Confirmed users
518
edits
CA/Certificate Change Process: Difference between revisions
CA/Certificate Change Process (view source)
Revision as of 17:22, 13 November 2023
, 13 November 2023→Remove or Disable a Root: Updated with information about security incident reporting
(→Remove or Disable a Root: Updated security bug link) |
(→Remove or Disable a Root: Updated with information about security incident reporting) |
||
| Line 58: | Line 58: | ||
Reasons for removing or disabling a root certificate may include: | Reasons for removing or disabling a root certificate may include: | ||
* Security Compromise | * [https://wiki.mozilla.org/CA/Vulnerability_Disclosure Security Compromise] | ||
* Expired or Expiring CA | * Expired or Expiring CA | ||
* Small modulus key length | * Small modulus key length | ||
| Line 68: | Line 68: | ||
'''Important:''' Root changes that are motivated by a serious security concern such as a root compromise should be treated as a security-sensitive bug, and a [https://bugzilla.mozilla.org/enter_bug.cgi?product=CA%20Program&component=CA%20Security%20Vulnerability&groups=ca-program-security secure bug filed in Bugzilla]. | '''Important:''' Root changes that are motivated by a serious security concern such as a root compromise should be treated as a security-sensitive bug, and a [https://bugzilla.mozilla.org/enter_bug.cgi?product=CA%20Program&component=CA%20Security%20Vulnerability&groups=ca-program-security secure bug filed in Bugzilla]. | ||
Otherwise, the ordinary or usual process for removing or disabling a root in NSS is as follows: | |||
# Initiate the request: | # Initiate the request: | ||
#* [https://bugzilla.mozilla.org/enter_bug.cgi?&component=CA%20Certificate%20Root%20Program&product=CA%20Program&short_desc=Remove%20%5Byour%20CA%27s%20name%5D%20root%20certificate%28s%29 File a bug in Bugzilla] with the following information: | #* [https://bugzilla.mozilla.org/enter_bug.cgi?&component=CA%20Certificate%20Root%20Program&product=CA%20Program&short_desc=Remove%20%5Byour%20CA%27s%20name%5D%20root%20certificate%28s%29 File a bug in Bugzilla] with the following information: | ||
| Line 87: | Line 87: | ||
#* The bug may be marked as security-sensitive. Security-sensitive bugs can be viewed only by a select set of Bugzilla users, not by the general public. | #* The bug may be marked as security-sensitive. Security-sensitive bugs can be viewed only by a select set of Bugzilla users, not by the general public. | ||
#** The security module owner works with the bug reporter and others to determine when the bug should be opened to public view. For example, this might be done after release of a security update changing the trust bits of the root. | #** The security module owner works with the bug reporter and others to determine when the bug should be opened to public view. For example, this might be done after release of a security update changing the trust bits of the root. | ||
#* In most situations an authoritative representative of the CA must request or approve the change. Mozilla reserves the right to approve the change without the consent of the CA. | #* In most situations, an authoritative representative of the CA must request or approve the change. Mozilla reserves the right to approve the change without the consent of the CA. | ||
# The bug will be assigned to the Mozilla representative who is appointed to evaluate the request. This will usually be the [[Modules/Activities#CA_Certificates|CA Certificates Module Owner]]. | # The bug will be assigned to the Mozilla representative who is appointed to evaluate the request. This will usually be the [[Modules/Activities#CA_Certificates|CA Certificates Module Owner]]. | ||
# The Mozilla representative will ensure the necessary information has been provided. | # The Mozilla representative will ensure the necessary information has been provided. | ||
| Line 99: | Line 99: | ||
#** Two Mozilla staff members, if the CA is not in agreement. | #** Two Mozilla staff members, if the CA is not in agreement. | ||
# The Mozilla representative will deliver any preliminary decisions | # The Mozilla representative will deliver any preliminary decisions | ||
#* It may be necessary to treat the bug as a sensitive security issue and follow the [http://www.mozilla.org/projects/security/security-bugs-policy.html Mozilla Policy for Handling Security Bugs] | #* It may be necessary to treat the bug as a sensitive security issue and follow the [http://www.mozilla.org/projects/security/security-bugs-policy.html Mozilla Policy for Handling Security Bugs] or the '''[https://wiki.mozilla.org/CA/Vulnerability_Disclosure root program's security incident reporting process]'''. | ||
# Implementation | # Implementation | ||
#* If the resulting decision is to change the root certificate, the Mozilla representative will create a corresponding NSS bug to make the actual changes in NSS, and mark that bug as blocking the original change request. | #* If the resulting decision is to change the root certificate, the Mozilla representative will create a corresponding NSS bug to make the actual changes in NSS, and mark that bug as blocking the original change request. | ||