Changes

Jump to: navigation, search

CA/Certificate Change Process

205 bytes added, 17:22, 13 November 2023
Remove or Disable a Root: Updated with information about security incident reporting
Reasons for removing or disabling a root certificate may include:
* [https://wiki.mozilla.org/CA/Vulnerability_Disclosure Security Compromise]
* Expired or Expiring CA
* Small modulus key length
'''Important:''' Root changes that are motivated by a serious security concern such as a root compromise should be treated as a security-sensitive bug, and a [https://bugzilla.mozilla.org/enter_bug.cgi?product=CA%20Program&component=CA%20Security%20Vulnerability&groups=ca-program-security secure bug filed in Bugzilla].
The Otherwise, the ordinary or usual process for removing or disabling a root in NSS is as follows:
# Initiate the request:
#* [https://bugzilla.mozilla.org/enter_bug.cgi?&component=CA%20Certificate%20Root%20Program&product=CA%20Program&short_desc=Remove%20%5Byour%20CA%27s%20name%5D%20root%20certificate%28s%29 File a bug in Bugzilla] with the following information:
#* The bug may be marked as security-sensitive. Security-sensitive bugs can be viewed only by a select set of Bugzilla users, not by the general public.
#** The security module owner works with the bug reporter and others to determine when the bug should be opened to public view. For example, this might be done after release of a security update changing the trust bits of the root.
#* In most situations , an authoritative representative of the CA must request or approve the change. Mozilla reserves the right to approve the change without the consent of the CA.
# The bug will be assigned to the Mozilla representative who is appointed to evaluate the request. This will usually be the [[Modules/Activities#CA_Certificates|CA Certificates Module Owner]].
# The Mozilla representative will ensure the necessary information has been provided.
#** Two Mozilla staff members, if the CA is not in agreement.
# The Mozilla representative will deliver any preliminary decisions
#* It may be necessary to treat the bug as a sensitive security issue and follow the [http://www.mozilla.org/projects/security/security-bugs-policy.html Mozilla Policy for Handling Security Bugs]or the '''[https://wiki.mozilla.org/CA/Vulnerability_Disclosure root program's security incident reporting process]'''.
# Implementation
#* If the resulting decision is to change the root certificate, the Mozilla representative will create a corresponding NSS bug to make the actual changes in NSS, and mark that bug as blocking the original change request.
Bwilson
Confirm
359
edits
Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/1248939"

Navigation menu