(Change section 10 regarding how subCA disclosure happens)
(Codify when CAs must notify Mozilla)
Line 115: | Line 115: | ||
=== Accountability === | === Accountability === | ||
* Codify requirements about when CAs must contact Mozilla about security failures. | |||
** Per [https://groups.google.com/d/msg/mozilla.dev.security.policy/0hy5rR2PX-s/2ws0XoFADwAJ discussion], Mozilla's [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/enforcement/ Enforcement Policy] indicates what to do when a serious security concern is noticed, but does not indicate what to do when a lesser security concern is noticed. | |||
* (D5) Make it clearer that producing [https://mozillacaprogram.secure.force.com/Communications/CommunicationActionOptionResponse?CommunicationId=a04o000000M89RCAAZ&Question=ACTION%20%234:%20Workarounds%20were%20implemented syntactically valid certificates] is '''required'''. In particular, I think that Mozilla should audit a CA's recently-issued certificates and automatically reject a CA's request for inclusion or membership renewal if there are a non-trivial number of certificates that have the problems mentioned in [[SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix|Mozilla's list of Things for CAs to Fix]] | * (D5) Make it clearer that producing [https://mozillacaprogram.secure.force.com/Communications/CommunicationActionOptionResponse?CommunicationId=a04o000000M89RCAAZ&Question=ACTION%20%234:%20Workarounds%20were%20implemented syntactically valid certificates] is '''required'''. In particular, I think that Mozilla should audit a CA's recently-issued certificates and automatically reject a CA's request for inclusion or membership renewal if there are a non-trivial number of certificates that have the problems mentioned in [[SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix|Mozilla's list of Things for CAs to Fix]] | ||
* (D9) Make it very clear that a CA with a root certificate included in Mozilla's program is ultimately responsible for every certificate issued that directly or indirectly chains up to the included certificate. If a CA's subcontractors (RAs, subCAs, etc.) have their own practice documentation, it must be inclusive of the CA's practices. | * (D9) Make it very clear that a CA with a root certificate included in Mozilla's program is ultimately responsible for every certificate issued that directly or indirectly chains up to the included certificate. If a CA's subcontractors (RAs, subCAs, etc.) have their own practice documentation, it must be inclusive of the CA's practices. |
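Review bot: the new bullet under Accountability ("Codify requirements about when CAs must contact Mozilla about security failures") identifies the gap it wants closed, namely that the linked Enforcement Policy covers serious security concerns but is silent on lesser ones, without saying what the codified requirement should contain. Suggest the bullet state at least what distinguishes a lesser concern from a serious one, whom at Mozilla the CA must notify, and within what time, so the proposal can be checked against the Enforcement Policy it cites rather than only pointing at the discussion thread.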