CA: Difference between revisions
Jump to navigation
Jump to search
(Tidy up Discussion Forums section) |
(General cleanup) |
||
| Line 1: | Line 1: | ||
== Mozilla's CA Certificate Program == | == Mozilla's CA Certificate Program == | ||
Mozilla’s CA Certificate Program governs inclusion of root certificates in [https://developer.mozilla.org/en-US/docs/NSS Network Security Services (NSS),] a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of | Mozilla’s CA Certificate Program governs inclusion of root [https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates certificates] in [https://developer.mozilla.org/en-US/docs/NSS Network Security Services (NSS),] a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of products. | ||
== Policy == | == Policy == | ||
* [http://www.mozilla.org/projects/security/certs/policy/ | * [http://www.mozilla.org/projects/security/certs/policy/ Root Store Policy] (current stable version: 2.4.1) | ||
** [https://github.com/mozilla/pkipolicy/issues | * [[CA:Communications | CA Communications]] and their responses. Such communications may also set policy in advance of it being included in the Root Store Policy. | ||
* [[CA:BaselineRequirements|Baseline Requirements Compliance]]: Mozilla's expectations regarding compliance with the CA/Browser Forum's [https://cabforum.org/baseline-requirements-documents/ Baseline Requirements] | * [https://github.com/mozilla/pkipolicy/issues Root Store Policy Issue Tracker] | ||
* [[CA:RootTransferPolicy|Root Transfer Policy]]: Mozilla's expectations when the ownership of an included root certificate changes, the organization operating the PKI changes, and/or the private keys of the root certificate are transferred to a new location | * [https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md Latest draft of Root Store Policy] (will become the next version) | ||
* [[CA:CertPolicy|Older versions of the Root Store Policy]] | |||
* [[CA:BaselineRequirements|Baseline Requirements Compliance]]: Mozilla's expectations regarding compliance with the CA/Browser Forum's [https://cabforum.org/baseline-requirements-documents/ Baseline Requirements]. | |||
* [[CA:RootTransferPolicy|Root Transfer Policy]]: Mozilla's expectations when the ownership of an included root certificate changes, the organization operating the PKI changes, and/or the private keys of the root certificate are transferred to a new location. | |||
== Lists of CAs and Certificates == | == Lists of CAs and Certificates == | ||
| Line 25: | Line 18: | ||
* [[CA:RemovedCAcerts|Removed CA Certificates]] | * [[CA:RemovedCAcerts|Removed CA Certificates]] | ||
* [[CA:PendingCAs|Pending CA Certificates]] or certificate trust bit/EV status changes | * [[CA:PendingCAs|Pending CA Certificates]] or certificate trust bit/EV status changes | ||
* [[CA/Dashboard|CA Request Dashboard]] - tracks applications through the process | |||
* [[ | * [[NSS:Release_Versions | NSS:Release_Versions]] shows which product versions a particular root inclusion request was first available in | ||
* [[CA: | * [[CA:SubordinateCAcerts|Public Intermediate Certificates]] | ||
* [[CA:RevokedSubCAcerts|Revoked Intermediate Certificates]] | |||
* [[CA: | |||
== Common CA Database (aka CA Community in Salesforce) == | == Common CA Database (aka CA Community in Salesforce) == | ||
| Line 52: | Line 39: | ||
* CA Mis-Issuance Bugs: https://wiki.mozilla.org/CA/ca-bugs | * CA Mis-Issuance Bugs: https://wiki.mozilla.org/CA/ca-bugs | ||
* Whiteboard tags used in the CA Program https://wiki.mozilla.org/CA_Bug_Triage | * Whiteboard tags used in the CA Program https://wiki.mozilla.org/CA_Bug_Triage | ||
== Override Default Root Certificate Settings == | |||
Users of Mozilla products may override the default root certificate settings by either deleting the root certificate or by changing the trust bit settings of a root certificate. | |||
* [[CA:UserCertDB|User Root Certificate Settings]] -- How to override the default root settings in Mozilla products. | |||
== How to Apply for Root Inclusion or Changes == | == How to Apply for Root Inclusion or Changes == | ||
Revision as of 11:51, 2 May 2017
Mozilla's CA Certificate Program
Mozilla’s CA Certificate Program governs inclusion of root certificates in Network Security Services (NSS), a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of products.
Policy
- Root Store Policy (current stable version: 2.4.1)
- CA Communications and their responses. Such communications may also set policy in advance of it being included in the Root Store Policy.
- Root Store Policy Issue Tracker
- Latest draft of Root Store Policy (will become the next version)
- Older versions of the Root Store Policy
- Baseline Requirements Compliance: Mozilla's expectations regarding compliance with the CA/Browser Forum's Baseline Requirements.
- Root Transfer Policy: Mozilla's expectations when the ownership of an included root certificate changes, the organization operating the PKI changes, and/or the private keys of the root certificate are transferred to a new location.
Lists of CAs and Certificates
- Included CA Certificates
- Removed CA Certificates
- Pending CA Certificates or certificate trust bit/EV status changes
- CA Request Dashboard - tracks applications through the process
- NSS:Release_Versions shows which product versions a particular root inclusion request was first available in
- Public Intermediate Certificates
- Revoked Intermediate Certificates
Common CA Database (aka CA Community in Salesforce)
Mozilla's CA Program uses the Common CA Database, also known as the CA Community in Salesforce, which is a highly customized CRM used for managing CA Program data. The Common CA Database enables CAs to directly provide the data for all of the publicly disclosed and audited subordinate CAs chaining up to root certificates in Mozilla's program, and to also directly provide data about their revoked intermediate certificates. A Primary Point of Contact for each included CA will be given a CA Communitylicense, so that each of the CAs in Mozilla's program can input, access, and update their intermediate certificate data directly in the Common CA Database.
- CA Members of the Common CA Database
- A CA Member is any CA participating in the Common CA Database via Community licenses, subject to Mozilla policies. CA Members have restricted access to certain parts of the data in the Common CA Database. They can only modify the data regarding intermediate certificates chaining up to their own root certificates. They have read-only access to root certificate data, and they do not have access to Cases regarding root inclusion/change requests.
- Root Store Members of the Common CA Database
- A Root Store Member is any root store operator participating in the Common CA Database who has signed Mozilla's Common CA Database Agreement.
- Note: "Common CA Database" is the new name for "CA Community in Salesforce".
Maintenance and Enforcement
- Maintaining Confidence in Root Certificates -- includes potential problems, prevention, and response.
- CA Mis-Issuance Bugs: https://wiki.mozilla.org/CA/ca-bugs
- Whiteboard tags used in the CA Program https://wiki.mozilla.org/CA_Bug_Triage
Override Default Root Certificate Settings
Users of Mozilla products may override the default root certificate settings by either deleting the root certificate or by changing the trust bit settings of a root certificate.
- User Root Certificate Settings -- How to override the default root settings in Mozilla products.
How to Apply for Root Inclusion or Changes
- Process Overview
- How to Apply -- A guide for CAs wishing to include their certificate in Mozilla's Root CA store, and also a guide for CAs wishing to add trust bits or enable EV for a certificate that is already included in Mozilla's Root CA store.
- Root Change Process -- How to request a change to a root certificate that is currently included in NSS. This includes the process for disabling or removing a root certificate from NSS.
- Checklist of CA information required to process a CA's application
- Recommended practices for CAs wishing to have their root CA certificates included in Mozilla products
- Potentially problematic CA practices. This discusses CA practices that are not explicitly forbidden by the Mozilla CA policy, and do not necessarily pose security issues, but that some people have expressed concerns about and that may cause delays in evaluating and approving CA applications. Some of these practices may be addressed in future versions of the Mozilla CA policy.
- Queue for Public Discussion of CA evaluations
- Technical recommendations for root certificates. This is a very first-cut attempt to outline what root certificates should contain, based on the relevant RFCs as supplemented by existing practices.
- Checklist for Subordinate CAs and CSPs Information needed when subordinate CAs are operated by third parties.
- EV Testing in Firefox: Explains how you can test that your CA certificate (that you want to enable for EV) and your OCSP infrastructure is working correctly according to the expectations of Mozilla, Firefox, the NSS library, and conforms to the SSL protocol specifications (as interpreted by Mozilla/NSS software).
- EV certificates and revocation checking. This discusses how revocation checking via OCSP or CRLs affects the UI treatment of EV certificates.
- Terminology
- Glossary of CA- and Mozilla-related terms. Useful for following Mozilla CA-related discussions.
- High Level Terminology
- Certificate download specification. This document describes the data formats used by Mozilla products for installing certificates.
Discussion Forums
The following Mozilla public forums are relevant to CA evaluation and related issues. Each forum can be accessed either as a mailing list, over the web or as a newsgroup.
- mozilla.dev.security.policy (MDSP). This forum is used for discussions of Mozilla policies related to security in general and CAs in particular, and for wider discussions about the WebPKI. Among other things, it is the preferred forum for the public comment phase of CA evaluation. If you are a regular participant in MDSP, then please add your name to the Policy Participants page.
- mozilla.dev.tech.crypto. This forum is used for discussions of the NSS cryptographic library used in Firefox and other Mozilla-based products, as well as the PSM module that implements higher-level security protocols for Firefox.
- mozilla.dev.security. This forum is used for discussions of Mozilla security issues in general.
Work in Progress
- CA Self-Assessment of BRs
- Phasing out SHA-1 Certificates
- Plan for Improving Revocation Checking in Firefox
- SSL Burn Down List -- Collecting/prioritizing NSS and PSM work.
- OCSP Hard Fail -- What needs to be done before we can set OCSP to hard fail by default?
- Sandbox for identifying and resolving issues with the CA Inclusion Process