m (fixed link) |
(cleanup) |
||
| Line 23: | Line 23: | ||
# A representative of Mozilla [[CA/Application_Verification#Information_Verification|verifies the information provided by the CA]]. | # A representative of Mozilla [[CA/Application_Verification#Information_Verification|verifies the information provided by the CA]]. | ||
# A representative of Mozilla [[CA/Dashboard#Ready_for_Public_Discussion|adds the request to the queue for public discussion.]] | # A representative of Mozilla [[CA/Dashboard#Ready_for_Public_Discussion|adds the request to the queue for public discussion.]] | ||
# Anyone interested in the CA's application participates in discussions of CA requests | # Anyone interested in the CA's application participates in discussions of CA requests [[CA/Dashboard#In_Public_Discussion|currently in discussion]] in the [https://www.mozilla.org/en-US/about/forums/#dev-security-policy mozilla.dev.security.policy forum]. | ||
# When the application reaches the head of the queue, a representative of Mozilla starts the [https:// | # When the application reaches the head of the queue, a representative of Mozilla starts the [[CA/Application_Verification#Public_discussion|public discussion]] for the CA in the [https://www.mozilla.org/en-US/about/forums/#dev-security-policy mozilla.dev.security.policy forum]. | ||
#* We prefer that at least two independent parties review and comment upon each application. | #* We prefer that at least two independent parties review and comment upon each application. | ||
# A representative of the CA responds to questions and concerns posted during the public discussion of the CA's request. | # A representative of the CA responds to questions and concerns posted during the public discussion of the CA's request. | ||
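Review bot: In the step "Anyone interested in the CA's application participates in discussions of CA requests currently in discussion", it is unclear whether this refers to this CA's own request or to other requests ahead of it in the queue, because the step sits before the one in which the public discussion for this CA is started. Suggest saying which discussions are meant; the phrase "discussions of CA requests currently in discussion" could also be tightened to "CA requests that are currently in public discussion".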
| Line 36: | Line 36: | ||
#* This is the last call for objection. After one week, if no further questions or concerns are raised, then the representative of Mozilla may approve the request, by stating so in the bug. | #* This is the last call for objection. After one week, if no further questions or concerns are raised, then the representative of Mozilla may approve the request, by stating so in the bug. | ||
# A representative of Mozilla creates a bug requesting the actual changes in NSS (and PSM for EV treatment). | # A representative of Mozilla creates a bug requesting the actual changes in NSS (and PSM for EV treatment). | ||
# | # A representative of the CA confirms that all the data in the NSS bug is correct. | ||
# | # A representative of Mozilla creates a patch with the new CA certificates and trust bit settings, and provides a special test version of Firefox. | ||
# | #* Changes to NSS regarding CA certificate applications are usually grouped and done as a batch when there is either a large set of changes or about every 3 months. | ||
# | # A representative of the CA [[CA/Application_Instructions#Test|tests the code changes]] using the test version of Firefox and confirms (by adding a comment in the NSS bug) that the correct certificate(s) is included and that the trust bits are correctly set. | ||
# | # A representative of Mozilla requests that another Mozilla representative review the patch. | ||
# A representative of Mozilla adds (commits) the patch to NSS, then closes the NSS bug as RESOLVED FIXED. | |||
# Mozilla products move to using a version of NSS which contains the certificate changes. This process is mostly under the control of the release drivers for those products. See [https://wiki.mozilla.org/RapidRelease/Calendar Mozilla's Release Calendar.] | # Mozilla products move to using a version of NSS which contains the certificate changes. This process is mostly under the control of the release drivers for those products. See [https://wiki.mozilla.org/RapidRelease/Calendar Mozilla's Release Calendar.] | ||
# After inclusion of the CA's root certificate, a representative of Mozilla issues a [http://ccadb.org/ Common CA Database (CCADB)] license to the Primary Point of Contact for the CA. | # After inclusion of the CA's root certificate, a representative of Mozilla issues a [http://ccadb.org/ Common CA Database (CCADB)] license to the [[CA/Information_Checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]] for the CA. | ||
# The CA enters data into the CCADB for: | # The CA enters data into the CCADB for: | ||
#* All of the certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their root certificate(s) included in Mozilla’s Root Store that are not technically constrained as described in section 5.3 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy]. | #* All of the certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their root certificate(s) included in Mozilla’s Root Store that are not technically constrained as described in section 5.3 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy]. | ||
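Review bot: The new step "requests that another Mozilla representative review the patch" is followed directly by the step that commits the patch to NSS, and nothing says the review has to be completed and approved before the commit. Because this patch adds CA certificates and sets trust bits, state the gate explicitly, for example "After the reviewer approves the patch, a representative of Mozilla adds (commits) the patch to NSS". The commit step also shows text in only one column of this hunk, so confirm that it is still present in the resulting revision.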