CA/Audit Statements: Difference between revisions

Added info about the 'EV SSL Audit ALV Found Cert' field and results
== Intermediate Certificates ==
Subordinate CAs who operate non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates have the keys to the internet just as much as the [[CA/Included_CAs|CAs who have root certificates directly included in Mozilla's root store]]. This means that such subordinate CAs can also issue TLS certificates for any website or domain, so it is imperative that the same rules are followed by all subordinate CAs operating non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates. There are currently about 150 [[CA/Included_Certificates|root certificates in Mozilla's root store]], which leads to about 3,000 [[CA/Intermediate_Certificates|intermediate certificates]] that are trusted by Mozilla's root store. To help enforce the rules at the intermediate certificate level, Mozilla requires disclosure of non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates in the CCADB, which automatically runs ALV on them and reports the results to CAs and root store operators on their CCADB home page.


CAs are required to update the [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#31-audits audit] and [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#33-cps-and-cpses CP/CPS] information for their non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates chaining to root certs included in Mozilla's program at least annually. To provide this information for intermediate certificates, [https://www.ccadb.org/cas/intermediates directly update the corresponding record in the CCADB], then click on the "Audit Letter Validation [ALV]" button. Whenever the audit statements for an intermediate certificate are the same as those of the certificate that signed it, check the "Audits Same as Parent" checkbox instead of providing separate audit information. When the "Audits Same as Parent" field is checked for an intermediate certificate record in the CCADB, the CCADB will look up the parent chain until audit statements are found, and then run ALV using those audit statements. When the "Audits Same as Parent" field is not checked, the CCADB will directly pass the audit statements in the intermediate certificate record into ALV.


The following fields are set by running ALV on an intermediate certificate record in the CCADB. CAs may cause ALV to be run on the record by clicking on the "Audit Letter Validation [ALV]" button. Additionally, the CCADB has automated processes that regularly check for intermediate certificate records that need to have ALV run.
# Standard Audit ALV Found Cert
#* This field will be set to PASS when ALV finds the SHA-256 Fingerprint for that certificate in the standard audit statement.
# BR Audit ALV Found Cert
#* This field will only be set when the "Derived Trust Bits" field has 'Server Authentication' in its list.
#* This field will be set to PASS when ALV finds the SHA-256 Fingerprint for that certificate in the BR audit statement.
# EV SSL Audit ALV Found Cert
#* This field will only be set when the "Derived Trust Bits" field has 'Server Authentication' in its list, and the "EV SSL Capable" field is set to TRUE.
#* This field will be set to PASS when ALV finds the SHA-256 Fingerprint for that certificate in the EV SSL audit statement.


Derived Trust Bits logic:  
** If the root certificate is in both Mozilla's and Microsoft's root stores then the "Derived Trust Bits" field is set as the union of the trust bits that are enabled for the root certificate in both programs.  


EV SSL Capable logic:
* If the "Derived Trust Bits" field contains 'Server Authentication', then check to see if the root certificate that the cert chains up to has Mozilla EV Policy OID(s) or Microsoft EV Policy OID(s).
'''When ALV returns FAIL''' for "Standard Audit ALV Found Cert", "BR Audit ALV Found Cert", or "EV SSL Audit ALV Found Cert" for one of your CA's intermediate certificate records in the CCADB, do the following.
* Check the corresponding audit statement to make sure the SHA-256 fingerprint of the certificate is correctly listed.
* If the SHA-256 fingerprint is listed in the audit statement, then make sure that it meets the [https://www.ccadb.org/policy#51-audit-statement-content format specifications], such as no colons, no spaces, no line feeds.
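As an added illustration of the three pieces above (the "Audits Same as Parent" lookup up the parent chain, the per-field ALV logic gated by "Derived Trust Bits" and "EV SSL Capable", and the checks to run after a FAIL), the following Python models them over constructed sample records. It is not CCADB code: the CertRecord class, its field names, the audit-statement keys and the ev_ssl_capable input flag are assumptions made for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class CertRecord:
    """Hypothetical model of a CCADB certificate record (constructed for this example)."""
    der: bytes                       # certificate DER; constructed placeholder bytes below
    derived_trust_bits: set          # e.g. {"Server Authentication"}
    ev_ssl_capable: bool = False     # taken as an input here; the page derives it from root EV OIDs
    audits_same_as_parent: bool = False
    parent: Optional["CertRecord"] = None
    audits: dict = field(default_factory=dict)  # statement text keyed by "standard", "br", "ev"

def fingerprint(cert):
    """SHA-256 fingerprint as the audit statement must list it: hex only, no colons/spaces/line feeds."""
    return hashlib.sha256(cert.der).hexdigest().upper()

def resolve_audits(cert):
    """Walk up the parent chain while 'Audits Same as Parent' is checked, as the CCADB does."""
    while cert.audits_same_as_parent and cert.parent is not None:
        cert = cert.parent
    return cert.audits

def alv_found_cert(cert):
    """Set the '... ALV Found Cert' fields; BR/EV only when trust bits and EV capability allow."""
    audits, fp = resolve_audits(cert), fingerprint(cert)
    check = lambda key: "PASS" if fp in audits.get(key, "").upper() else "FAIL"
    results = {"Standard Audit ALV Found Cert": check("standard")}
    if "Server Authentication" in cert.derived_trust_bits:
        results["BR Audit ALV Found Cert"] = check("br")
        if cert.ev_ssl_capable:
            results["EV SSL Audit ALV Found Cert"] = check("ev")
    return results

def diagnose_fail(cert, key):
    """After a FAIL, the manual check the page recommends: listed at all, and in the right format?"""
    text, fp = resolve_audits(cert).get(key, ""), fingerprint(cert)
    if fp in re.sub(r"[:\s]", "", text).upper():
        return "fingerprint present but written with colons, spaces or line feeds"
    return "fingerprint not listed"
def build_sample():
    """Constructed sample hierarchy (not real CCADB data)."""
    root = CertRecord(b"root-der", {"Server Authentication", "Email"}, ev_ssl_capable=True)
    sub_a = CertRecord(b"sub-a-der", {"Server Authentication"}, ev_ssl_capable=True, audits_same_as_parent=True, parent=root)
    sub_b = CertRecord(b"sub-b-der", {"Server Authentication"}, parent=root)
    listed = fingerprint(root) + "\n" + fingerprint(sub_a)      # root's statements also cover Sub A
    root.audits = {"standard": listed, "br": listed, "ev": listed}
    colon_fp = ":".join(fingerprint(sub_b)[i:i + 2] for i in range(0, 64, 2))  # wrong format
    sub_b.audits = {"standard": fingerprint(sub_b), "br": colon_fp}
    return root, sub_a, sub_b
```

Sub A resolves to the root's statements and passes all three fields; Sub B fails only the BR field, and diagnose_fail reports that the fingerprint is there but written with colons, which is exactly the format problem the checklist above tells CAs to look for.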