CA/Information Checklist: Difference between revisions

CA/Information Checklist (view source)

Revision as of 19:42, 24 October 2017

453 bytes removed , 24 October 2017

m

updated references to policies

Kathleen Wilson

Confirmed users, Administrators

5,526

edits

@@ Line 43: / Line 43: @@
 * Respond to [https://wiki.mozilla.org/CA/Communications CA Communications]
 * Input and maintain the CA’s data in the [http://ccadb.org/ Common CA Database (CCADB)]
-* [mailto:certificates@mozilla.org Inform Mozilla] when there is a change in the organization, ownership, CA policies, or in the POCs that Mozilla should be aware of, as per items 4 through 7 of [https://www.mozilla.org/about/governance/policies/security-group/certs/policy Mozilla's Root Store Policy].
+* [mailto:certificates@mozilla.org Inform Mozilla] when there is a change in the organization, ownership, CA policies, or in the POCs that Mozilla should be aware of, as per
+** [http://ccadb.org/policy#2-contact-information Common CCADB Policy]
+** [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#ca-operational-changes Mozilla's Root Store Policy]
 * [mailto:certificates@mozilla.org Provide Mozilla] with updated contact information if a new person becomes a POC.
@@ Line 156: / Line 158: @@
 #* If any such cross-signing relationships exist, it is important to note whether the cross-signing CAs' certificates are already included in the Mozilla root store or not.
 # Technical Constraints or Audits of Third-Party Issuers.
-#* As per Items #8, 9, and 10 of [https://www.mozilla.org/about/governance/policies/security-group/certs/policy Mozilla's Root Store Policy], provide a URL to a web page or a Bugzilla Bug Number that lists all of your publicly disclosed subordinate CA certificates that chain up to certificates in Mozilla's CA program, and contains the required information according to section 10 of [https://www.mozilla.org/about/governance/policies/security-group/certs/policy Mozilla's Root Store Policy].
+#* As per section 5.3 of [https://www.mozilla.org/about/governance/policies/security-group/certs/policy Mozilla's Root Store Policy], provide the required data for all of your non-technically-constrained subordinate CA certificates that chain up to certificates in Mozilla's CA program. This data may be provided as follows:
-#** Already-included CAs may provide this information directly in the CCADB.
+#** Already-included CAs may provide this information directly in the [http://ccadb.org/cas/intermediates CCADB].
-#** If you decide to use the mozilla.org Bugzilla system to provide this information, then file the bug against the "CA Certificate Root Program" component of the "NSS" product. (https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Root Program)
+#** If you need to use the mozilla.org Bugzilla system to provide this information, then file the bug against the "CA Certificate Root Program" component of the "NSS" product. (https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Root Program)
 == Verification Policies and Practices ==
@@ Line 167: / Line 169: @@
 # Documentation: CP, CPS, and Relying Party Agreements
 #*The publicly accessible URLs to the document repository and the published document(s) describing how certificates are issued within the hierarchy rooted at this root, as well as other practices associated with the root CA and other CAs in the hierarchy, including in particular the Certification Practice Statement(s) (CPS) and related documents.
-#*The document(s) and section number(s) where the "Commitment to Comply" with the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum Baseline Requirements] may be found, as per BR #8.3 (section 2.2 in BR version 1.3).
+#*The document(s) and section number(s) where the "Commitment to Comply" with the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum Baseline Requirements] may be found, as per section 2.2 in BRs.
 #* [[CA/Required_or_Recommended_Practices#CP.2FCPS_Documents_will_be_Reviewed.21|CP/CPS Documents will be reviewed]], and must contain sufficient information for Mozilla and the CA Community to evaluate the CA's processes in regards to Mozilla's policies and the CA/Browser Forum's Baseline Requirements.
 #** English translations must be provided for the relevant CP/CPS documents, and must match the current version of the CP/CPS documents.
 # Audits
 #* The publicly accessible URLs to the published document(s) relating to independent audit(s) of the root CA and any CAs within the hierarchy rooted at the root. For example, for WebTrust for CAs audits this would be the "audit report and management assertions" document available from the webtrust.org site or elsewhere.
-#** Section 6 of [Mozilla's Root Store Policy]: "We require that all CAs whose certificates are distributed with our software products: ... provide public attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties with access to details of the CA’s internal operations."
+#** As per section 3.1 of [https://www.mozilla.org/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy], we need a publishable (non-confidential) statement or letter from an auditor (who meets the requirements of the Mozilla CA Certificate Policy) that states that they have reviewed the practices as outlined in the CP/CPS for these roots and their CA hierarchies, and that the CA does indeed follow these practices and meets the requirements of one or more of:
-#* We need a publishable (non-confidential) statement or letter from an auditor (who meets the requirements of the Mozilla CA Certificate Policy) that states that they have reviewed the practices as outlined in the CP/CPS for these roots and their CA hierarchies, and that the CA does indeed follow these practices and meets the requirements of one or more of:
 #** WebTrust "Principles and Criteria for Certification Authorities 2.0" or later and "WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security – Version 2.0" or later (as applicable to SSL certificate issuance) in WebTrust Program for Certification Authorities;
 #** WebTrust "Principles and Criteria for Certification Authorities - Extended Validation SSL 1.4.5” or later in WebTrust Program for Certification Authorities;
@@ Line 194: / Line 195: @@
 #* Renewed root certificates also need to be included in audits. If the root certificate was created after the most recent audit, then provide an estimate of when the new audit report (that includes the operations of the new root) will be available.
 #* Government CAs
-#** According to section 9 of [Mozilla's Root Store Policy], the audit must be performed according to criteria that is equivalent to one (or more) of ETSI TS 101 456, ETSI TS 102 042, or WebTrust CA. The government’s auditing agency should provide a statement about which of these their government criteria is equivalent to.
+#** According to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#required-audits Mozilla's Root Store Policy], the audit must be performed according to criteria that is equivalent to one (or more) of ETSI TS 101 456, ETSI TS 102 042, ETSI EN 319 411, or WebTrust. The government’s auditing agency should provide a statement about which of these their government criteria is equivalent to.
-#** According to sections 10 and 11 of [Mozilla's Root Store Policy], it is acceptable for a government auditing organization to perform the audit of the government’s CA organization. It must be clear that the CA organization does not audit itself.
 # SSL Verification Procedures
 #* If you are requesting to enable the Websites (SSL/TLS) trust bit...

CA/Information Checklist: Difference between revisions

CA/Information Checklist (view source)

Revision as of 19:42, 24 October 2017

Navigation menu

Search