CA/Compliance Self-Assessment

= BR Self-Assessment =
CAs with root certificates that have the Websites trust bit set are required to perform self-assessments at various times to ensure that their CP and CPS documents and their practices continue to comply with the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum's Baseline Requirements] (BRs). Preparing this document reduces the load on the Mozilla administration team and makes it more likely that the CA's request will be processed in a timely manner.

== Template ==
* [https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing Template for BR Self-Assessment].

== Annual BR Self-Assessment ==
The BRs state: "The CA SHALL develop, implement, enforce, and annually update a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements."

CAs with included root certificates that have the Websites trust bit set must do an annual self-assessment of their compliance with the BRs using the template above, and must update their CP and CPS documents at least once every year. Indicate that this has happened by incrementing the version number and adding a dated changelog entry, even if no other changes are made to the CP and CPS documents.

== BR Self-Assessment During Root Inclusion/Update Process ==
Mozilla's [[CA|root inclusion/update process]] has a [[CA:How_to_apply#Public_discussion|Public Discussion]] phase in which members of the community thoroughly review and discuss each CA's request.  

In the past, Mozilla relied on community members to do a [[CA:Recommended_Practices#CP.2FCPS_Documents_will_be_Reviewed.21|side-by-side comparison]] of the CA's CP/CPS documents to the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum's Baseline Requirements]. This is a very time-consuming task, made even more difficult by the varying quality of CA CP/CPS documents and their adherence to the BRs, translation issues, versioning issues, difficulty finding which documents to review, and so on. As a result, the [[CA:Schedule#Queue_for_Public_Discussion|Public Discussion]] of root inclusion/update requests ground to a halt.

Therefore, Mozilla now requires CAs to perform their own side-by-side comparison of their CP and CPS documents to the BRs using the template above, and to attach their findings to their Bugzilla bug before their public discussion will be started. During the public discussion in the [https://groups.google.com/forum/#!forum/mozilla.dev.security.policy mozilla.dev.security.policy] forum, members of the community will use the CA's self-assessment document to perform their own review, confirm the accuracy of the CA's self-assessment, ask questions, and raise concerns.