CA/Application Process: Difference between revisions

updated links
(moved remaining content from CA:Schedule page into this page)
(updated links)
Line 7: Line 7:
The overall steps of the CA certificate inclusion process are as follows.
The overall steps of the CA certificate inclusion process are as follows.


# Carefully consider whether your CA needs to be directly included in Mozilla's root store or if it would be better for your CA to be a [[CA:SubordinateCAcerts|subordinate CA of an already-included CA]].
# Carefully consider whether your CA needs to be [[CA/Included_Certificates|directly included in Mozilla's root store]] or if it would be better for your CA to be a [[CA/Intermediate_Certificates|subordinate CA of an already-included CA]].
#* If you control all the domains that use your root certificate, then you probably do not meet the criteria for inclusion in Mozilla's root store. [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy] states:  "We will determine which CA certificates are included in software products distributed by Mozilla, based on the benefits and risks of such inclusion to typical users of those products."  With ALL affected domains under your control, your root certificate would not seem to create a benefit for typical Mozilla users, only for users of your services. Perhaps a better alternative would to be a [[CA:SubordinateCAcerts|subordinate CA]] of a CA who is [[CA:IncludedCAs|already included in Mozilla's root store]].
#* If you control all the domains that use your root certificate, then you probably do not meet the criteria for inclusion in Mozilla's root store. [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy] states:  "We will determine which CA certificates are included in software products distributed by Mozilla, based on the benefits and risks of such inclusion to typical users of those products."  With ALL affected domains under your control, your root certificate would not seem to create a benefit for typical Mozilla users, only for users of your services. Perhaps a better alternative is to be a [[CA/Intermediate_Certificates|subordinate CA]] of a CA who is already [[CA/Included_Certificates|included in Mozilla's root store]].
#* According to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy]: "We require that all CAs whose certificates are distributed with our software product ... provide some service relevant to typical users of our software products." It is the CA's responsibility to explain why their root needs to be included in NSS and explain how the inclusion will benefit typical Mozilla users.
#* According to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy]: "We require that all CAs whose certificates are distributed with our software product ... provide some service relevant to typical users of our software products." It is the CA's responsibility to explain why their root needs to be included in NSS and explain how the inclusion will benefit typical Mozilla users.
# A representative of the CA [[CA:How_to_apply#Creation_and_submission_of_the_root_CA_certificate_inclusion_request | submits a request for root inclusion.]]  
# A representative of the CA [[CA:How_to_apply#Creation_and_submission_of_the_root_CA_certificate_inclusion_request | submits a request for root inclusion.]]  
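Review bot: The unchanged step 2 line at the end of this hunk still links to CA:How_to_apply#Creation_and_submission_of_the_root_CA_certificate_inclusion_request in the old "CA:" naming, while step 1 and its first sub-bullet were moved to CA/Included_Certificates and CA/Intermediate_Certificates. If this revision is meant to bring the links on the page up to date, check whether the How_to_apply target has also moved and update it in the same edit, so that the first link an applicant follows to file a request does not depend on a redirect.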
Line 36: Line 36:
#* A representative of Mozilla adds (commits) the patch to NSS, then closes the NSS bug as RESOLVED FIXED.
#* A representative of Mozilla adds (commits) the patch to NSS, then closes the NSS bug as RESOLVED FIXED.
# Mozilla products move to using a version of NSS which contains the certificate changes. This process is mostly under the control of the release drivers for those products. See [https://wiki.mozilla.org/RapidRelease/Calendar Mozilla's Release Calendar.]
# Mozilla products move to using a version of NSS which contains the certificate changes. This process is mostly under the control of the release drivers for those products. See [https://wiki.mozilla.org/RapidRelease/Calendar Mozilla's Release Calendar.]
# After inclusion of the CA's root certificate, a representative of Mozilla issues a [[CA:SalesforceCommunity|CA Community Salesforce]] license to the [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]] for the CA.
# After inclusion of the CA's root certificate, a representative of Mozilla issues a [[CA:CommonCADatabase|Common CA Database (CCADB)]] license to the [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]] for the CA.
# The CA [[CA:SalesforceCommunity#Data_that_CAs_can_Add.2FModify|enters data into the CA Community in Salesforce]] for:
# The CA [[CA:SalesforceCommunity#Data_that_CAs_can_Add.2FModify|enters data into the CCADB]] for:
#* All of the certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their root certificate(s) included in Mozilla’s CA Certificate Program that are not technically constrained as described in section 9 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy].
#* All of the certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their root certificate(s) included in Mozilla’s Root Store that are not technically constrained as described in section 5.3 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy].
#* [[CA:ImprovingRevocation#Preload_Revocations_of_Intermediate_CA_Certificates|Revoked intermediate certificates]] that chain to their certificate(s) included in Mozilla's CA Certificate Program.
#* [[CA:SalesforceCommunity#Add_Revoked_Intermediate_Certificate_Data_to_the_CCADB|Revoked intermediate certificates]] that chain to their certificate(s) included in Mozilla's Root Store.


== Ways You Can Help ==
== Ways You Can Help ==
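Review bot: In the "enters data into the CCADB" step, only the link label changed; the target is still CA:SalesforceCommunity#Data_that_CAs_can_Add.2FModify, and the new revoked-intermediates link also points into CA:SalesforceCommunity, while the license step above now links to CA:CommonCADatabase. Either point all three at the CCADB page or confirm that the SalesforceCommunity anchors still resolve, since these are the instructions CAs follow to disclose unconstrained and revoked intermediates. The policy citation also moved from section 9 of the Inclusion Policy to section 5.3 of the Root Store Policy; it is worth confirming that 5.3 is the section that defines "technically constrained" in the linked version.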