Confirmed users, Administrators
5,526
edits
CA/Certificate Change Process: Difference between revisions
Jump to navigation
Jump to search
Updated to match current process
(Updated to match current process) |
(Updated to match current process) |
||
| Line 68: | Line 68: | ||
#** Product: NSS | #** Product: NSS | ||
#** Component: CA Certificate Root Program | #** Component: CA Certificate Root Program | ||
#** Summary: | #** Summary: Remove <CN or cert name> root cert | ||
#*** Or: Turn off Trust Bit(s) for <CN or cert name> root cert | |||
#** Description: Include the following information | #** Description: Include the following information | ||
#*** Subject/Issuer field values in the root certificate to be changed | #*** Subject/Issuer field values in the root certificate to be changed | ||
#*** SHA256 Fingerprint of the certificate to be changed | #*** SHA256 Fingerprint of the certificate to be changed | ||
#*** Specify if the root is to be removed, or which trust bits are to be turned off | #*** Specify if the root is to be removed, or which trust bits are to be turned off | ||
#**** Consideration: For a serious situation, it might be better to disable the trust bits of that root | #**** Consideration: For a serious situation, it might be better to disable the trust bits of that root, rather than just remove the root. If the root is removed, it could potentially be signed by another root that is included in NSS. However, if we disable the trust bits by default, then that root could not be used again for TLS in Firefox unless a user specifically turned on the websites trust bit for it. | ||
#*** Reason for requesting this change | #*** Reason for requesting this change | ||
#*** Impact that the change may have on Mozilla users | #*** Impact that the change may have on Mozilla users | ||
| Line 93: | Line 94: | ||
# Implementation | # Implementation | ||
#* If the resulting decision is to change the root certificate, the Mozilla representative will create a corresponding NSS bug to make the actual changes in NSS, and mark that bug as blocking the original change request. | #* If the resulting decision is to change the root certificate, the Mozilla representative will create a corresponding NSS bug to make the actual changes in NSS, and mark that bug as blocking the original change request. | ||
#* A Mozilla representative makes the changes in NSS, and requests code review. | #* A Mozilla representative makes the changes in an [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS] branch, and requests code review. | ||
#* A Mozilla representative | #* A Mozilla representative commits the changes into NSS, and marks the bug RESOLVED FIXED. | ||
#* A Mozilla representative confirms the changes in Firefox Nightly. | #* A Mozilla representative confirms the changes in Firefox Nightly, then updates the corresponding records in the [https://www.ccadb.org/ CCADB]. | ||
#* For security-sensitive bugs, the security update will proceed as described in [http://www.mozilla.org/projects/security/security-bugs-policy.html Mozilla's Policy for Handling Security Bugs] | #* For security-sensitive bugs, the security update will proceed as described in [http://www.mozilla.org/projects/security/security-bugs-policy.html Mozilla's Policy for Handling Security Bugs] | ||
#* For non-security-sensitive requests, some time after the bug is marked as RESOLVED FIXED, various Mozilla products will move to using a version of NSS which contains the change. This process is mostly under the control of the release drivers for those products. | #* For non-security-sensitive requests, some time after the bug is marked as RESOLVED FIXED, various Mozilla products will move to using a version of NSS which contains the change. This process is mostly under the control of the release drivers for those products. | ||