CA/Information Checklist: Difference between revisions

Jump to navigation Jump to search

CA/Information Checklist (view source)

Revision as of 16:25, 24 October 2017

162 bytes added ,  24 October 2017
updated links - continuation
(updated links)
(updated links - continuation)
Line 3: Line 3:
In order to support cryptographic applications such as SSL/TLS connections to web and other servers, and signed and encrypted email, Firefox and other Mozilla-based products contain digital certificates and related metadata for multiple Certification Authorities (CAs). By including the CA certificates and various associated pre-set metadata values Mozilla-based products can recognize as valid the end entity certificates that are issued under the auspices of the CAs in question and are associated with, e.g., web servers, and email senders.
In order to support cryptographic applications such as SSL/TLS connections to web and other servers, and signed and encrypted email, Firefox and other Mozilla-based products contain digital certificates and related metadata for multiple Certification Authorities (CAs). By including the CA certificates and various associated pre-set metadata values Mozilla-based products can recognize as valid the end entity certificates that are issued under the auspices of the CAs in question and are associated with, e.g., web servers, and email senders.


CAs wishing to have their certificates included in Mozilla products must comply with the requirements of the [https://www.mozilla.org/about/governance/policies/security-group/certs/policy Mozilla Root Store Policy] and must supply the information necessary to determine whether or not the policy’s requirements have been satisfied. The information must be provided in a Mozilla Bugzilla bug as described in [[CA:How_to_apply|How_to_apply.]] This information includes (but is not necessarily limited to) the information listed in this page.
CAs wishing to have their certificates included in Mozilla products must comply with the requirements of the [https://www.mozilla.org/about/governance/policies/security-group/certs/policy Mozilla Root Store Policy] and must supply the information necessary to determine whether or not the policy’s requirements have been satisfied. The information must be provided in a [[CA/Application_Instructions#Create_Root_Inclusion.2FUpdate_Request|Mozilla Bugzilla bug]] as described in [[CA/Application_Process|Mozilla's Application Process Overview]]. This information includes (but is not necessarily limited to) the information listed in this page.


The information provided by the CA will be verified by a representative of Mozilla to the maximum extent practicable using CAs’ published documentation. Statements attributed to third parties (e.g., auditors) shall be verified with those parties. The information gathered should be published through the appropriate Mozilla channels (e.g., web sites, bug reports, and/or discussion forums).
The information provided by the CA will be verified by a representative of Mozilla to the maximum extent practicable using CAs’ published documentation. Statements attributed to third parties (e.g., auditors) shall be verified with those parties. The information gathered should be published through the appropriate Mozilla channels (e.g., web sites, bug reports, and/or discussion forums).
Line 39: Line 39:


The POCs will:
The POCs will:
* Provide [[CA:CommonCADatabase#Updating_Audit_Information|annual audit statements]]
* Provide [http://ccadb.org/cas/updates annual updates] of CP/CPS documents, audit statements, and test websites.
* Respond to [https://wiki.mozilla.org/CA/Communications CA Communications]
* Respond to [https://wiki.mozilla.org/CA/Communications CA Communications]
* Make sure the CA’s information in the [http://ccadb.org/ Common CA Database (CCADB)] remains current
* Input and maintain the CA’s data in the [http://ccadb.org/ Common CA Database (CCADB)]
* [mailto:certificates@mozilla.org Inform Mozilla] when there is a change in the organization, ownership, CA policies, or in the POCs that Mozilla should be aware of, as per items 4 through 7 of [https://www.mozilla.org/about/governance/policies/security-group/certs/policy Mozilla's Root Store Policy].
* [mailto:certificates@mozilla.org Inform Mozilla] when there is a change in the organization, ownership, CA policies, or in the POCs that Mozilla should be aware of, as per items 4 through 7 of [https://www.mozilla.org/about/governance/policies/security-group/certs/policy Mozilla's Root Store Policy].
* [mailto:certificates@mozilla.org Provide Mozilla] with updated contact information if a new person becomes a POC.
* [mailto:certificates@mozilla.org Provide Mozilla] with updated contact information if a new person becomes a POC.
* Input and maintain the CA's [[CA:SalesforceCommunity#Add_Intermediate_Certificate_Data_to_Salesforce|intermediate certificate data]] in the [[CA:CommonCADatabase|Common CA Database]].


Required contact information:
Required contact information:
Line 86: Line 85:
#* Please provide the 3 URLs to the test websites as described in Section 2.2 of the BRs: "The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates that are (i) valid, (ii) revoked, and (iii) expired
#* Please provide the 3 URLs to the test websites as described in Section 2.2 of the BRs: "The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates that are (i) valid, (ii) revoked, and (iii) expired
#* Make sure you test it yourself in Firefox first, by doing the following:
#* Make sure you test it yourself in Firefox first, by doing the following:
#*# Restore the default certificate settings as described [[CA:UserCertDB#How_To_Restore_Default_Root_Certificate_Settings | here]].
#*# Create a new Firefox Profile for testing, as described in Mozilla's knowledge base articles: [http://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles Profile Manager] and [http://kb.mozillazine.org/Creating_a_new_Firefox_profile_on_Windows Creating a new Firefox Profile].
#*# Import the root certificate as described [[CA:UserCertDB#Importing_a_Root_Certificate | here]].
#*# Import the root certificate as described [[PSM:Changing_Trust_Settings#Trusting_an_Additional_Root_Certificate|here]].
#*# Set OCSP hard fail as described [[CA:Recommended_Practices#OCSP | here]].
#*# Set OCSP hard fail as described [[CA/Required_or_Recommended_Practices#OCSP|here]].
#*# Clear browser history
#*# Clear browser history
#*# Browse to the test website.
#*# Browse to the test website.
Line 149: Line 148:
#*** It might also include subordinate CAs operated for the benefit of specific third parties. In this case note that we do ''not'' require that the CA submit a complete customer list; rather we are interested in the general type and nature of the third-party arrangements.
#*** It might also include subordinate CAs operated for the benefit of specific third parties. In this case note that we do ''not'' require that the CA submit a complete customer list; rather we are interested in the general type and nature of the third-party arrangements.
# Sub CAs Operated by 3rd Parties
# Sub CAs Operated by 3rd Parties
#*If this root has any subordinate CA certificates that are operated by external third parties, then provide the information listed in the [[CA:SubordinateCA_checklist | Subordinate CA Checklist]]
#*If this root has any subordinate CA certificates that are operated by external third parties, then provide the information listed in the [[CA/Subordinate_CA_Checklist|Subordinate CA Checklist]]
#* If the CA functions as a super CA such their CA policies and auditing don't apply to the subordinate CAs, then those CAs must apply for inclusion themselves as separate trust anchors.
#* If the CA functions as a super CA such their CA policies and auditing don't apply to the subordinate CAs, then those CAs must apply for inclusion themselves as separate trust anchors.
# Cross-Signing
# Cross-Signing
Line 168: Line 167:
#*The publicly accessible URLs to the document repository and the published document(s) describing how certificates are issued within the hierarchy rooted at this root, as well as other practices associated with the root CA and other CAs in the hierarchy, including in particular the Certification Practice Statement(s) (CPS) and related documents.  
#*The publicly accessible URLs to the document repository and the published document(s) describing how certificates are issued within the hierarchy rooted at this root, as well as other practices associated with the root CA and other CAs in the hierarchy, including in particular the Certification Practice Statement(s) (CPS) and related documents.  
#*The document(s) and section number(s) where the "Commitment to Comply" with the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum Baseline Requirements] may be found, as per BR #8.3 (section 2.2 in BR version 1.3).
#*The document(s) and section number(s) where the "Commitment to Comply" with the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum Baseline Requirements] may be found, as per BR #8.3 (section 2.2 in BR version 1.3).
#* [[CA:Recommended_Practices#CP.2FCPS_Documents_will_be_Reviewed.21|CP/CPS Documents will be reviewed]], and must contain sufficient information for Mozilla and the CA Community to evaluate the CA's processes in regards to Mozilla's policies and the CA/Browser Forum's Baseline Requirements.  
#* [[CA/Required_or_Recommended_Practices#CP.2FCPS_Documents_will_be_Reviewed.21|CP/CPS Documents will be reviewed]], and must contain sufficient information for Mozilla and the CA Community to evaluate the CA's processes in regards to Mozilla's policies and the CA/Browser Forum's Baseline Requirements.  
#** English translations must be provided for the relevant CP/CPS documents, and must match the current version of the CP/CPS documents.
#** English translations must be provided for the relevant CP/CPS documents, and must match the current version of the CP/CPS documents.
# Audits
# Audits
Line 199: Line 198:
#* If you are requesting to enable the Websites (SSL/TLS) trust bit...
#* If you are requesting to enable the Websites (SSL/TLS) trust bit...
#** URLs and section/page number information pointing directly to the sections of the CP/CPS documents that describe the procedures for verifying that the domain referenced in an SSL cert is owned/controlled by the subscriber.  
#** URLs and section/page number information pointing directly to the sections of the CP/CPS documents that describe the procedures for verifying that the domain referenced in an SSL cert is owned/controlled by the subscriber.  
#*** [[CA:Recommended_Practices#Verifying_Domain_Name_Ownership | Recommended Practices for Verifying Domain Name Ownership]]
#*** [[CA/Required_or_Recommended_Practices#Verifying_Domain_Name_Ownership|Recommended Practices for Verifying Domain Name Ownership]]
#** If a challenge-response mechanism via email is used to confirm the ownership/control of the domain name, then provide the list of email addresses that are used for verification.  
#** If a challenge-response mechanism via email is used to confirm the ownership/control of the domain name, then provide the list of email addresses that are used for verification.  
#*** [[CA:Problematic_Practices#Email_Address_Prefixes_for_DV_Certs | Potentially Problematic Practices in regards to Email Address Prefixes]] -- The list that the CA uses must either match or be a subset of the list in this wiki page.
#*** [[CA:Problematic_Practices#Email_Address_Prefixes_for_DV_Certs | Potentially Problematic Practices in regards to Email Address Prefixes]] -- The list that the CA uses must either match or be a subset of the list in this wiki page.
Kathleen Wilson
Confirmed users, Administrators
5,526

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/1182795"

Navigation menu