Changes

* [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&component=CA%20Certificate%20Compliance&product=NSS NSS CA%20Program CA Program :: CA Certificate Compliance] - Problems found in certificates issued by Certificate Authorities included in the default certificate store.

* [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&component=CA%20Certificate%20Root%20Program&product=NSS NSS CA%20Program CA Program :: CA Certificate Root Program] - For Certificate Authorities to file requests asking for their certificates to be included in the default certificate store.

* [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&component=Common%20CA%20Database&product=NSS NSS CA%20Program CA Program :: Common CA Database] - For requesting updates to the [https://www.ccadb.org/ Common CA Database (CCADB)].

The CA Certificate Program deviates from Mozilla's standardized [[Bugmasters/Process/Triage|Bugzilla Bug Triage]] process by not using bug priorities (P1, P2, P3, or P5), because [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&component=CA%20Certificate%20Root%20Program&product=NSS CA%20Program CA Certificate Root Program bugs] do not directly include code changes to Mozilla's [[RapidRelease/Calendar|release trains]] or iterations.

* https://bugzilla.mozilla.org/enter_bug.cgi?product=NSSCA%20Program&component=CA%20Certificate%20Compliance

The whiteboard tags for [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&component=CA%20Certificate%20Compliance&product=NSS NSS CA%20Program CA Program :: CA Certificate Compliance] are:* [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&query_format=advanced&component=CA%20Certificate%20Compliance&product=NSSCA%20Program&status_whiteboard_type=allwordssubstr&status_whiteboard=ca-compliance [ca-compliance]] -- For concerns about a CA's certificates failing to comply with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy] and/or the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum's Baseline Requirements], and it is not considered to be an [https://www.mozilla.org/en-US/security/#For_Developers imminent security concern].* [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&query_format=advanced&component=CA%20Certificate%20Compliance&product=NSSCA%20Program&status_whiteboard_type=allwordssubstr&status_whiteboard=auditor-compliance [auditor-compliance]] -- For concerns about an auditor failing to properly detect and report on CA compliance issues that occurred during one or more periods when the CA was audited.* [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&query_format=advanced&component=CA%20Certificate%20Compliance&product=NSSCA%20Program&status_whiteboard_type=allwordssubstr&status_whiteboard=delayed-revocation-ca [delayed-revocation-ca]] or [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&query_format=advanced&component=CA%20Certificate%20Compliance&product=NSSCA%20Program&status_whiteboard_type=allwordssubstr&status_whiteboard=delayed-revocation-leaf [delayed-revocation-leaf]] -- appended after [ca-compliance] whenever a CA fails to abide by the Baseline Requirements' requirement to revoke certificates in a timely fashion.* [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&query_format=advanced&component=CA%20Certificate%20Compliance&product=NSSCA%20Program&status_whiteboard_type=allwordssubstr&status_whiteboard=audit-delay [audit-delay]] -- appended after [ca-compliance] when a CA is unable to provide audit statements within one year and 3 months of the previous audit period end date.* [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&query_format=advanced&component=CA%20Certificate%20Compliance&product=NSSCA%20Program&status_whiteboard_type=allwordssubstr&status_whiteboard=covid-19 [covid-19]] -- appended after [ca-compliance], [audit-delay], or [delayed-revocation-ca] when delays are due to mandated restrictions regarding COVID-19.

The whiteboard tags for [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&component=CA%20Certificate%20Root%20Program&product=NSS NSS CA%20Program CA Program :: CA Certificate Root Program] are:* [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&query_format=advanced&component=CA%20Certificate%20Root%20Program&product=NSSCA%20Program&status_whiteboard_type=allwordssubstr&status_whiteboard=ca-initial [ca-initial]] -- not enough information to begin the Information Verification phase, or not yet assigned to someone to do the Information Verification* [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&query_format=advanced&component=CA%20Certificate%20Root%20Program&product=NSSCA%20Program&status_whiteboard_type=allwordssubstr&status_whiteboard=ca-verifying [ca-verifying]] -- in [[CA/Application_Verification#Information_Verification|Information Verification]] phase. This is a high-level review to ensure that all of the [[CA/Information_Checklist|required data]] has been provided and the appropriate tests run.* [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&query_format=advanced&component=CA%20Certificate%20Root%20Program&product=NSSCA%20Program&status_whiteboard_type=allwordssubstr&status_whiteboard=ca-cps-review [ca-cps-review]] -- in [[CA/Application_Verification#Detailed_Review|Detailed Review]] phase, in which all of the relevant CP/CPS and audit documents will be [[CA/Required_or_Recommended_Practices#CP.2FCPS_Documents_will_be_Reviewed.21|thoroughly reviewed]]. During this phase, the CA may be required to update their CP/CPS and audit documents to become fully aligned with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy].* [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&query_format=advanced&component=CA%20Certificate%20Root%20Program&product=NSSCA%20Program&status_whiteboard_type=allwordssubstr&status_whiteboard=ca-ready-for-discussion [ca-ready-for-discussion yyyy-mm-dd]] -- Information Verification and Detailed Review phases complete. Ready for [[CA/Application_Verification#Public_discussion|public discussion]]. In parentheses add date when Detailed Review phase was completed.* [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&query_format=advanced&component=CA%20Certificate%20Root%20Program&product=NSSCA%20Program&status_whiteboard_type=allwordssubstr&status_whiteboard=ca-in-discussion [ca-in-discussion]] -- in discussion in the [https://groups.google.com/a/mozilla.org/g/dev-security-policy MDSP mailing list].* [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&query_format=advanced&component=CA%20Certificate%20Root%20Program&product=NSSCA%20Program&status_whiteboard_type=allwordssubstr&status_whiteboard=ca-discussion-hold [ca-discussion-hold]] -- discussion on hold, pending CA actions.* [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&query_format=advanced&component=CA%20Certificate%20Root%20Program&product=NSSCA%20Program&status_whiteboard_type=allwordssubstr&status_whiteboard=ca-hold [ca-hold]] -- CA's request is on hold, typically because the CA is a super-CA, so all of their subCAs have to achieve inclusion first.* [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&query_format=advanced&component=CA%20Certificate%20Root%20Program&product=NSSCA%20Program&status_whiteboard_type=allwordssubstr&status_whiteboard=ca-pending-approval [ca-pending-approval]] -- final notice of intent to approve the CA's request* [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&query_format=advanced&component=CA%20Certificate%20Root%20Program&product=NSSCA%20Program&status_whiteboard_type=allwordssubstr&status_whiteboard=ca-approved [ca-approved]] -- request is approved, pending code changes in NSS, also including certs which are in NSS and pending code changes in PSM* [https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&product=NSSCA%20Program&component=CA%20Certificate%20Root%20Program&resolution=---&resolution=FIXED&resolution=INVALID&resolution=WONTFIX&resolution=DUPLICATE&resolution=WORKSFORME&resolution=INCOMPLETE&resolution=SUPPORT&resolution=EXPIRED&resolution=MOVED&longdesc_type=allwordssubstr&longdesc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=ca-denied&keywords_type=allwords&keywords=&bug_id=&bug_id_type=anyexact&votes=&votes_type=greaterthaneq&emailtype1=substring&email1=&emailtype2=substring&email2=&emailtype3=substring&email3=&chfieldvalue=&chfieldfrom=&chfieldto=Now&j_top=AND&f1=noop&o1=noop&v1= [ca-denied]] -- request was denied. Under normal circumstances the CA may submit a new root inclusion request for a new root certificate that fully complies with Mozilla's Root Store policy.

* [https://bugzilla.mozilla.org/buglist.cgi?&query_format=advanced&component=CA%20Certificate%20Root%20Program&product=NSSCA%20Program&status_whiteboard_type=allwordssubstr&status_whiteboard=ca-audit [ca-audits]] -- One bug may be created per CA to store audit statements or CP/CPS documents. ** [https://bugzilla.mozilla.org/enter_bug.cgi?alias=&assigned_to=kwilson@mozilla.com&blocked=&bug_file_loc=http%3A%2F%2F&bug_severity=enhancement&bug_status=NEW&component=CA%20Certificate%20Root%20Program&product=NSS CA%20Program Link to create ca-audit bug]** Make sure the bug has the correct product/component for the CA Certificate Program, which is [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&component=CA%20Certificate%20Root%20Program&product=NSS NSS CA%20Program CA Program :: CA Certificate Root Program]

* [https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&query_format=advanced&component=CA%20Certificate%20Root%20Program&product=NSSCA%20Program&status_whiteboard_type=allwordssubstr&status_whiteboard=ca-program [ca-program]] -- bugs related to CA Program process, wiki pages, or policy. Note that most [https://github.com/mozilla/pkipolicy/issues CA Program Policy issues] are tracked on Github.