mNo edit summary |
m (add (or opinion letter) where an auditor's opinion letter may be used) |
| Line 11: | Line 11: | ||
An organization operating a root certificate [[CA:IncludedCAs|included in Mozilla's program]] should [mailto:certificates@mozilla.org notify Mozilla] whenever there is a change in legal ownership, and should inform Mozilla about resulting changes to the CP and/or CPS. | An organization operating a root certificate [[CA:IncludedCAs|included in Mozilla's program]] should [mailto:certificates@mozilla.org notify Mozilla] whenever there is a change in legal ownership, and should inform Mozilla about resulting changes to the CP and/or CPS. | ||
An organization operating a root certificate [[CA:IncludedCAs|included in Mozilla's program]] should [mailto:certificates@mozilla.org notify Mozilla] whenever there is going to be a change of ownership of an [[CA:IncludedCAs|included root certificate's]] private key. The organization who is transferring ownership of the root certificate’s private key must ensure that the transfer recipient is able to fully comply with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy]. The original organization will continue to be responsible for the root certificate's private key until the transfer recipient has provided Mozilla with their [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]], CP/CPS documentation, and audit statement confirming successful transfer of the root certificate. | An organization operating a root certificate [[CA:IncludedCAs|included in Mozilla's program]] should [mailto:certificates@mozilla.org notify Mozilla] whenever there is going to be a change of ownership of an [[CA:IncludedCAs|included root certificate's]] private key. The organization who is transferring ownership of the root certificate’s private key must ensure that the transfer recipient is able to fully comply with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy]. The original organization will continue to be responsible for the root certificate's private key until the transfer recipient has provided Mozilla with their [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]], CP/CPS documentation, and audit statement (or opinion letter) confirming successful transfer of the root certificate. | ||
Whenever the private key of an [[CA:IncludedCAs|included root certificate]] is going to be physically moved to a new location, the steps outlined in the [[CA:RootTransferPolicy#Physical_Relocation|Physical Relocation]] section below should be followed. Whenever the organization (i.e. key personnel) operating the private key of an [[CA:IncludedCAs|included root certificate]] is going to change, the steps outlined in the [[CA:RootTransferPolicy#Personnel_Changes|Personnel Changes]] section below should be followed. | Whenever the private key of an [[CA:IncludedCAs|included root certificate]] is going to be physically moved to a new location, the steps outlined in the [[CA:RootTransferPolicy#Physical_Relocation|Physical Relocation]] section below should be followed. Whenever the organization (i.e. key personnel) operating the private key of an [[CA:IncludedCAs|included root certificate]] is going to change, the steps outlined in the [[CA:RootTransferPolicy#Personnel_Changes|Personnel Changes]] section below should be followed. | ||
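Review bot: the inserted "(or opinion letter)" in the private-key ownership paragraph does not say who issues the letter. The edit summary refers to an auditor's opinion letter, so the policy text should say the same, for example "audit statement (or auditor's opinion letter)", so that it cannot be read as accepting a letter written by the CA itself or by its counsel.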
| Line 30: | Line 30: | ||
# The regular annual audit statements are still expected to happen within a timely manner, or the root cert may be removed. | # The regular annual audit statements are still expected to happen within a timely manner, or the root cert may be removed. | ||
When the physical relocation involves moving the certificate's private key to another organization, the original organization who is transferring the root certificate’s private key must ensure that the transfer recipient is able to fully comply with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy]. The original organization will continue to be responsible for the root certificate until the transfer recipient has provided Mozilla with their [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]], CP/CPS documentation, and audit statement confirming successful transfer of the root certificate. | When the physical relocation involves moving the certificate's private key to another organization, the original organization who is transferring the root certificate’s private key must ensure that the transfer recipient is able to fully comply with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy]. The original organization will continue to be responsible for the root certificate until the transfer recipient has provided Mozilla with their [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]], CP/CPS documentation, and audit statement (or opinion letter) confirming successful transfer of the root certificate. | ||
The new organization that received the root certificate's private key must follow [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy], and send Mozilla links to the [[CA:Information_checklist#Verification_Policies_and_Practices|public-facing CP/CPS documentation and annual audit statements]]. | The new organization that received the root certificate's private key must follow [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy], and send Mozilla links to the [[CA:Information_checklist#Verification_Policies_and_Practices|public-facing CP/CPS documentation and annual audit statements]]. | ||
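Review bot: in the Physical Relocation paragraph the opinion letter is now accepted for confirming the transfer, but the surrounding context lines still require "regular annual audit statements" and "annual audit statements" with no such alternative. The text should state that the opinion letter applies only to the transfer confirmation and does not replace the annual audit, otherwise a recipient could read the new parenthetical as covering both.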
| Line 44: | Line 44: | ||
If transferring the operation of the PKI to a different organization involves physically moving the root certificate's private key and/or the CA's online operations, then the steps outlined in the [[CA:RootTransferPolicy#Physical_Relocation | Physical Relocation]] section above must be followed. | If transferring the operation of the PKI to a different organization involves physically moving the root certificate's private key and/or the CA's online operations, then the steps outlined in the [[CA:RootTransferPolicy#Physical_Relocation | Physical Relocation]] section above must be followed. | ||
In all cases, the organization that is transferring the operation of the PKI must ensure that the transfer recipient is able to fully comply with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy]. The original organization will continue to be responsible for the root certificate until the new organization has provided Mozilla with their [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]], CP/CPS documentation, and audit statement confirming successful transfer of the root. | In all cases, the organization that is transferring the operation of the PKI must ensure that the transfer recipient is able to fully comply with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy]. The original organization will continue to be responsible for the root certificate until the new organization has provided Mozilla with their [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]], CP/CPS documentation, and audit statement (or opinion letter) confirming successful transfer of the root. | ||
The new organization operating the PKI must follow [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy], and send Mozilla links to the [[CA:Information_checklist#Verification_Policies_and_Practices|public-facing CP/CPS documentation and annual audit statements]]. | The new organization operating the PKI must follow [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy], and send Mozilla links to the [[CA:Information_checklist#Verification_Policies_and_Practices|public-facing CP/CPS documentation and annual audit statements]]. | ||
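Review bot: the changed sentence ends with "confirming successful transfer of the root", where the two parallel sentences in the earlier hunks say "transfer of the root certificate". This paragraph is about transferring the operation of the PKI, so the letter or audit statement should name what it confirms. Since the sentence is being edited anyway, align it, for example "confirming successful transfer of the operation of the root certificate".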