(added another step regarding unacceptable and concerning behaviors raised during discussion.) |
(Added or moved information about the root inclusion process) |
Line 6: | Line 6: | ||
CAs must carefully consider whether their root certificate needs to be [[CA/Included_Certificates|directly included in Mozilla's root store]] or if it would be better to be a [[CA/Intermediate_Certificates|subordinate CA of an already-included CA]]. | CAs must carefully consider whether their root certificate needs to be [[CA/Included_Certificates|directly included in Mozilla's root store]] or if it would be better to be a [[CA/Intermediate_Certificates|subordinate CA of an already-included CA]]. | ||
[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy] states: "We will determine which CA certificates are included in Mozilla's root program based on the risks of such inclusion to typical users of our products." Including any CA carries a level of risk that is measured, in part, by the past record of the CA (or lack thereof), their responsiveness (or lack thereof), and the level of competence and precision demonstrated by the CA during the inclusion process. In some cases, a better alternative is to be a [[CA/Intermediate_Certificates|subordinate CA]] of a CA | [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy] states: "We will determine which CA certificates are included in Mozilla's root program based on the risks of such inclusion to typical users of our products." Including any CA carries a level of risk that is measured, in part, by the past record of the CA operator (or lack thereof), their responsiveness (or lack thereof), and the level of competence and precision demonstrated by the CA operator during the inclusion process. In some cases, a better alternative is to be a [[CA/Intermediate_Certificates|subordinate CA]] of a CA that is already [[CA/Included_Certificates|included in Mozilla's root store]]. | ||
Having a root certificate you control included in Mozilla's root store is a major ongoing responsibility; it is '''not''' a one-time effort. It means that, in the normal case, the world will trust you to correctly issue digital certificates identifying any website and/or email address. There will be associated costs in maintaining the required security infrastructure, keeping up-to-date with evolving technical and procedural requirements, and conducting audits on an annual basis. After a CA has a certificate included in Mozilla's root store, it is expected that the CA will continue to be aware of ongoing discussions in [https://groups.google.com/a/mozilla.org/g/dev-security-policy the Mozilla dev-security-policy list] and [https://groups.google.com/a/ccadb.org/g/public the CCADB discussion group] and updates to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy]. The CA is required to | It is the responsibility of new applicants to justify why their root certificate needs to be included in Mozilla's root store and to explain why the inclusion will not introduce undue risk for Mozilla users. See the Mozilla wiki page [[CA/Quantifying_Value|"Quantifying Value: Information Expected of New Applicants"]]. | ||
Having a root certificate you control included in Mozilla's root store is a major ongoing responsibility; it is '''not''' a one-time effort. It means that, in the normal case, the world will trust you to correctly issue digital certificates identifying any website and/or email address. There will be associated costs in maintaining the required security infrastructure, keeping up-to-date with evolving technical and procedural requirements, and conducting audits on an annual basis. After a CA operator has a CA certificate included in Mozilla's root store, it is expected that the CA operator will continue to be aware of ongoing discussions in [https://groups.google.com/a/mozilla.org/g/dev-security-policy the Mozilla dev-security-policy list] and [https://groups.google.com/a/ccadb.org/g/public the CCADB discussion group] and updates to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy]. The CA is required to submit regular program updates to Mozilla via the [https://ccadb.org/ Common CA Database (CCADB)], including annual updates to their policy and audit documentation. | |||
= Process Overview = | = Process Overview = | ||
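Review bot: the closing sentence of the revised paragraph still reads "The CA is required to submit regular program updates", although every other reference to the responsible party in this change was renamed to "CA operator". Suggest "The CA operator is required to submit regular program updates" so the obligation falls on the same party named in the rest of the paragraph. Separately, the new paragraph on justifying inclusion says "new applicants" here, while the step added later in this revision capitalizes "New Applicants"; pick one form.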
Line 17: | Line 19: | ||
* Turn on additional trust bits for an already-included root certificate | * Turn on additional trust bits for an already-included root certificate | ||
Approval of one root certificate does '''not''' imply that other root certificates owned by the same CA would be accepted. | Approval of one root certificate does '''not''' imply that other root certificates owned by the same CA operator would be accepted. | ||
It typically takes up to '''two years''' for a new CA to make it from one end of the process to the other. If the CA does not provide requested information in a timely manner, then the application can take even longer, or may be cancelled. | It typically takes up to '''two years''' for a new CA to make it from one end of the process to the other. If the CA does not provide requested information in a timely manner, then the application can take even longer, or may be cancelled. | ||
Line 31: | Line 33: | ||
#** All information provided by the CA must be publicly available. | #** All information provided by the CA must be publicly available. | ||
#** If the CA contracts to another organization to help with the root inclusion request, the representative of the CA must clarify that relationship in their request, and must provide clear information about who the ongoing [[CA/Information_Checklist#CA_Primary_Point_of_Contact_.28POC.29|points-of-contact]] will be for the CA. | #** If the CA contracts to another organization to help with the root inclusion request, the representative of the CA must clarify that relationship in their request, and must provide clear information about who the ongoing [[CA/Information_Checklist#CA_Primary_Point_of_Contact_.28POC.29|points-of-contact]] will be for the CA. | ||
# A representative of Mozilla or another Root Store Member of the CCADB [[CA/Application_Verification#Information_Verification|confirms all information was provided by the CA]]. | #** New Applicants must submit a [[CA/Quantifying_Value|Value Justification]]. | ||
#** All Applicants must have a [https://www.ccadb.org/cas/self-assessment CCADB Self Assessment] that is not older than 365 days. | |||
# A representative of Mozilla or another Root Store Member of the CCADB [[CA/Application_Verification#Information_Verification|confirms all information was provided by the CA]]. | |||
#* Refer to [https://www.ccadb.org/cas/public-group#root-inclusion-public-discussion "Prerequisites" to public discussion], which is conducted on the [https://groups.google.com/a/ccadb.org/g/public CCADB Public discussion list]. | |||
# [[CA/Application_Verification#Public_discussion|Public discussion]] for a six-week period begins on the [https://groups.google.com/a/ccadb.org/g/public CCADB discussion list]. If no concerns are raised during that time period, then the discussion may close and the request may proceed to the "last call" and approval phases. | # [[CA/Application_Verification#Public_discussion|Public discussion]] for a six-week period begins on the [https://groups.google.com/a/ccadb.org/g/public CCADB discussion list]. If no concerns are raised during that time period, then the discussion may close and the request may proceed to the "last call" and approval phases. | ||
# During the public-discussion phase, a representative of Mozilla, another Root Store Member of the CCADB, or the Community (as agreed by a Mozilla representative) may perform a [[CA/Application_Verification#Detailed_Review|detailed review of the CA’s CP/CPS and audit documents]]. During this phase, the CA may be required to update their CP/CPS and audit documents to become fully aligned with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy]. | # During the public-discussion phase, a representative of Mozilla, another Root Store Member of the CCADB, or the Community (as agreed by a Mozilla representative) may perform a [[CA/Application_Verification#Detailed_Review|detailed review of the CA’s CP/CPS and audit documents]]. During this phase, the CA may be required to update their CP/CPS and audit documents to become fully aligned with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy]. |
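Review bot: the added item "All Applicants must have a CCADB Self Assessment that is not older than 365 days" does not say which date the 365 days are measured against (submission of the request, information verification, or the start of public discussion). The page states elsewhere that the process typically takes up to two years, so a self-assessment that is current at submission can pass the limit before public discussion begins; state the reference date and whether the applicant must refresh the document. Also, the added sub-item names the "CCADB Public discussion list" while the next step links the same URL as the "CCADB discussion list"; use one name for both.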