CA/Application Instructions: Difference between revisions

Added section called After Inclusion


Recommendation: I find the "Cert Viewer Plus" Add-On useful for doing this type of testing. After you've installed this add-on, you can open the Certificate Manager from the Tools menu with one click. Also, when you browse to a website and click on the lock to view the details of the certificate chain, it displays the trust bit settings for the root. Additionally, the SHA-1 fingerprint in the Certificate Viewer can be selected and copied.
=== After Inclusion ===
CAs must follow [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/ Mozilla's CA Certificate Maintenance Policy] the entire time they have a root certificate included in the NSS root store.
CAs are required to:
* Annually provide a public-facing statement of attestation of their conformance to the stated verification requirements. ([https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/ section 4])
* Notify Mozilla when their policies and business practices change with regard to verification procedures for issuing certificates, when the ownership control of the CA’s certificate(s) changes, or when ownership control of the CA’s operations changes. ([https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/ section 5])
* Ensure that Mozilla has their current contact information. ([https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/ section 6])
Additionally, CAs must maintain their data in the [[CA:SalesforceCommunity|CA Community in Salesforce]] about:
* All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to a certificate included in Mozilla’s CA Certificate Program that are not technically constrained as described in section 9 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy].
* [[CA:ImprovingRevocation#Preload_Revocations_of_Intermediate_CA_Certificates|Revoked intermediate certificates]].
[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/enforcement/ Mozilla's CA Certificate Enforcement Policy] outlines the actions that Mozilla will take when these requirements are not met by CAs with included root certificates.


== Frequently Asked Questions ==