CA/Information Checklist

453 bytes removed, 19:42, 24 October 2017
m (updated references to policies)
* Respond to [https://wiki.mozilla.org/CA/Communications CA Communications]
* Input and maintain the CA’s data in the [http://ccadb.org/ Common CA Database (CCADB)]
* [mailto:certificates@mozilla.org Inform Mozilla] when there is a change in the organization, ownership, CA policies, or in the POCs that Mozilla should be aware of, as per [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#ca-operational-changes Mozilla's Root Store Policy].
* [mailto:certificates@mozilla.org Provide Mozilla] with updated contact information if a new person becomes a POC.
#* If any such cross-signing relationships exist, it is important to note whether the cross-signing CAs' certificates are already included in the Mozilla root store or not.
# Technical Constraints or Audits of Third-Party Issuers.
#* As per section 5.3 of [https://www.mozilla.org/about/governance/policies/security-group/certs/policy Mozilla's Root Store Policy], provide a URL to a web page or a Bugzilla bug number that lists the required data for all of your publicly disclosed non-technically-constrained subordinate CA certificates that chain up to certificates in Mozilla's CA program. This data may be provided as follows:
#** Already-included CAs may provide this information directly in the [http://ccadb.org/cas/intermediates CCADB].
#** If you need to use the mozilla.org Bugzilla system to provide this information, file the bug against the "CA Certificate Root Program" component of the "NSS" product (https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Root%20Program).
== Verification Policies and Practices ==
# Documentation: CP, CPS, and Relying Party Agreements
#* The publicly accessible URLs to the document repository and the published document(s) describing how certificates are issued within the hierarchy rooted at this root, as well as other practices associated with the root CA and other CAs in the hierarchy, including in particular the Certification Practice Statement(s) (CPS) and related documents.
#* The document(s) and section number(s) where the "Commitment to Comply" with the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum Baseline Requirements] may be found, as per section 2.2 of the BRs (BR #8.3 in versions before BR 1.3).
#* [[CA/Required_or_Recommended_Practices#CP.2FCPS_Documents_will_be_Reviewed.21|CP/CPS Documents will be reviewed]], and must contain sufficient information for Mozilla and the CA Community to evaluate the CA's processes in regards to Mozilla's policies and the CA/Browser Forum's Baseline Requirements.
#** English translations must be provided for the relevant CP/CPS documents, and must match the current version of the CP/CPS documents.
# Audits
#* The publicly accessible URLs to the published document(s) relating to independent audit(s) of the root CA and any CAs within the hierarchy rooted at the root. For example, for WebTrust for CAs audits this would be the "audit report and management assertions" document available from the webtrust.org site or elsewhere.
#** As per section 3.1 of [https://www.mozilla.org/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy] ("We require that all CAs whose certificates are distributed with our software products: ... provide public attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties with access to details of the CA's internal operations."), we need a publishable (non-confidential) statement or letter from an auditor (who meets the requirements of the Mozilla CA Certificate Policy) that states that they have reviewed the practices as outlined in the CP/CPS for these roots and their CA hierarchies, and that the CA does indeed follow these practices and meets the requirements of one or more of:
#** WebTrust "Principles and Criteria for Certification Authorities 2.0" or later and "WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security – Version 2.0" or later (as applicable to SSL certificate issuance) in WebTrust Program for Certification Authorities;
#** WebTrust "Principles and Criteria for Certification Authorities - Extended Validation SSL 1.4.5" or later in WebTrust Program for Certification Authorities;
#* Renewed root certificates also need to be included in audits. If the root certificate was created after the most recent audit, then provide an estimate of when the new audit report (that includes the operations of the new root) will be available.
#* Government CAs
#** According to the [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#required-audits Mozilla's Root Store Policy], the audit must be performed according to criteria that are equivalent to one (or more) of ETSI TS 101 456, ETSI TS 102 042, ETSI EN 319 411, or WebTrust CA. The government's auditing agency should provide a statement about which of these their government criteria is equivalent to.
#** According to Mozilla's Root Store Policy, it is acceptable for a government auditing organization to perform the audit of the government's CA organization. It must be clear that the CA organization does not audit itself.
# SSL Verification Procedures
#* If you are requesting to enable the Websites (SSL/TLS) trust bit...