CA:Root Removal Policy Notes
Mozilla CA Root Removal Policy Notes
The purpose of this wiki page is to gather input on creating a policy for removing CA root certificates from NSS. This page is open to everyone, so please add your input/comments directly. Adding content is greatly appreciated; please don’t delete anything, but instead add a comment if you think something should be removed.
Summary and Policy Rationale
CA root certificates may need to be removed from NSS for one or more of the following reasons:
- Security Compromise
- Expired or Expiring CA
- Small modulus key length; NIST recommends that 1024-bit roots be phased out by the end of 2010
- Outdated signing key algorithm, such as MD2 and MD5
- Transition/Rollover to new root completed
- Legacy, no longer in use
- The CA has requested (via a bug report) a site certificate to be removed
Goals of Policy/Process:
- To have a completely open and public process, with public posting of all policy drafts and public discussion of what should go into the policy.
- To make explicit all the underlying rationales for why the policy is the way it is, including referencing available third-party documents that support particular policy decisions.
- To make an effort to get input from people who don't normally participate in mozilla.dev.security.policy discussions, including the development teams for Firefox, Thunderbird, SeaMonkey, Camino, and other Mozilla-based products, as well as representatives of CAs.
- To create a policy that is clear and understandable, is the product of a transparent public process, can be justified as reasonable given the current state of knowledge in the crypto/PKI/CA world, and is compatible with the general way we operate in the Mozilla project.
Comments:
- It doesn't hurt anything to leave roots in NSS past their expiration date, and it is occasionally useful for validating signatures on old emails, etc. For a CA whose ONLY purpose is to issue SSL server certs, which have no long term use after they expire, I see no reason to keep them after they expire. But email and code signing certs are different, because they validate signatures on long lived things (emails, code files) long after.
- I also think that we should not remove a cert before its expiration unless the CA has utterly repudiated that cert (e.g. declared a compromise).
- What’s the best way to get input from people who don’t normally participate in mozilla.dev.security.policy discussions?
- A root certificate cannot be added to NSS without a request from the CA. A request from the CA to remove a root certificate should be treated as if the original request to add it was then withdrawn. The CA should not be required to express a reason for the request to remove the certificate. The CA might have a reason that precludes actually revoking the certificate. However, legacy uses of mail and code-signing certificates can indeed create a need for a certificate to remain in use despite the CA's request. Thus, the CA's request should prevail only for site certificates; for mail and code-signing certificates, the action should be to remove the trust bit for sites instead of removing the certificate itself.
Suggestions about what the policy should include
Information that the policy should include:
- Which root certificates should be removed, and when:
- Reasons a root certificate may be removed:
  - Security Compromise
  - Expired or Expiring CA
  - Small modulus key length (1024 or smaller)
  - Outdated signing key algorithm, such as MD2 or MD5
  - Transition/Rollover to new root completed
  - Legacy, no longer in use
- Actions that the CA is required to perform before a root certificate may be removed.
  - provide ?
  - publicly disclose information about ?
  - prior to removing the CA certificates, verify ?
- Required notifications when a root certificate is to be removed, for example:
  - For security compromise or legacy reasons, the CA should be notified.
  - Other?
Comments:
Suggestions about the Policy Language
Using much of the text from the Mozilla CA Policy, I have created the shell for the Removal Policy:
http://www.mozilla.org/projects/security/certs/removal-policy/
Please add your comments/recommendations about the text in the removal-policy here.
Comments:
- In the case of security compromise or legacy roots, we probably don’t want to depend on the CA filing a bug to request removal. On the other hand, I’m sure a CA would not want some random person to be able to file a root certificate removal request on their behalf. Should it be limited to an official representative of either the CA or Mozilla?
Suggestions about the Process
High level process for removal of a root certificate:
- CA or Mozilla representative files bug
- Mozilla representative ensures necessary information provided
- Public discussion on mozilla.dev.security.policy
- Approval (or not)
- Assignment of bug to appropriate person for actual changes to NSS
- Test
- Notification
Comments:
- Should the root cert actually be removed from NSS? Or is there another alternative that would enable an appropriate error message to be returned when an attempt is made to use a “removed” root cert?
- Mozilla should have a rapid response plan for removing a compromised root, and corresponding procedures to test the removal.
- When a CA requests a root certificate to be removed (a site certificate), should the removal be delayed by this process? The only process that should be required is to authenticate the source of the request.