# Create a transfer plan (and legal agreement if more than one organization is involved) and have it reviewed by the auditors.  
#* For example, the transfer ceremony should have a documented ceremony witnessed by auditors and recorded (for posterity), with a physical exchange of the HSM and a physical exchange of the multi-party authorization keys.
#* For example, the transfer ceremony should have a documented ceremony witnessed by auditors and recorded (for posterity), with a physical exchange of the HSM and a physical exchange of the multi-party authorization keys.
# Stop new certificate issuance at the current site before the transfer begins.
# Stop new certificate issuance at the current site before the transfer begins.
Line 32: Line 32:
# The regular annual audit statements are still expected to happen within a timely manner, or the root cert may be removed.
# The regular annual audit statements are still expected to happen within a timely manner, or the root cert may be removed.


When the physical relocation involves moving the certificate's private key to another CA, the CA who is transferring the root certificate’s private key must ensure that the transfer recipient is able to fully comply with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy]. The original CA will continue to be responsible for the root certificate until the transfer recipient has provided Mozilla with their [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]], CP/CPS documentation, and audit statement confirming successful transfer of the root certificate.
When the physical relocation involves moving the certificate's private key to another organization, the original organization who is transferring the root certificate’s private key must ensure that the transfer recipient is able to fully comply with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy]. The original organization will continue to be responsible for the root certificate until the transfer recipient has provided Mozilla with their [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]], CP/CPS documentation, and audit statement confirming successful transfer of the root certificate.


The CA that received the root certificate's private key must follow [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy], and send Mozilla links to the [[CA:Information_checklist#Verification_Policies_and_Practices|public-facing CP/CPS documentation and annual audit statements]].  
The new organization that received the root certificate's private key must follow [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy], and send Mozilla links to the [[CA:Information_checklist#Verification_Policies_and_Practices|public-facing CP/CPS documentation and annual audit statements]].  


The agreement between the original CA and new CA must take the Websites (SSL/TLS), Email (S/MIME), and Code Signing trust bit settings into account, and the original CA must inform Mozilla if one or more of the trust bits should be turned off. Of course, to turn on a trust bit the new CA will have to go through [[CA:How_to_apply#Enable_Additional_Trust_Bits_for_an_included_root|Mozilla's root change process]].
The agreement between the original organization and new organization must take the Websites (SSL/TLS), Email (S/MIME), and Code Signing trust bit settings into account, and the original CA must inform Mozilla if one or more of the trust bits should be turned off. Of course, to turn on a trust bit the new organization will have to go through [[CA:How_to_apply#Enable_Additional_Trust_Bits_for_an_included_root|Mozilla's root change process]].


== Personnel Changes ==
== Personnel Changes ==
Kathleen Wilson
Confirmed users, Administrators
5,526

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/1087567"

Navigation menu