m (→Bugzilla Bug: Updated Bug-filing details) |
(Added references to CCADB Public list) |
||
Line 11: | Line 11: | ||
The root CA operator MUST complete the following process and receive written approval from Mozilla before a non-technically-constrained (according to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#53-intermediate-certificates MRSP section 5.3]) externally-operated subordinate CA begins issuing certificates under the conditions stated in section 8.4 of [https://www.mozilla.org/projects/security/certs/policy/ MRSP]. | The root CA operator MUST complete the following process and receive written approval from Mozilla before a non-technically-constrained (according to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#53-intermediate-certificates MRSP section 5.3]) externally-operated subordinate CA begins issuing certificates under the conditions stated in section 8.4 of [https://www.mozilla.org/projects/security/certs/policy/ MRSP]. | ||
This approval process is essentially the same approval [[CA/Application_Process#Process_Overview|process used for root inclusion requests]], with the main difference being that the root CA operator collects the information from the potential subordinate CA operator, creates a corresponding Bugzilla Bug, and provides the results of their own detailed review. Then a Mozilla representative or a CA Community representative (as agreed by the Mozilla representative) will perform an additional detailed review of the subordinate CA’s CP/CPS and audit documents and provide their findings in the Bugzilla Bug. Then a representative of Mozilla starts a discussion in [https://groups.google.com/a/mozilla.org/g/dev-security-policy MDSP] as described in the [[CA/External_Sub_CAs#Public_Discussion|Public Discussion]] section below. | This approval process is essentially the same approval [[CA/Application_Process#Process_Overview|process used for root inclusion requests]], with the main difference being that the root CA operator collects the information from the potential subordinate CA operator, creates a corresponding Bugzilla Bug, and provides the results of their own detailed review. Then a Mozilla representative or a CA Community representative (as agreed by the Mozilla representative) will perform an additional detailed review of the subordinate CA’s CP/CPS and audit documents and provide their findings in the Bugzilla Bug. Then a representative of Mozilla starts a three-week discussion in [https://groups.google.com/a/mozilla.org/g/dev-security-policy MDSP] or in the [https://groups.google.com/a/ccadb.org/g/public CCADB Public list] as described in the [[CA/External_Sub_CAs#Public_Discussion|Public Discussion]] section below. | ||
Approval of one type of certificate issuance (e.g. email) for a subordinate CA operator does '''not''' imply that another type of certificate issuance (e.g. TLS) would be approved for the same CA operator. | Approval of one type of certificate issuance (e.g. email) for a subordinate CA operator does '''not''' imply that another type of certificate issuance (e.g. TLS) would be approved for the same CA operator. | ||
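Review bot: In the changed sentence, "a three-week discussion in MDSP or in the CCADB Public list" leaves open who chooses the venue and how reviewers following the Bugzilla Bug learn which list carries the thread. Consider stating that the Mozilla representative selects one list and links the thread from the bug. The sentence still defers to the Public Discussion section "below", so that section should be checked to carry the same three-week period and both venues, otherwise the two descriptions will disagree.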
Line 31: | Line 31: | ||
|| 3 | || 3 | ||
|- | |- | ||
| Start a [[CA/External_Sub_CAs#Public_Discussion|public discussion]] in [https://groups.google.com/a/mozilla.org/g/dev-security-policy MDSP] summarizing the request and providing links to documentation and evaluations. || '''Representative of Mozilla''' || 4 | | Start a [[CA/External_Sub_CAs#Public_Discussion|public discussion]] in [https://groups.google.com/a/mozilla.org/g/dev-security-policy MDSP] or [https://groups.google.com/a/ccadb.org/g/public CCADB Public] summarizing the request and providing links to documentation and evaluations. || '''Representative of Mozilla''' || 4 | ||
|- | |- | ||
| Discussion proceeds and the root CA Operator or the potential subordinate CA operator responds to questions and concerns || Root CA Operator or potential subordinate CA operator || 5, 6, 7, 8 | | Discussion proceeds and the root CA Operator or the potential subordinate CA operator responds to questions and concerns || Root CA Operator or potential subordinate CA operator || 5, 6, 7, 8 |
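Review bot: The new table row labels the second venue "CCADB Public", while the paragraph changed at Line 11 labels the same link "CCADB Public list"; use one name for it throughout. The row also omits the three-week duration that the paragraph now states, so either add it here or leave the duration to the Public Discussion section alone so it is defined in one place.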