This page is a proposal only

Current CA Dashboard: https://wiki.mozilla.org/CA/Dashboard
Current CA Bugs Dashboard: https://wiki.mozilla.org/CA/ca-bugs

Why propose change?

• Consistency -- use tags similar to what other teams use: delimit tags with [], use dashes instead of spaces, have a common prefix for related tags.
• Easier for others to understand whiteboard. i.e. "Information Incomplete" might not be accurate, the information could be complete but not fully verified.
• Easier to see which bugs don't have appropriate whiteboard flags, and triage them.
• Need to get better at triaging and tracking CA Program bugs that are not root inclusion/change requests, such as CA Incident Response bugs.
• With other root store operators (e.g. Microsoft) also using Bugzilla for things like audit statements (see below), I will need to make sure the bugs get properly handled.

Bug Triage in Mozilla's CA Certificate Program

Mozilla’s CA Certificate Program governs inclusion of root certificates in Network Security Services (NSS), a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of products.

The Bugzilla product/component for the CA Certificate Program is mozilla.org :: CA Certificates.
Note: When doing CA Program Bug triage, check NSS :: CA Certificates for bugs that should have been filed in mozilla.org :: CA Certificates.

The CA Certificate Program deviates from Mozilla's standardized Bugzilla Bug Triage process by not using bug priorities (P1, P2, P3, or P5), because CA Certificate bugs do not directly include code changes to Mozilla's release trains or iterations. Alternative: We could use P2 and P3 as stated in the Bug Triage wiki page. P2 = Fix in the next release or iteration, so can use this for approved inclusion/change requests. P3=Backlog/tracking, so all CA Certificate bugs in progress would be P3.

CA Certificate bugs are used to track:

• Root inclusion/change requests. When approved, the actual code changes are requested via a new Bugzilla Bug for NSS.
• EV treatment enablement requests. When approved, the actual code changes are requested via a new Bugzilla Bug for PSM.
• Concerns that are raised about certificates being issued by CAs, and the resulting action items for the CAs.
• CA Program related concerns or action items. If it is determined that a code changes is needed, then a separate Bugzilla Bug will be created to request the code change.
• CA Audit statements, when they are not published on webtrust.org, the auditor's website, or the CA's website.

CA Program Whiteboard Tags

Root Inclusion/Change requests and EV Treatment Enablement Requests

• [ca-initial] -- not enough information to begin the Information Verification phase, or not yet assigned to someone to do the Information Verification
• [ca-verifying] -- in Information Verification phase
  • Current query: Whiteboard contains Information incomplete
• [ca-ready-for-discussion yyyy-mm-dd] -- Information Verification phase complete. Ready for public discussion. In parentheses add date when Information Verification phase was completed.
  • Current query: Whiteboard contains ready for public discussion
• [ca-discussion] -- in discussion in the mozilla.dev.security.policy forum.
  • Current query: Whiteboard contains in public discussion
• [ca-discussion-hold] -- discussion on hold, pending CA actions.
  • Current query: Whiteboard contains discussion on hold
• [ca-hold] -- CA's request is on hold, typically because the CA is a super-CA, so all of their subCAs have to achieve inclusion first.
  • Current query: Whiteboard contains super CA
• [ca-pending-approval] -- final notice of intent to approve the CA's request
  • Current query: Whiteboard contains pending approval
• [ca-approved] -- request is approved, pending code changes in NSS
  • Current query: Whiteboard contains approved
• [ca-approved-ev] -- request is approved, certs are in NSS, pending code changes in PSM
  • Current query: Whiteboard contains awaiting PSM

CA Certificate Issuance Problems and Incidents

• [ca-investigation] -- Concern has been raised about certificates that a CA has issued. Investigation and/or discussion in progress.
  • Current query: Whiteboard contains Incident Reported
• [ca-incident-response] -- The concern about a CA's certificates has been confirmed, and the CA has follow-up action items
  • Current query: Whiteboard contains Incident Action Items
  • Whiteboard hasn't yet been updated for all of these types of bugs.
• [ca-compliance] -- The concern about a CA's certificates is in regards to failure to comply with Mozilla policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern.
  • Current query: Whiteboard contains BR Compliance

CA Program Process or Policy Related Bugs

• [ca-program] -- bugs related to CA Program process, wiki pages, or policy. Note that most CA Program Policy issues are tracked in github.

CA Audit Statement Bugs

• [ca-audits] -- One bug may be created per CA to store audit statements that are not published on webtrust.org, the auditor's website, or the CA's website.
  • Make sure the bug has the correct product/component for the CA Certificate Program, which is mozilla.org :: CA Certificates
  • After adding [ca-audits] to the Whiteboard, Close bug as RESOLVED | WORKSFORME, with comment "Closing this bug, but this bug may continue to be used for tracking this CA's annual audit statements."