CA/Root Store Policy Archive: Difference between revisions

Line 82: Line 82:
** Remove reference to SHA-512 -- {{Bug|1129083}}
** Remove reference to SHA-512 -- {{Bug|1129083}}
** Remove reference to P-512 -- {{Bug|1129077}}
** Remove reference to P-512 -- {{Bug|1129077}}
* Make it very clear that a CA with a root certificate included in Mozilla's program is ultimately responsible for every certificate issued that directly or indirectly chains up to the included certificate. If a CA's subcontractors (RAs, subCAs, ets) have their own practice documentation, it must be inclusive of the CA's practices.
** The subcontractors may have their own practices '''in addition''' to the practices that the CA's CP/CPS impose on them. And the CA's CP/CPS must impose practices that are in line with Mozilla's CA Certificate Policies and CA/Browser Forums Baseline Requirements (depending on the types of certs the function '''is capable''' of issuing).
** The subscontractor may have their own audit, but it is the CA's responsibility to ensure proper auditing is happening, and to publicly disclose such audits according to section 10 of Mozilla's CA Certificate Inclusion Policy.
** The CA is responsible for making sure their subcontractors are acting in accordance with Mozilla's CA Certificate Policy and the BRs, including practices and audits. If it is found that a certificate has been mis-issued in the CA's hierarchy, the CA will be held accountable for the mistake, and the root certificate may be removed according to Mozilla's CA Certificate Enforcement Policy.
* Add requirement for CAs to send Mozilla revoked intermediate certificates by submitting a bug report into the mozilla.org Bugzilla system, filed against the "CA Certificates" component of the "NSS" product. <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates>
* Add requirement for CAs to send Mozilla revoked intermediate certificates by submitting a bug report into the mozilla.org Bugzilla system, filed against the "CA Certificates" component of the "NSS" product. <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates>
** [[CA:ImprovingRevocation#Preload_Revocations_of_Intermediate_CA_Certificates|When to notify Mozilla]]
** [[CA:ImprovingRevocation#Preload_Revocations_of_Intermediate_CA_Certificates|When to notify Mozilla]]
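Review bot: The added subcontractor bullets contain three spelling slips and one undefined term that should be fixed before this wording is carried into policy text. In the first added bullet "ets" should be "etc."; in the third "subscontractor" should be "subcontractor"; in the second "CA/Browser Forums Baseline Requirements" needs the possessive ("CA/Browser Forum's"). The second bullet's "the types of certs the function '''is capable''' of issuing" never says what "the function" is; naming the subject (the RA or subCA) would make the capability-based scoping unambiguous. The bullets also switch between "Mozilla's CA Certificate Policies" and "Mozilla's CA Certificate Policy"; using one form throughout, alongside the specifically named Inclusion and Enforcement policies, would make it clear which document each obligation comes from.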