CA/External Sub CAs: Difference between revisions

More hyperlink edits
(Edits to hyperlinks)
(More hyperlink edits)
Line 12: Line 12:
The root CA operator MUST complete the following process and receive written approval from Mozilla before a non-technically-constrained (according to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#53-intermediate-certificates MRSP section 5.3]) externally-operated subordinate CA begins issuing certificates under the conditions stated in section 8.4 of [https://www.mozilla.org/projects/security/certs/policy/ MRSP].
The root CA operator MUST complete the following process and receive written approval from Mozilla before a non-technically-constrained (according to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#53-intermediate-certificates MRSP section 5.3]) externally-operated subordinate CA begins issuing certificates under the conditions stated in section 8.4 of [https://www.mozilla.org/projects/security/certs/policy/ MRSP].


This approval process is essentially the same approval [https://wiki.mozilla.org/CA/Application_Process#Process_Overview process used for root inclusion requests], with the main difference being that the root CA operator collects the information from the potential subordinate CA operator, creates a corresponding Bugzilla Bug, and provides the results of their own detailed review. Then a Mozilla representative or a CA Community representative (as agreed by the Mozilla representative) will perform an additional detailed review of the subordinate CA’s CP/CPS and audit documents and provide their findings in the Bugzilla Bug. Then a representative of Mozilla starts a discussion in [https://groups.google.com/a/mozilla.org/g/dev-security-policy MDSP] as described in the [[CA/External_Sub_CAs#Public_Discussion|Public Discussion]] section below.
This approval process is essentially the same approval [CA/Application_Process#Process_Overview process used for root inclusion requests], with the main difference being that the root CA operator collects the information from the potential subordinate CA operator, creates a corresponding Bugzilla Bug, and provides the results of their own detailed review. Then a Mozilla representative or a CA Community representative (as agreed by the Mozilla representative) will perform an additional detailed review of the subordinate CA’s CP/CPS and audit documents and provide their findings in the Bugzilla Bug. Then a representative of Mozilla starts a discussion in [https://groups.google.com/a/mozilla.org/g/dev-security-policy MDSP] as described in the [[CA/External_Sub_CAs#Public_Discussion|Public Discussion]] section below.


Approval of one type of certificate issuance (e.g. email) for a subordinate CA operator does '''not''' imply that another type of certificate issuance (e.g. TLS) would be approved for the same CA operator.
Approval of one type of certificate issuance (e.g. email) for a subordinate CA operator does '''not''' imply that another type of certificate issuance (e.g. TLS) would be approved for the same CA operator.
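Review bot: The new revision of the "This approval process" paragraph breaks the link to the root inclusion process. It now reads [CA/Application_Process#Process_Overview process used for root inclusion requests], a bare page name inside single brackets. Single-bracket syntax is for external links and needs a full URL, so this will render as literal bracketed text instead of a link. Suggest the internal-link form the same paragraph already uses for Public Discussion: [[CA/Application_Process#Process_Overview|process used for root inclusion requests]].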
Line 50: Line 50:
== Bugzilla Bug ==
== Bugzilla Bug ==


[[https://bugzilla.mozilla.org/enter_bug.cgi?&component=CA Certificate Root Program&product=NSS&bug_severity=enhancement&short_desc=[your CA's name] New Subordinate CA Request|Create a new Bugzilla Bug report]] corresponding to your request.
[https://bugzilla.mozilla.org/enter_bug.cgi?&component=CA%20Certificate%20Root%20Program&product=NSS&bug_severity=enhancement&short_desc=(Your%20CA's%20name)%20New%20Subordinate%20CA%20Request Create a new Bugzilla Bug report] corresponding to your request.


● https://bugzilla.mozilla.org/enter_bug.cgi
● https://bugzilla.mozilla.org/enter_bug.cgi
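Review bot: In the new Bugzilla link, the short_desc value percent-encodes every space but leaves the apostrophe in "CA's" raw. Suggest encoding it as %27, for consistency and because apostrophes are significant in wiki markup. The query string also still begins with an empty parameter, "enter_bug.cgi?&component=", which can be tidied to "enter_bug.cgi?component=". Since the pre-filled summary carries the literal placeholder "(Your CA's name)", it would help to say in the link text or the following sentence that the requester must replace it before submitting.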