CA/Bug Triage
CA Program Bugzilla Dashboards
- CA Inclusion/Update Requests: https://wiki.mozilla.org/CA/Dashboard
- CA Mis-Issuance Bugs: https://wiki.mozilla.org/CA/ca-bugs
Bug Triage in Mozilla's CA Certificate Program
Mozilla’s CA Certificate Program governs inclusion of root certificates in Network Security Services (NSS), a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of products.
The Bugzilla products/components related to the CA Certificate Program are:
- mozilla.org :: CA Certificate Mis-Issuance - Problems found in certificates issued by Certificate Authorities included in the default certificate store.
  - Concerns that are raised about certificates being issued by CAs, and the resulting action items for the CAs.
- mozilla.org :: CA Certificates - For Certificate Authorities to file requests asking for their certificates to be included in the default certificate store.
  - Root inclusion/change requests. When approved, the actual code changes are requested via a new Bugzilla Bug for NSS.
  - EV treatment enablement requests. When approved, the actual code changes are requested via a new Bugzilla Bug for PSM.
  - CA Audit statements, when they are not published on webtrust.org, the auditor's website, or the CA's website.
  - CA Program related concerns or action items.
  - Requests to add certs to OneCRL.
- NSS :: CA Certificates - For actual code changes to NSS. Kathleen should be the only person filing these bugs on behalf of the CA Program.
The CA Certificate Program deviates from Mozilla's standardized Bugzilla Bug Triage process by not using bug priorities (P1, P2, P3, or P5), because CA Certificate bugs do not directly include code changes to Mozilla's release trains or iterations.
CA Program Whiteboard Tags
CA Certificate Issuance Problems and Incidents
To report a concern about certificates being issued by a CA in Mozilla's Program:
The bug summary should begin with the CA name, so sorting the bugs by Summary will sort the bugs by CA.
Open CA Mis-Issuance bugs: https://wiki.mozilla.org/CA/ca-bugs
The whiteboard tags for mozilla.org :: CA Certificate Mis-Issuance are:
- [ca-investigation] -- Concern has been raised about certificates that a CA has issued. Investigation and/or discussion in progress.
- [ca-incident-response] -- The concern about a CA's certificates has been confirmed, and the CA has follow-up action items.
- [ca-compliance] -- The concern about a CA's certificates relates to a failure to comply with Mozilla policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern.
Root Inclusion/Change requests and EV Treatment Enablement Requests
A representative of a CA may begin the process of root inclusion, change, or EV enablement by filing a Bugzilla Bug as described here:
The whiteboard tags for mozilla.org :: CA Certificates are:
- [ca-initial] -- not enough information to begin the Information Verification phase, or not yet assigned to someone to do the Information Verification
- [ca-verifying] -- in Information Verification phase
- [ca-ready-for-discussion yyyy-mm-dd] -- Information Verification phase complete. Ready for public discussion. In parentheses add date when Information Verification phase was completed.
- [ca-in-discussion] -- in discussion in the mozilla.dev.security.policy forum.
- [ca-discussion-hold] -- discussion on hold, pending CA actions.
  - Current query: Whiteboard contains discussion on hold
- [ca-hold] -- CA's request is on hold, typically because the CA is a super-CA, so all of their subCAs have to achieve inclusion first.
- [ca-pending-approval] -- final notice of intent to approve the CA's request
  - Current query: Whiteboard contains pending approval
- [ca-approved] -- request is approved, pending code changes in NSS, also including certs which are in NSS and pending code changes in PSM
  - Current query: Whiteboard contains approved
  - Current query: Whiteboard contains awaiting PSM
CA Audit Statement Bugs
- [ca-audits] -- One bug may be created per CA to store audit statements that are not published on webtrust.org, the auditor's website, or the CA's website.
  - Link to create ca-audit bug
  - Make sure the bug has the correct product/component for the CA Certificate Program, which is mozilla.org :: CA Certificates.
  - After adding [ca-audits] to the Whiteboard, close the bug as RESOLVED | WORKSFORME, with the comment "Closing this bug, but this bug may continue to be used for tracking this CA's annual audit statements."
CA Program Process or Policy Related Bugs
- [ca-program] -- bugs related to CA Program process, wiki pages, or policy. Note that most CA Program Policy issues are tracked on GitHub.
Certificate Revocation Related Bugs
- [ca-onecrl] -- bugs related to updating entries in OneCRL. Under normal circumstances a Bugzilla Bug is not needed for this. Rather, the CA should report the revocation via the Common CA Database.