CA:RootTransferPolicy: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(Eliminate page; content has moved)
 
(29 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{DRAFT}} Under discussion in mozilla.dev.security.policy
This policy is now part of the main [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla Root Store Policy] (section 8).
= Root Transfer Policy =
The purpose of this page is to document Mozilla’s expectations when the ownership of an included root certificate changes, the organization operating the PKI changes, and/or the private keys of the root certificate are moved to a new location. Throughout such a change, the operation of the root certificate’s private keys and certificate issuance must continue to meet the requirements of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy].
 
== Change in Legal Ownership ==
An example of a change in legal ownership is when one company buys another. This does not necessarily imply that there will be a change in operation of the root certificate or change in location of the root certificate's private keys. The CA should let Mozilla know when there is a change of ownership and the impact to the operation of the root certificate, and must continue to publish their CP/CPS and annual audit statements according to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy].
 
== Physical Relocation ==
Physical relocation of the root certificate's private key may occur when a CA:
* Moves their private keys to another location owned by the CA.
* Transfers the private keys to another CA that already has other root certificates included in Mozilla’s program.
* Transfers the private keys to another CA that does not have root certificates included in Mozilla’s program.
 
In all of these cases, the CA should take the following steps, and [https://www.mozilla.org/en-US/about/governance/policies/security-group/bugs/ immediately notify Mozilla if a problem occurs].
# Make sure the annual audit statements are current, and [mailto:certificates@mozilla.org notify Mozilla of the pending change].
# Create a transfer plan (and legal agreement if more than one CA is involved) and have it reviewed by the auditors.
#* For example, the transfer ceremony should have a documented ceremony witnessed by auditors and recorded (for posterity), with a physical exchange of the HSM and a physical exchange of the multi-party authorization keys.
# Stop new certificate issuance at the current site before the transfer begins.
# Have an audit performed at the current site to confirm when the root certificate is ready for transfer, and to make sure the key material is properly secured.
# At the new site perform an audit to confirm that the transfer was successful, that the private key remained secure throughout the transfer, and that the root certificate is ready to resume issuance (i.e. a PITRA; just as we expect any new root to be audited).
# Send updated CP/CPS and the PITRA statement to Mozilla.
# The regular annual audit statements are still expected to happen within a timely manner, or the root cert may be removed.
 
When the physical relocation involves moving the certificate's private key to another CA, the CA who is transferring the root certificate’s private key must ensure that the transfer recipient is able to fully comply with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy]. The original CA will continue to be responsible for the root certificate until the transfer recipient has provided Mozilla with their Primary Point of Contact, CP/CPS documentation, and audit statement confirming successful transfer of the root.
 
The CA that received the root certificate's private key must follow [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy], and send Mozilla links to the [[CA:Information_checklist#Verification_Policies_and_Practices|public-facing CP/CPS documentation and annual audit statements]].
 
The agreement between the original CA and new CA must take the Websites (SSL/TLS), Email (S/MIME), and Code Signing trust bit settings into account, and the original CA must inform Mozilla if one or more of the trust bits should be turned off. Of course, to turn on a trust bit the new CA will have to go through [[CA:How_to_apply#Enable_Additional_Trust_Bits_for_an_included_root|Mozilla's root change process]].
 
== Personnel Changes ==
Personnel Changes may include one or more of the following.
* Operation of the PKI is transferred to a different organization that is already operating root certificates included in Mozilla’s program.
* Operation of the PKI is transferred to a different organization that does not currently operate a root certificate included in Mozilla’s program.
* The organization operating the PKI remains the same, but the organization personnel report to a new management structure.
 
If transferring the operation of the PKI to a different organization involves physically moving the root certificate's private key, then the steps outlined in the [[CA:RootTransferPolicy#Physical_Relocation | Physical Relocation]] section above must be followed.
 
In all cases, the CA who is transferring the operation of the PKI must ensure that the transfer recipient is able to fully comply with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy]. The original CA will continue to be responsible for the root certificate until the new organization has provided Mozilla with their Primary Point of Contact, CP/CPS documentation, and audit statement confirming successful transfer of the root.
 
The new organization operating the PKI must follow [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s CA Certificate Policy], and send Mozilla links to the [[CA:Information_checklist#Verification_Policies_and_Practices|public-facing CP/CPS documentation and annual audit statements]].

Latest revision as of 15:48, 23 June 2017

This policy is now part of the main Mozilla Root Store Policy (section 8).

Retrieved from "https://wiki.mozilla.org/index.php?title=CA:RootTransferPolicy&oldid=1174519"