CA/Application Process: Difference between revisions

From MozillaWiki
Line 16: Line 16:
# A representative of Mozilla [[CA:How_to_apply#Public_discussion | summarizes the discussion and resulting action items.]]
# A representative of Mozilla [[CA:How_to_apply#Public_discussion | summarizes the discussion and resulting action items.]]
# A representative of the CA [[CA:How_to_apply#Public_discussion | completes action items resulting from the public discussion,]] which may include updating processes, documentation, and audits.
# A representative of the CA [[CA:How_to_apply#Public_discussion | completes action items resulting from the public discussion,]] which may include updating processes, documentation, and audits.
# A representative of Mozilla [[CA:How_to_apply#Public_discussion | confirms the completion of the action items and starts the second round of public discussion if needed.]]
# A representative of Mozilla [[CA:How_to_apply#Public_discussion | confirms the completion of the action items and starts a second round of public discussion if needed.]]
# A representative of Mozilla [[CA:How_to_apply#Public_discussion | concludes the public discussion of the CA's request.]]
# A representative of Mozilla [[CA:How_to_apply#Public_discussion | concludes the public discussion of the CA's request.]]
# A representative of Mozilla [[CA:Tentative_approval_template | summarizes the request and states the intent to approve the request for inclusion.]]
# A representative of Mozilla [[CA:Tentative_approval_template | summarizes the request and states the intent to approve the request for inclusion.]]

Revision as of 00:31, 28 July 2011

Secure communication on the internet depends on Certification Authorities (CAs), parties trusted to attest to the identity of websites. Mozilla products ship a default list of CA certificates, which may change with each security patch or new version of the product. The following pages explain how the default list of CA certificates is managed.

Process Overview

It can take as long as two years for a CA to make it from one end of the process to the other. If the CA does not provide requested information in a timely manner, then the application will be delayed much longer, or even cancelled.

The overall steps of the CA certificate inclusion process are as follows.

  1. A representative of the CA submits a request for root inclusion.
    • If you would like to see a particular root certificate included in Mozilla products, then please contact the CA who operates that root certificate.
  2. A representative of the CA provides information about the CA and operation of the root certificate(s).
  3. A representative of Mozilla verifies the information provided by the CA.
  4. A representative of Mozilla adds the request to the queue for public discussion.
  5. Anyone interested in the CA's application participates in discussions of CA requests further up in the queue.
  6. A representative of the CA responds to questions and concerns posted during the public discussion of the CA's request.
  7. A representative of Mozilla summarizes the discussion and resulting action items.
  8. A representative of the CA completes action items resulting from the public discussion, which may include updating processes, documentation, and audits.
  9. A representative of Mozilla confirms the completion of the action items and starts a second round of public discussion if needed.
  10. A representative of Mozilla concludes the public discussion of the CA's request.
  11. A representative of Mozilla summarizes the request and states the intent to approve the request for inclusion.
  12. A representative of Mozilla creates a bug requesting the actual changes in NSS (and PSM for EV treatment).
    • A representative of the CA must confirm that all the data in this bug is correct.
    • A Mozilla representative creates a patch with the updated trust bit, and provides a special test version of Firefox.
    • A representative of the CA uses the test version of Firefox to confirm (by adding a comment in this bug) that the certificate trust bits have been correctly updated.
    • The Mozilla representative requests that another Mozilla representative review the patch.
    • The Mozilla representative adds (commits) the patch to NSS, then closes this bug as RESOLVED FIXED.
    • At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate. This process is mostly under the control of the release drivers for those products.

Ways You Can Help

Our most pressing need is help with reviewing applications. If a CA you care about is in the queue for public discussion, diligently and quickly reviewing the applications of CAs ahead of it is the best way to move it towards inclusion.

Further Reading