Confirm, administrator
5,526
edits
Changes
m
== Changing a Root Certificate that is Currently Included in NSS ==
=== Security Compromise ===
=== Add a Trust Bit ===
=== Enable EV ===
=== Disable a Root ===
=== Remove a Root ===
→Changing a Root Certificate that is Currently Included in NSS
Reasons to change a root certificate that is currently included in NSS may included, but are not limited to:
* Remove a Root
When a serious security concern is noticed, such as a major root compromise, it should be treated as a security-sensitive bug, and the [http://www.mozilla.org/projects/security/security-bugs-policy.html Mozilla Policy for Handling Security Bugs] should be followed.
When a root certificate is included in NSS, one or more of the three trust bits (websites, email, code signing) are enabled. It is common for a CA to request inclusion with a subset of the trust bits enabled, and then later request that an additional trust bit be enabled. The following steps outline how a CA may request to enable additional trust bits for a root certificate that is included in NSS.
# The request will go through the [[ CA:How_to_apply#Information_gathering_and_verification|Information Gathering and Verification]], [[CA:How_to_apply#Public_discussion|Public Discussion]], and [[CA:How_to_apply#Inclusion|Inclusion]] phases as described in [[CA:How_to_apply|CA:How_to_apply]].
The following steps outline the procedure for a CA to request that Extended Validation (EV) be enabled for a root certificate that is currently included in NSS.
# The request will go through the [[ CA:How_to_apply#Information_gathering_and_verification|Information Gathering and Verification]], [[CA:How_to_apply#Public_discussion|Public Discussion]], and [[CA:How_to_apply#Inclusion|Inclusion]] phases as described in [[CA:How_to_apply|CA:How_to_apply]]
Disabling a root is the act of turning off one or more of the three trust bits (Websites, Email, Code Signing).
#* For [http://www.mozilla.org/projects/security/security-bugs-policy.html Security-sensitive] requests the security module owner works with the bug reporter and others to determine when the bug should be opened to public view. For example, this might be done after release of a security update removing the root.
Reasons for removing a root certificate may include, but are not limited to:
