(incorporating feedback) | (incorporating feedback)
| Line 15: | Line 15: | ||
* There is [https://www.merriam-webster.com/legal/reasonable%20suspicion Reasonable suspicion] that the CA is closely tied, through ownership or operation, to a company engaged in any of the following: | * There is [https://www.merriam-webster.com/legal/reasonable%20suspicion Reasonable suspicion] that the CA is closely tied, through ownership or operation, to a company engaged in any of the following: | ||
** the distribution of malware or spyware; | ** the distribution of malware or spyware; | ||
** network surveillance that collects information about a person or organization and sends it to another entity in a way that endangers the privacy or device security of the person or organization; or | ** [https://en.wikipedia.org/wiki/Computer_and_network_surveillance#Network_surveillance network surveillance] that intercepts/manipulates traffic or collects private information about a person or organization and sends it to another entity without the permission of the person or organization, or in a way that endangers the privacy or device security of the person or organization; or | ||
** cyber espionage that aims to obtain information from a person or organization without the knowledge or permission of the person or organization for personal, economic, political or military advantage. | ** [https://en.wikipedia.org/wiki/Cyber_spying cyber espionage] that aims to obtain private information from a person or organization without the knowledge or permission of the person or organization for personal, economic, political or military advantage. | ||
* The CA operator is in [https://trust.salesforce.com/blocked a global region that cannot use the CCADB], or is not capable of entering into a contractual agreement with a [https://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx US-based] company. | * The CA operator is in [https://trust.salesforce.com/blocked a global region that cannot use the CCADB], or is not capable of entering into a contractual agreement with a [https://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx US-based] company. | ||
* The CA operator appears to have: | * The CA operator appears to have: | ||
** Deliberately violated Mozilla's Root Store Policy or other applicable policy; or | ** Deliberately violated the version of Mozilla's Root Store Policy or other applicable policy that was in effect at the time of the violation; or | ||
** Lied, concealed, or failed to disclose the full extent of a problem. | ** Lied, concealed, or failed to disclose the full extent of a problem; or | ||
** Made deceptive or recklessly misleading claims relating to operation of the CA or the use of its certificates. | |||
* The CA operator has: | * The CA operator has: | ||
** Repeated incidents of certificate mis-issuance that the CA operator previously claimed to have resolved; | ** Repeated incidents of certificate mis-issuance that the CA operator previously claimed to have resolved; | ||
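Review bot: the new bullet added at the end of the "appears to have" list ("Made deceptive or recklessly misleading claims relating to operation of the CA or the use of its certificates.") overlaps with the preceding "Lied, concealed, or failed to disclose the full extent of a problem; or" bullet; consider making the distinction explicit, for example that the earlier item concerns disclosure of a known problem while the new one concerns affirmative claims about operations or certificate use, so a reader applying the list can tell which indicator is triggered. A smaller style point in the same hunk: "intercepts/manipulates traffic" in the revised network-surveillance bullet would read more cleanly spelled out as "intercepts or manipulates traffic", matching the prose style of the surrounding items.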
| Line 33: | Line 34: | ||
* The CA’s provided address is a P.O. box, mail drop, or an address shared with numerous other companies/entities. (e.g. shell corporate registry) | * The CA’s provided address is a P.O. box, mail drop, or an address shared with numerous other companies/entities. (e.g. shell corporate registry) | ||
* The CA's auditor has not audited other CAs whose root certificates are already included in Mozilla’s Root store. | * The CA's auditor has not audited other CAs whose root certificates are already included in Mozilla’s Root store. | ||
* The CA's representatives are not fully transparent on matters such as legal domicile and | * The CA's representatives are not fully transparent on matters such as legal domicile and Control. | ||
** "Control" (and its correlative meanings, "controlled by" and "under common control with") means possession, directly or indirectly, of the power to: (1) direct the management, personnel, finances, or plans of such entity; (2) control the election of a majority of the directors ; or (3) vote that portion of voting shares required for "control" under the law of the entity's Jurisdiction of Incorporation or Registration but in no case less than 10%. | |||
* The CA has physical, monetary, or business nexus to a government of a country that | * The CA has physical, monetary, or business nexus to a government of a country that | ||
** has an [https://freedomhouse.org/countries/freedom-net/scores Internet Freedom Score] less than 50; or | ** has an [https://freedomhouse.org/countries/freedom-net/scores Internet Freedom Score] less than 50; or | ||
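Review bot: the share-ownership prong of the new "Control" definition ("(3) vote that portion of voting shares required for "control" under the law of the entity's Jurisdiction of Incorporation or Registration but in no case less than 10%") is ambiguous about which way the 10% figure cuts: it can be read as a floor on the threshold (a holding below 10% never counts as control even where local law sets a lower bar) or as a ceiling (any holding of 10% or more counts regardless of local law). Since this definition feeds the "not fully transparent on matters such as legal domicile and Control" risk indicator, state the intended reading in one sentence. Minor: the stray space before the semicolon in "majority of the directors ;" should be removed, and "Jurisdiction of Incorporation or Registration" is capitalised as a defined term but is not defined in this section, so either link to its definition or lower-case it.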
| Line 46: | Line 48: | ||
The CA: | The CA: | ||
* Has [[CA/Prioritization|Certificate Change Prioritization]] score of P4 or P5. | * Has [[CA/Prioritization|Certificate Change Prioritization]] score of P4 or P5. | ||
* Fails to provide prompt and | * Fails to provide prompt, detailed, public, and transparent responses to Mozilla inquiries about their CA operations, root inclusion requests, policy documents, audit statements, and incidents. | ||
* Is not a [https://cabforum.org/information-for-potential-members/ voting member], [https://github.com/cabforum/forum/blob/main/Bylaws.md#31-associate-members associate member], or [https://github.com/cabforum/forum/blob/main/Bylaws.md#32-interested-parties interested party] participating in the CA/Browser Forum (CABF) Server Certificate Working Group (when applying for the Websites trust bit) or the CABF S/MIME Certificate Working Group (when applying for the Email trust bit). | * Is not a [https://cabforum.org/information-for-potential-members/ voting member], [https://github.com/cabforum/forum/blob/main/Bylaws.md#31-associate-members associate member], or [https://github.com/cabforum/forum/blob/main/Bylaws.md#32-interested-parties interested party] participating in the CA/Browser Forum (CABF) Server Certificate Working Group (when applying for the Websites trust bit) or the CABF S/MIME Certificate Working Group (when applying for the Email trust bit). | ||
* Is a [[CA/Subordinate_CA_Checklist#Super-CAs|Super-CA]] that signs the certificates of subordinate CAs to only show that they have been accredited or licensed by the signing CA (i.e. the super-CA does not guarantee that their subCAs comply with the BRs and Mozilla’s root store policy. | * Is a [[CA/Subordinate_CA_Checklist#Super-CAs|Super-CA]] that signs the certificates of subordinate CAs to only show that they have been accredited or licensed by the signing CA (i.e. the super-CA does not guarantee that their subCAs comply with the BRs and Mozilla’s root store policy. | ||
* Has audit statements from an auditor whose [[CA/Audit_Statements#Auditor_Qualifications|auditor qualifications]] are insufficient or do not pass the verification checks for [[CA/Audit_Statements#Verifying_WebTrust_Auditor_Qualifications|WebTrust auditors]] or [[CA/Audit_Statements#Verifying_ETSI_Auditor_Qualifications|ETSI auditors]]. | * Has audit statements from an auditor whose [[CA/Audit_Statements#Auditor_Qualifications|auditor qualifications]] are insufficient or do not pass the verification checks for [[CA/Audit_Statements#Verifying_WebTrust_Auditor_Qualifications|WebTrust auditors]] or [[CA/Audit_Statements#Verifying_ETSI_Auditor_Qualifications|ETSI auditors]]. | ||
* Has non-contiguous audit periods. | * Has non-contiguous audit periods; meaning that there is one day or more between consecutive audit periods. | ||
* Does not fully comply with the CABF Baseline Requirements that are relevant to the trust bits they are applying for. | * Does not fully comply with the CABF Baseline Requirements that are relevant to the trust bits they are applying for. | ||
* Does not fully comply with Mozilla’s Root Store Policy or | * Does not fully comply with Mozilla’s Root Store Policy or | ||
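Review bot: the expanded audit-period bullet ("Has non-contiguous audit periods; meaning that there is one day or more between consecutive audit periods.") uses a semicolon where a comma or "i.e." is needed, and it would help to say whether the gap is measured from the end date of one period to the start date of the next (so, for example, a period ending 31 December followed by one starting 1 January counts as contiguous), since that is the check a reviewer will actually run against a CA's audit statements. Unrelated to this change but visible in the hunk: the Super-CA bullet opens a parenthesis at "(i.e. the super-CA does not guarantee" that is never closed.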