m (→Concerns) (Added text about how Mozilla responds if a CA does not take responsibility for their actions or lies)
Line 49: | Line 49: | ||
= Potential Problems, Prevention, Response= | = Potential Problems, Prevention, Response= | ||
The following is an enumeration of some of the different kinds of problems that may occur, and what our prevention or immediate response to those problems should be. This is not about meting out punishment, and is not intended to be punitive. Rather, when there is evidence of one of the problems below with a certificate chaining up to a CA in Mozilla's CA Certificate program, we need to take the necessary steps to keep users safe. | While CA incidents have differing levels of seriousness, there are some components which every CA should be able to avoid which are red flags for Mozilla in terms of a continued trust relationship, and which would lead to an investigation. They are: | ||
* Deliberate violation of Mozilla or other applicable policy | |||
* Lying or deception | |||
Mozilla will also assess how concerned we are about an issue in part based on how the CA reacts to that issue, and previous ones. In incident response, Mozilla is looking for the following factors: | |||
* A CA takes responsibility for their own actions. | |||
* Incidents are taken with an appropriate level of seriousness. | |||
* Incidents are handled with haste. | |||
* Root cause analysis is performed. | |||
* Any questions posed, by anyone, are answered quickly and in detail. | |||
* A reasonably-detailed report is made public on what happened, why, and how things have changed to make sure it won’t happen again. | |||
The following is an enumeration of some of the different kinds of problems that may occur, and what our prevention or immediate response to those problems should be, as long as the CA is demonstrating responsibility and integrity as described above. This is not about meting out punishment, and is not intended to be punitive. Rather, when there is evidence of one of the problems below with a certificate chaining up to a CA in Mozilla's CA Certificate program, we need to take the necessary steps to keep users safe. | |||
[http://www.mozilla.org/projects/security/certs/policy/EnforcementPolicy.html Mozilla's Enforcement Policy] describes the steps that Mozilla takes to evaluate and respond to security concerns related to certificate operation and issuance. The following list may be used as a guideline of what to expect when certain types of issues are found, but this list is non-binding because the necessary actions and responses will vary depending on the situation. | [http://www.mozilla.org/projects/security/certs/policy/EnforcementPolicy.html Mozilla's Enforcement Policy] describes the steps that Mozilla takes to evaluate and respond to security concerns related to certificate operation and issuance. The following list may be used as a guideline of what to expect when certain types of issues are found, but this list is non-binding because the necessary actions and responses will vary depending on the situation. |
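Review bot: the new paragraph beginning "The following is an enumeration" makes the whole guideline below conditional on the CA "demonstrating responsibility and integrity as described above", but the hunk never states what the response is when a CA does not; the only consequence given for the two red flags is that they "would lead to an investigation", which does not match the edit summary's promise to describe how Mozilla responds to a CA that lies or does not take responsibility. Suggest adding one sentence after the list of factors making that explicit, for example that where a CA fails to meet these factors the non-binding guideline below no longer bounds Mozilla's response and the Enforcement Policy linked in the next paragraph governs instead. A minor point in the same region: "Incidents are handled with haste" reads as if speed alone is the goal; "handled promptly" would fit the surrounding items better.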