m (→Disable a Root) |
|||
| Line 1: | Line 1: | ||
= Changing a Root Certificate that is Currently Included in NSS = | |||
Reasons to change a root certificate that is currently included in NSS may included, but are not limited to: | Reasons to change a root certificate that is currently included in NSS may included, but are not limited to: | ||
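Review bot: The intro sentence under the page title still reads "may included, but are not limited to"; it should be "may include", matching the wording already used under Remove a Root ("may include, but are not limited to"). This part of the page is already in the diff, so the typo can be fixed in the same edit.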
| Line 9: | Line 9: | ||
* Remove a Root | * Remove a Root | ||
== Security Compromise == | |||
When a serious security concern is noticed, such as a major root compromise, it should be treated as a security-sensitive bug, and the [http://www.mozilla.org/projects/security/security-bugs-policy.html Mozilla Policy for Handling Security Bugs] should be followed. | When a serious security concern is noticed, such as a major root compromise, it should be treated as a security-sensitive bug, and the [http://www.mozilla.org/projects/security/security-bugs-policy.html Mozilla Policy for Handling Security Bugs] should be followed. | ||
== Add a Trust Bit == | |||
When a root certificate is included in NSS, one or more of the three trust bits (websites, email, code signing) are enabled. It is common for a CA to request inclusion with a subset of the trust bits enabled, and then later request that an additional trust bit be enabled. The following steps outline how a CA may request to enable additional trust bits for a root certificate that is included in NSS. | When a root certificate is included in NSS, one or more of the three trust bits (websites, email, code signing) are enabled. It is common for a CA to request inclusion with a subset of the trust bits enabled, and then later request that an additional trust bit be enabled. The following steps outline how a CA may request to enable additional trust bits for a root certificate that is included in NSS. | ||
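Review bot: The Security Compromise paragraph links the Mozilla Policy for Handling Security Bugs over plain http (http://www.mozilla.org/projects/security/security-bugs-policy.html). This is the link a reader follows when handling a suspected root compromise, so use the https:// form of the URL here, and in the Security-sensitive link under Disable a Root, which uses the same scheme.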
| Line 27: | Line 27: | ||
# The request will go through the [[ CA:How_to_apply#Information_gathering_and_verification|Information Gathering and Verification]], [[CA:How_to_apply#Public_discussion|Public Discussion]], and [[CA:How_to_apply#Inclusion|Inclusion]] phases as described in [[CA:How_to_apply|CA:How_to_apply]]. | # The request will go through the [[ CA:How_to_apply#Information_gathering_and_verification|Information Gathering and Verification]], [[CA:How_to_apply#Public_discussion|Public Discussion]], and [[CA:How_to_apply#Inclusion|Inclusion]] phases as described in [[CA:How_to_apply|CA:How_to_apply]]. | ||
== Enable EV == | |||
The following steps outline the procedure for a CA to request that Extended Validation (EV) be enabled for a root certificate that is currently included in NSS. | The following steps outline the procedure for a CA to request that Extended Validation (EV) be enabled for a root certificate that is currently included in NSS. | ||
| Line 40: | Line 40: | ||
# The request will go through the [[ CA:How_to_apply#Information_gathering_and_verification|Information Gathering and Verification]], [[CA:How_to_apply#Public_discussion|Public Discussion]], and [[CA:How_to_apply#Inclusion|Inclusion]] phases as described in [[CA:How_to_apply|CA:How_to_apply]] | # The request will go through the [[ CA:How_to_apply#Information_gathering_and_verification|Information Gathering and Verification]], [[CA:How_to_apply#Public_discussion|Public Discussion]], and [[CA:How_to_apply#Inclusion|Inclusion]] phases as described in [[CA:How_to_apply|CA:How_to_apply]] | ||
== Disable a Root == | |||
Disabling a root is the act of turning off one or more of the three trust bits (Websites, Email, Code Signing). | Disabling a root is the act of turning off one or more of the three trust bits (Websites, Email, Code Signing). | ||
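Review bot: The last numbered step under Enable EV ends at "[[CA:How_to_apply|CA:How_to_apply]]" with no full stop, while the identical step under Add a Trust Bit ends with one; add the period so the two procedures match. The first link in that step also has a stray space after the opening brackets ("[[ CA:How_to_apply#Information_gathering_and_verification"), which is worth trimming in both places.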
| Line 94: | Line 94: | ||
#* For [http://www.mozilla.org/projects/security/security-bugs-policy.html Security-sensitive] requests the security module owner works with the bug reporter and others to determine when the bug should be opened to public view. For example, this might be done after release of a security update removing the root. | #* For [http://www.mozilla.org/projects/security/security-bugs-policy.html Security-sensitive] requests the security module owner works with the bug reporter and others to determine when the bug should be opened to public view. For example, this might be done after release of a security update removing the root. | ||
== Remove a Root == | |||
Reasons for removing a root certificate may include, but are not limited to: | Reasons for removing a root certificate may include, but are not limited to: | ||