CA/Responding To An Incident: Difference between revisions

m (→Revocation: Removed "draft")
(→Mozilla’s Expectations on Revocation: Updated based on adoption of MRSP sec. 6.1.3)
Line 33: Line 33:
CA operators MUST revoke misissued or otherwise problematic TLS server certificates within 24 hours or 5 days, depending on the circumstances set forth in [https://cabforum.org/working-groups/server/baseline-requirements/requirements/#491-circumstances-for-revocation section 4.9.1] of the CA/Browser Forum’s TLS Baseline Requirements (TLS BRs).  
CA operators MUST revoke misissued or otherwise problematic TLS server certificates within 24 hours or 5 days, depending on the circumstances set forth in [https://cabforum.org/working-groups/server/baseline-requirements/requirements/#491-circumstances-for-revocation section 4.9.1] of the CA/Browser Forum’s TLS Baseline Requirements (TLS BRs).  


Mozilla does not grant exceptions to the revocation requirements of the TLS BRs.  
Per [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#613-delayed-revocation MRSP section 6.1.3], Mozilla does not grant exceptions to the revocation requirements of the TLS BRs.  


Furthermore, to ensure compliance with the TLS BRs, beginning September 1, 2025, Mozilla requires that CA operators:
Furthermore, to ensure compliance with the TLS BRs, beginning September 1, 2025, Mozilla requires that CA operators:
Line 39: Line 39:
* engage in proactive communication and advise subscribers well in advance about the revocation timelines and explicitly warn them against using publicly-trusted TLS server certificates on systems that cannot tolerate timely revocation;  
* engage in proactive communication and advise subscribers well in advance about the revocation timelines and explicitly warn them against using publicly-trusted TLS server certificates on systems that cannot tolerate timely revocation;  
* include appropriate language in customer agreements requiring subscribers’ timely cooperation in meeting revocation timelines and acknowledging the CA’s obligations to adhere to applicable policies and standards; and
* include appropriate language in customer agreements requiring subscribers’ timely cooperation in meeting revocation timelines and acknowledging the CA’s obligations to adhere to applicable policies and standards; and
* prepare and maintain credible plans to address mass revocation events, including detailed procedures for handling mass revocations effectively, including rapid communication with affected parties and conducting annual plan testing.
* prepare and maintain comprehensive and actionable plans to address mass revocation events, including detailed procedures for handling mass revocations effectively, including rapid communication with affected parties and conducting annual plan testing through tabletop exercises, simulations, parallel testing, or use of test environments, which do not involve the revocation of active certificates.


Beginning with the CA operator’s next annual audit cycle starting on or after June 1, 2025, each CA operator MUST engage a third-party assessor to evaluate whether the CA operator has:
Beginning with the CA operator’s next annual audit cycle starting on or after June 1, 2025, each CA operator MUST engage a third-party assessor to evaluate whether the CA operator has:
* engage a third party assessor to evaluate whether the CA Operator has:
* well-documented and actionable plans to handle mass revocation events;   
** credible plans to handle mass revocation events;   
* demonstrated the implementation and feasibility of the plans, through testing exercises including documentation of testing, processes, timelines, results, and remediation steps; and   
** tested the operational effectiveness of the plans, including the accuracy and adequacy of documentation of plan testing, including timelines, results, and remediation steps; and   
* incorporated feedback from such testing exercises and other evaluations to enhance readiness and improve future performance.
** incorporated feedback from such exercises to improve future readiness.


The above-referenced June 1, 2025, date is to ensure that compliance with the September 1, 2025, requirements will be evaluated within a reasonable timeframe while allowing CA operators to incorporate mass revocation testing into their CA processes and annual audit cycles. However, the assessment does not have to be conducted as part of the CA operator’s ETSI or WebTrust audit unless the CA operator finds it more convenient to include it within that scope. The assessment may be conducted separately by a qualified third-party assessor, provided it meets the stated evaluation criteria.
The above-referenced June 1, 2025, date is to ensure that compliance with the September 1, 2025, requirements will be evaluated within a reasonable timeframe while allowing CA operators to incorporate mass revocation testing into their CA processes and annual audit cycles. However, the assessment does not have to be conducted as part of the CA operator’s ETSI or WebTrust audit unless the CA operator finds it more convenient to include it within that scope. The assessment may be conducted separately by a qualified third-party assessor, provided it meets the stated evaluation criteria.
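Review bot: In the rewritten last bullet of the "beginning September 1, 2025" list ("... conducting annual plan testing through tabletop exercises, simulations, parallel testing, or use of test environments, which do not involve the revocation of active certificates"), the trailing relative clause reads as if it qualifies only "use of test environments", so a reader could take tabletop exercises or parallel testing as exempt from the no-live-revocation condition; suggest making the constraint apply to every method, e.g. "through tabletop exercises, simulations, parallel testing, or test environments; plan testing MUST NOT revoke active certificates." The same bullet also stacks "including detailed procedures ..., including rapid communication ..." and would read more cleanly as "including detailed procedures for handling mass revocations effectively and for rapid communication with affected parties, and annual plan testing ...". In the assessor list, the second criterion "demonstrated the implementation and feasibility of the plans, through testing exercises including documentation of testing, processes, timelines, results, and remediation steps" makes the documentation sound like part of the exercise rather than part of the evidence; "through testing exercises, with documentation of the testing, processes, timelines, results, and remediation steps" states what the assessor should actually receive. Removing the old redundant "* engage a third party assessor ..." bullet under the intro sentence that already says "MUST engage a third-party assessor" is a good fix.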