CA:CommonCADatabase:RootStoreOperators: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
m (Adding agreement)
(Moved content to ccadb.org)
 
Line 1: Line 1:
= Root Store Operators using Mozilla's Common CA Database =
= Root Store Operators using Mozilla's Common CA Database =
Mozilla maintains a [[CA:CommonCADatabase|Common CA Database]] for communicating with [https://en.wikipedia.org/wiki/Certificate_authority Certification Authorities (CAs)] and managing CA data.
<br />
A '''Root Store Member''' is any root store operator participating in the Common CA Database via the "Mozilla Common CA Database Agreement".
The content of this page has been moved to http://ccadb.org/
A '''CA Member''' is any CA participating in the Common CA Database via [https://www.salesforce.com/communities/features/ Community licenses], subject to Mozilla policies. [[CA:SalesforceCommunity#Data_that_CAs_can_Add.2FModify|CA Members]] have restricted access to certain parts of the data in the Common CA Database. CAs can only modify the data regarding intermediate certificates chaining up to their own root certificates. They have read-only access to root certificate data, and they do not have access to Cases regarding root inclusion/change requests.
<br />


== Background ==
== Background ==
Manually maintaining data in spreadsheets for all of the included root certificates is time consuming and error-prone, and the data tends to get out of date. Mozilla has customized the Common CA Database to manage data about [[CA:PendingCAs|pending]] and [[CA:IncludedCAs|included]] root certificates in one place without having to use cumbersome spreadsheets. Mozilla’s Common CA Database:
<br />
* Makes the CA program more transparent, exposing the data more clearly.
The content of this section has been moved to http://ccadb.org/rootstores/why
* Automates notification to CAs when updated audit statements are due.
<br />
* Enables multiple people to share in the maintenance of the CA and subCA data (CP/CPS links, Audit links/dates/auditor qualifications, Points of Contact, etc.)
* Automates sending of communications to CAs and receiving and analyzing their responses.
* Makes it easier to review information and status associated with the CA’s root inclusion requests.
 
While maintaining good root stores is important and necessary to help keep end users safe, it is not done for profit and is not a strategic area for core business. Much of the data that the root store operators maintain for their CA programs is common and public data. Having root store operators participate in the Common CA Database will pave the way for better management of root and subordinate certificates, making the internet safer for everyone.
 
With the Common CA Database:
* CAs can apply for root inclusion once to multiple root stores (similar to [https://en.wikipedia.org/wiki/Common_Application College Common Application]), indicate which root stores they are applying for, and the Root Store Members will make independent decisions about which CA certificates to include in their root stores.
* CA Members will be able to directly provide information about their [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|non-technically-constrained intermediate certificates]], and the root store operators will be able to share in the responsibility of verifying the data, enabling them to do more with the data to ensure the safety of internet users.
** An organization with a non-technically-constrained intermediate certificate chaining up to a publicly trusted root certificate is capable of issuing [https://support.mozilla.org/ta/kb/secure-website-certificate secure website certificates] to anyone for any domain. Therefore, it is important that we ensure that all non-technically-constrained intermediate certificates chaining up to a trusted root certificate have sufficient Certificate Policy and Practice Statements, are properly operated, and are audited annually. [http://www.certificate-transparency.org/ Certificate Transparency (CT)] can tell us about the data in publicly-used intermediate certificates, but it cannot tell us about the corresponding policies, operation, and auditing.
*** There are too many such intermediate certificates for one person to directly manage, so we need CAs to manage their data directly.
*** If every CA provides their own data in their own way, we won't be able to reasonably collect, maintain, and use that data.
*** It would be burdensome to the CAs if they have to provide the data in different ways to each root store operator.
 
'''Important Note:''' Some of the capabilities listed above refer to planned work, and are not yet implemented.


== Membership ==
== Membership ==
Root Store Members will:
<br />
* Have access to Mozilla's Common CA Database.
The content of this section has been moved to http://ccadb.org/rootstores/how
* Share (via the Common CA Database) their findings in verifying data related to root and intermediate certificates; including annual audits, policy documentation, contact information, etc.
<br />
* Independently operate and make decisions on root inclusion/change requests, and verify audit data for their root stores.
* Make root-store-specific customizations to the Common CA Database (subject to  Mozilla’s approval).
* Propose and help design customizations to the Common CA Database that impact all participants (subject to Mozilla’s approval).
* Share in the cost of maintaining the Common CA Database, including, for example, costs imposed by the underlying CRM (e.g. licenses for root store members and CAs), maintenance costs, and any shared customizations to the Common CA Database.
* Publish data relating to the root certificates included in their programs.
 
Root Store Members of the Common CA Database may meet by teleconference or face-to-face meetings for the purpose of discussing improvements or changes to the operation of the Common CA Database. Such discussions should not include competitively-sensitive information. Mozilla shall not be responsible for the expenses of any such teleconferences or meetings.
 
=== Membership Requirements ===
Root Store Members shall meet all of the following minimum criteria:
* The member organization is a browser manufacturer or developer of software that includes trusted root certificates, and produces a software product intended for use by the general public.
* Applicants for membership must agree to Mozilla’s Common CA Database Agreement.
** [[File:MozillaCommonCADatabaseAgreement.pdf|Mozilla's Common CA Database Agreement]]
* Applicants must comply with terms governing the Common CA Database.
 
In addition, participation in the Common CA Database is at Mozilla’s discretion. Mozilla reserves the right not to include a particular root store operator in the Common CA Database, and not to issue a license to the Common CA Database for any or no reason, including without limitation cases where we believe that including or issuing a license to a root store operator would interfere with the operation or security of the Common CA Database, or would breach our agreements with the underlying CRM.
 
=== Membership Application ===
If you are a browser manufacturer or developer of software that includes trusted root certificates, you may wish to consider joining the CA Community as a Root Store Member. To begin the process, submit your application by sending email to certificates@mozilla.org.
Here are the points you should address in your application:
* Written confirmation that you produce a software product that includes trusted root certificates, and is intended for use by the general public.
* The organization name, as you wish it to appear in the Common CA Database and in official documents
* The URL of your main Web site
* Names and email addresses of your employees who will participate in the Common CA Database (Full names and nicknames with surnames will be helpful in future communications).
* Emergency contact information for security issues related to certificate trust lists (Email addresses, at least one telephone number, and full names and nicknames with surnames will be helpful in future communications).
* The following information for the person who has the authority to sign [[File:MozillaCommonCADatabaseAgreement.pdf|Mozilla's Common CA Database Agreement]] on behalf of your organization.
** Signatory information (name, email address, title)
** Legal entity name and address
** Names and email addresses of anyone who needs to be cc'd on the agreement.
If there are any questions about your application, we will get back to you. Otherwise, once we have received this information, Mozilla will make a determination on whether to include your organization as a Root Store Member and communicate its determination to you, along with any information about your membership and participation.


== Customizing the Common CA Database ==
== Customizing the Common CA Database ==
The customizations that Mozilla has applied to the Common CA Database are available in [https://github.com/CACommunity/Salesforce GitHub].
<br />
 
The content of this section has been moved to http://ccadb.org/rootstores/usage
A Root Store Member may make customization changes that only impact itself. Before being applied to the production instance of the Common CA Database, changes will be reviewed and tested by Mozilla (or its representative), including to ensure that the changes will not negatively impact any of the other Members or the Common CA Database. Mozilla will either approve or decline the proposed changes. If the changes are approved, then a Mozilla representative will apply the changes to the production instance of the Common CA Database. If the changes are denied, then the Mozilla representative will provide an explanation, and the Member organization may submit the customizations again after addressing the feedback.
<br />
 
Root Store Members may request customization changes that impact shared data and interfaces. Mozilla (or its representative) will review, and approve or deny such requests. If the request is approved, Mozilla will prioritize the requested changes, and work with the members to design and test the changes in a sandbox environment before applying them to the production instance of the Common CA Database.
 
== Cost ==
The cost of operating and maintaining the Common CA Database will be shared among the Root Store Members. Mozilla’s goal in sharing the Common CA Database is to improve the quality of the CA data and help keep end users safe. It is expressly not a goal of Mozilla to make money from sharing the Common CA Database.
 
We currently expect the following types of costs will be shared among Root Store Members:
* Subscription fees and other costs imposed by the underlying CRM (e.g., Community and Enterprise license costs).
* Costs of implementing shared customizations to the interface or data.
* Maintenance costs.
These categories of costs are subject to change.
 
== Data ==
Root Store Members may store the following types of data in the Common CA Database, as it pertains to the management of their root store programs.
* CA and subordinate CA certificate data
* Contact information for CA Owners (Name, Phone Number, Email Address, Physical Address, etc.)
* URLs to public-facing sites and documents
* URLs to internal-facing sites and documents (provided the URLs are not confidential)
* Root store specific status and decisions regarding root inclusion/change requests
* Dates and Comments relating to root and intermediate certificates
 
Root Store Members shall '''not''' store the following types of data in the Common CA Database.
* Confidential data
* Documents; e.g. PDF, Excel, MS Word, etc.
* Pictures; e.g. GIF, JPEG, etc.
 
Data pertaining to Mozilla’s root store is automatically published, and is available from the following sites.
* https://wiki.mozilla.org/CA:IncludedCAs
* https://wiki.mozilla.org/CA:PendingCAs
* https://wiki.mozilla.org/CA:RemovedCAcerts
* https://wiki.mozilla.org/CA:SubordinateCAcerts
* https://wiki.mozilla.org/CA:RevokedSubCAcerts
* https://wiki.mozilla.org/CA:Communications

Latest revision as of 23:07, 8 June 2017

Root Store Operators using Mozilla's Common CA Database


The content of this page has been moved to http://ccadb.org/

Background


The content of this section has been moved to http://ccadb.org/rootstores/why

Membership


The content of this section has been moved to http://ccadb.org/rootstores/how

Customizing the Common CA Database


The content of this section has been moved to http://ccadb.org/rootstores/usage

Retrieved from "https://wiki.mozilla.org/index.php?title=CA:CommonCADatabase:RootStoreOperators&oldid=1173033"