(Replaced all page content with new content.) |
(Continued editing) |
||
| Line 18: | Line 18: | ||
A subordinate CA operator only needs to go through this process once for each type of certificate issuance, even if they will be operating multiple subordinate CA certificates, provided that they are operating under the same set of policies and audits. | A subordinate CA operator only needs to go through this process once for each type of certificate issuance, even if they will be operating multiple subordinate CA certificates, provided that they are operating under the same set of policies and audits. | ||
| | {| class="wikitable" | ||
|- | |- | ||
! '''Step''' !! Who performs this step !! Equivalent Step(s) in Mozilla’s root Inclusion Process | |||
|- | |- | ||
| | | Create a [[#_q5mbsbl2xoae|Bugzilla Bug]] containing the [[#_cu9brd1cplce|required documentation]] about the potential subordinate CA operator || Example || Example | ||
|- | |- | ||
| | | Perform a [https://wiki.mozilla.org/CA/Application_Verification#Detailed_Review detailed review] of the potential subordinate CA’s policy and audit documents, and provide findings in the Bugzilla Bug. The potential Subordinate CA operator may update their documentation based on the Root CA operator’s findings, and this step may be re-performed. || Example || Example | ||
|- | |- | ||
| | | Update the Bugzilla Bug to indicate that it is ready for Mozilla review. Set: ● Whiteboard: [subca-cps-review] ● "Request Information From" to bwilson@mozilla.com || Example || Example | ||
|- | |- | ||
| | | Perform a [https://wiki.mozilla.org/CA/Application_Verification#Detailed_Review detailed review] of the potential subordinate CA’s policy and audit documents, provide and summarize the findings in the Bugzilla Bug. || Example || Example | ||
|- | |- | ||
| | | Start a [[#_laru4p1mfydd|public discussion]] in [https://groups.google.com/a/mozilla.org/g/dev-security-policy MDSP] summarizing the request and providing links to documentation and evaluations. || Example || Example | ||
|- | |- | ||
| | | Discussion proceeds and the root CA Operator or the potential subordinate CA operator responds to questions and concerns || Example || Example | ||
|- | |- | ||
| | | State Decision in the discussion thread and in the Bugzilla Bug || Example || Example | ||
|- | |- | ||
| | | Add the subordinate CA certificate(s) to the CCADB, if it was not previously added according to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#53-intermediate-certificates MRSP section 5.3].** || Example || Example | ||
|- | |- | ||
| | | Update the appropriate fields for the CA certificate(s) in the CCADB to indicate that public discussion occurred and that the CA was approved || Example || Example | ||
| | |- | ||
| Update the corresponding records in the CCADB at least annually with current policy and audit documentation. || Example || Example | |||
|} | |||
** Public disclosure of new CA certificates in the CCADB must occur within one week of signing as required by[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#532-publicly-disclosed-and-audited ][https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#532-publicly-disclosed-and-audited MRSP § 5.3.2], including an indication of whether the CA is covered by the same audits as the parent CA or whether it has a separate audit. | ** Public disclosure of new CA certificates in the CCADB must occur within one week of signing as required by[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#532-publicly-disclosed-and-audited ][https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#532-publicly-disclosed-and-audited MRSP § 5.3.2], including an indication of whether the CA is covered by the same audits as the parent CA or whether it has a separate audit. | ||
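Review bot: every row of the added table still has the placeholder "Example" in both the "Who performs this step" and "Equivalent Step(s) in Mozilla’s root Inclusion Process" columns, so the table does not yet say which party is responsible for any step. This matters most for the two "Perform a detailed review" rows, which are nearly identical in wording and can only be told apart by who performs them; fill in the actor for each row before this revision is relied on. Two smaller points in the same table: the internal links such as [[#_q5mbsbl2xoae|Bugzilla Bug]] use anchors that look like document-export IDs and should be checked against the section anchors that actually exist on the page, and the "Set: ● Whiteboard: ... ● "Request Information From" ..." cell carries inline bullet characters that would read better as a wiki list or two sentences. In the unchanged footnote, "required by[" is missing a space and the first of the two MRSP § 5.3.2 links has an empty label.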