m (clarification) |
(Directly incorporated instructions, moved from separate wiki page.) |
||
| Line 261: | Line 261: | ||
= Required Annual Updates = | = Required Annual Updates = | ||
CAs | According to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#maintenance Mozilla's CA Certificate Policy], CAs must provide the following updated information annually: | ||
# [[CA: | # Statement of attestation of the CA's conformance to the stated verification requirements and other operational criteria by a competent independent party or parties, as outlined in [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy]. | ||
# | #* If the CA's root certificate has the Websites trust bit set, then statement of attestation of the CA's conformance to the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum's Baseline Requirements]. | ||
# URLs to test | #* If the CA's root certificate is enabled for EV treatment, then statement of attestation of the CA's conformance to the [https://cabforum.org/extended-validation/ CA/Browser Forum's EV Guidelines]. | ||
# Links to the CA's current Certificate Policy or Certification Practice Statement document(s) or equivalent disclosure document(s) related to the CA's root certificate(s) included in Mozilla's program. | |||
#* According to section 2.3 of the [https://cabforum.org/baseline-requirements/ CA/Browser Forum's Baseline Requirements]: "The CA SHALL develop, implement, enforce, and annually update a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements." | |||
# If the CA's root certificate has the Websites trust bit set, then URLs to test web pages as described in section 2.2 of the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum's Baseline Requirements]: "At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates that are (i) valid, (ii) revoked, and (iii) expired." | |||
== How To Provide Annual Updates == | |||
[[CA:CommonCADatabase#Updating_Audit_Information|Instructions]] for CAs to provide their annual updates via the [[CA:SalesforceCommunity#Common_CA_Database|Common CA Database (CCADB)]] are here: | |||
* [[CA:CommonCADatabase#Updating_Audit_Information|https://wiki.mozilla.org/CA:CommonCADatabase#Updating_Audit_Information]] | |||
== More Frequent Updates == | |||
According to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#maintenance Mozilla's CA Certificate Policy], CAs must notify Mozilla whenever: | |||
* The CA's policies and business practices change in regards to verification procedures for issuing certificates, when the [[CA:RootTransferPolicy|ownership control]] of the CA’s certificate(s) changes, or when [[CA:RootTransferPolicy|ownership control]] of the CA’s operations changes. | |||
* The [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|CA's primary representatives]] for their included root certificate(s) changes. | |||
CAs are also required to notify Mozilla via the [[CA:SalesforceCommunity#Common_CA_Database|Common CA Database (CCADB)]] when: | |||
* [[CA:SalesforceCommunity#Add_Revoked_Intermediate_Certificate_Data_to_Salesforce|Intermediate certificates chaining up to root certificates in Mozilla's program are revoked.]] | |||
* [[CA:SalesforceCommunity#Which_intermediate_certificate_data_should_CAs_add_to_Salesforce.3F|Before non-technically-constrained (via EKU, name constraints) intermediate certificates begin issuing publicly-trusted certificates.]] | |||
== Audit Archive == | == Audit Archive == | ||
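Review bot: The added list links the CA/Browser Forum's Baseline Requirements at two different URLs: items 1 and 3 use https://cabforum.org/baseline-requirements-documents/ while the section 2.3 quote under item 2 uses https://cabforum.org/baseline-requirements/. Point all three at the same URL so every reference resolves to one document. In "How To Provide Annual Updates" the same CA:CommonCADatabase#Updating_Audit_Information target is linked twice, once on "Instructions" and again in the bullet below it; one link is enough. Under "More Frequent Updates" the last bullet reads "when: ... Before non-technically-constrained ... intermediate certificates begin issuing", so either drop "when" from the lead-in or reword the bullet, and "The CA's primary representatives ... changes" should read "change".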