m (Added link to wiki page of previous CP/CPS reviews) |
(→Who May Apply: Updated links to discussion groups.) |
||
| Line 8: | Line 8: | ||
[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy] states: "We will determine which CA certificates are included in Mozilla's root program based on the risks of such inclusion to typical users of our products." Including any CA carries a level of risk that is measured, in part, by the past record of the CA (or lack thereof), their responsiveness (or lack thereof), and the level of competence and precision demonstrated by the CA during the inclusion process. In some cases, a better alternative is to be a [[CA/Intermediate_Certificates|subordinate CA]] of a CA who is already [[CA/Included_Certificates|included in Mozilla's root store]]. It is the applicant's responsibility to justify why their root certificate needs to be included in Mozilla's root store and explain why the inclusion will not introduce undue risk for Mozilla users. See the Mozilla wiki page [[CA/Quantifying_Value|"Quantifying Value: Information Expected of New Applicants"]]. | [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy] states: "We will determine which CA certificates are included in Mozilla's root program based on the risks of such inclusion to typical users of our products." Including any CA carries a level of risk that is measured, in part, by the past record of the CA (or lack thereof), their responsiveness (or lack thereof), and the level of competence and precision demonstrated by the CA during the inclusion process. In some cases, a better alternative is to be a [[CA/Intermediate_Certificates|subordinate CA]] of a CA who is already [[CA/Included_Certificates|included in Mozilla's root store]]. It is the applicant's responsibility to justify why their root certificate needs to be included in Mozilla's root store and explain why the inclusion will not introduce undue risk for Mozilla users. 
See the Mozilla wiki page [[CA/Quantifying_Value|"Quantifying Value: Information Expected of New Applicants"]]. | ||
Having a root certificate you control included in Mozilla's root store is a major ongoing responsibility; it is '''not''' a one-time effort. It means that, in the normal case, the world will trust you to correctly issue digital certificates identifying any website and/or email address. There will be associated costs in maintaining the required security infrastructure, keeping up-to-date with evolving technical and procedural requirements, and conducting audits on an annual basis. After a CA has a certificate included in Mozilla's root store, it is expected that the CA will continue to be aware of [https://groups.google.com/ | Having a root certificate you control included in Mozilla's root store is a major ongoing responsibility; it is '''not''' a one-time effort. It means that, in the normal case, the world will trust you to correctly issue digital certificates identifying any website and/or email address. There will be associated costs in maintaining the required security infrastructure, keeping up-to-date with evolving technical and procedural requirements, and conducting audits on an annual basis. After a CA has a certificate included in Mozilla's root store, it is expected that the CA will continue to be aware of ongoing discussions in [https://groups.google.com/a/mozilla.org/g/dev-security-policy the Mozilla dev-security-policy list] and [https://groups.google.com/a/ccadb.org/g/public the CCADB discussion group] and updates to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy]. The CA is required to send regular updates to Mozilla via the [https://ccadb.org/ Common CA Database (CCADB)], including annual updates to their policy and audit documentation. | ||
= Process Overview = | = Process Overview = | ||
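Review bot: In the second paragraph of the new revision, the link to https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ is labelled "Mozilla's Root Store Policy", while the first paragraph labels the same URL "Mozilla's CA Certificate Policy". Since this edit already touches the links in that sentence, consider using one name for the document in both places so that readers do not take them for two separate policies. The new revision also moves "See the Mozilla wiki page ..." onto its own line, which the edit summary does not mention; confirm that the line break is intended.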