CA/Root Inclusion Considerations: Difference between revisions

drafting
(drafting)
(drafting)
Line 35: Line 35:
* The CA is owned or funded by an individual or government organization that is known to also own or fund a vendor that has provided software being used for network surveillance or cyber espionage.
* The CA is owned or funded by an individual or government organization that is known to also own or fund a vendor that has provided software being used for network surveillance or cyber espionage.
* The CA uses a shell company, an acquisition, or other misdirection to divert attention away from their relationship with another organization or government.
* The CA uses a shell company, an acquisition, or other misdirection to divert attention away from their relationship with another organization or government.
== Other Considerations ==
Obvious warning signs for CAs who have requested inclusion of their root certificates in Mozilla’s Root Store include but are not limited to the following. CAs exhibiting these warning signs will have to either improve their operations and demonstrate their ability to maintain the higher level of operations, or their root inclusion request will be denied.
The CA:
* Has [[CA/Prioritization|Certificate Change Prioritization]] score of P4 or P5.
* Is not a member of the CA/Browser Forum (CABF) Server Certificate Working Group (when applying for the Websites trust bit) or the CABF S/MIME Certificate Working Group (when applying for the Email trust bit).
* Is a [[CA/Subordinate_CA_Checklist#Super-CAs|Super-CA]] that signs the certificates of subordinate CAs to only show that they have been accredited or licensed by the signing CA (i.e. the super-CA does not guarantee that their subCAs comply with the BRs and Mozilla’s root store policy.
* Has audit statements from an auditor whose [[CA/Audit_Statements#Auditor_Qualifications|auditor qualifications]] are insufficient or do not pass the verification checks for [[CA/Audit_Statements#Verifying_WebTrust_Auditor_Qualifications|WebTrust auditors]] or [[CA/Audit_Statements#Verifying_ETSI_Auditor_Qualifications|ETSI auditors]].
* Has gaps between audit periods.
* Does not fully comply with the CABF Baseline Requirements that are relevant to the trust bits they are applying for.
* Does not fully comply with Mozilla’s Root Store Policy or
** https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Required_Practices.
* Does any of the activities listed in https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Forbidden_Practices
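Review bot: In the Super-CA bullet, the parenthesis opened at "(i.e. the super-CA does not guarantee that their subCAs comply with the BRs and Mozilla’s root store policy" is never closed; add ")" before the final full stop. The bullet "Does not fully comply with Mozilla’s Root Store Policy or" ends on a dangling "or" and pushes the Required Practices URL into a nested bullet, so a reader cannot tell whether the item covers the policy, the required practices, or both; fold the link into the same list item so the condition reads as one sentence. The first bullet needs an article ("Has a Certificate Change Prioritization score of P4 or P5"). The two bare https://wiki.mozilla.org/ URLs in the last bullets would also be more consistent as [[CA/...|...]] internal links, matching the Prioritization, Super-CAs and Audit_Statements links earlier in the same list.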