CA: Difference between revisions
(Further link updates and rearrangement) |
|||
Line 17: | Line 17: | ||
* [[CA/Included_Certificates|Included CA Certificates]] | * [[CA/Included_Certificates|Included CA Certificates]] | ||
* [[CA/Intermediate_Certificates|Intermediate Certificates]] | * [[CA/Intermediate_Certificates|Intermediate Certificates]] | ||
* [[CA/Removed_Certificates|Removed CA Certificates]] | * [[CA/Removed_Certificates|Removed CA Certificates]] | ||
* [[ | * [[NSS:Release_Versions|NSS Release Versions]] - shows in which version of Mozilla products each root certificate was first available | ||
== Program Administration == | == Program Administration == | ||
Line 26: | Line 25: | ||
Most information relating to the administration of our program is stored either in [https://bugzilla.mozilla.org/ Bugzilla] or in the [[CA:CommonCADatabase|Common CA Database]]. | Most information relating to the administration of our program is stored either in [https://bugzilla.mozilla.org/ Bugzilla] or in the [[CA:CommonCADatabase|Common CA Database]]. | ||
* [[CA/Dashboard|Certificate Change Request Dashboard]] - tracks applications and trust changes through the process | * [[CA/Dashboard|Certificate Change Request Dashboard]] - tracks applications and trust changes through the process in Bugzilla | ||
* [[CA/ | * [[CA/Certificate_Change_Requests|Certificate Change Requests]] as tracked in the CCADB | ||
* [[ | * [[CA/Incident_Dashboard|Incident and Compliance Dashboard]] | ||
* [[CA/Bug_Triage|Bugzilla Bug Triage Process]] | |||
====crt.sh==== | |||
* [https://crt.sh/mozilla-disclosures Disclosure status of all certificates known to CT] | |||
* [https://crt.sh/?cablint=issues Problematic certificates issued in the past week known to CT] | |||
== Information for CAs == | == Information for CAs == | ||
* [[CA/Application_Process|Application Process | * [[CA/Application_Process|Application Process for Mozilla's Root Program]] | ||
* [[CA:Root_Change_Process|Making Changes to Included Roots]] | * [[CA:Root_Change_Process|Making Changes to Included Roots]] | ||
* [[CA:Recommended_Practices|Recommended CA Practices]] | |||
* [[CA:Problematic_Practices|Potentially Problematic CA Practices]] | |||
* [[CA:BRs-Self-Assessment|Baseline Requirements Self Assessment]] | |||
* [[PSM:EV_Testing_Easy_Version|EV Readiness Test]] | |||
* [https://github.com/awslabs/certlint BR Lint Certificate Test] - source code download | |||
* [https://github.com/kroeckx/x509lint X.509 Lint Certificate Test] - source code download | |||
* [https://mozillacacommunity.force.com/CustomLogin CCADB Login] | |||
== Information for Auditors == | |||
* [[CA/Auditors|Information for Auditors]] | |||
* [[CA | == Information for the Public == | ||
* [[CA: | |||
* [[ | * [[CA/Terminology|Glossary of CA and Certificate Terminology]] | ||
* [[CA:UserCertDB|Changing Certificate Trust Settings in Firefox]] | |||
* [https://tls-observatory.services.mozilla.com/static/certsplainer.html Mozilla's Certificate Explainer] | |||
* [https://www.ssllabs.com/ssltest/analyze.html Qualys SSL Server Quality Checker] | |||
* [https://observatory.mozilla.org/ Mozilla SSL Server Quality Checker] | |||
* [https://certificate.revocationcheck.com/ Certificate Revocation Checker] (also checks CRL and OCSP server quality and compliance) | |||
== Discussion Forums == | == Discussion Forums == | ||
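Review bot: The entries added under "Information for CAs" and "Information for the Public" mix two page-title styles. [[CA:Recommended_Practices]], [[CA:Problematic_Practices]], [[CA:BRs-Self-Assessment]] and [[CA:UserCertDB]] use the colon form, while other entries added in this same hunk use the slash form ([[CA/Bug_Triage]], [[CA/Auditors]], [[CA/Terminology]]). Pick one form for the new links so that readers and link checkers resolve them the same way, or say in the edit summary that the colon-form pages are intentionally left at their current titles.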
Line 47: | Line 67: | ||
* [https://www.mozilla.org/en-US/about/forums/#dev-tech-crypto mozilla.dev.tech.crypto]. This forum is used for discussions of the [http://www.mozilla.org/projects/security/pki/nss/ NSS] cryptographic library used in Firefox and other Mozilla-based products, as well as the [http://www.mozilla.org/projects/security/pki/psm/ PSM] module that implements higher-level security protocols for Firefox. | * [https://www.mozilla.org/en-US/about/forums/#dev-tech-crypto mozilla.dev.tech.crypto]. This forum is used for discussions of the [http://www.mozilla.org/projects/security/pki/nss/ NSS] cryptographic library used in Firefox and other Mozilla-based products, as well as the [http://www.mozilla.org/projects/security/pki/psm/ PSM] module that implements higher-level security protocols for Firefox. | ||
* [https://www.mozilla.org/en-US/about/forums/#dev-security mozilla.dev.security]. This forum is used for discussions of Mozilla security issues in general. | * [https://www.mozilla.org/en-US/about/forums/#dev-security mozilla.dev.security]. This forum is used for discussions of Mozilla security issues in general. | ||
Revision as of 09:18, 5 May 2017
Mozilla's CA Certificate Program
Mozilla’s CA Certificate Program governs inclusion of root certificates in Network Security Services (NSS), a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of products.
Policy
- Root Store Policy (current stable version: 2.4.1)
- CA Communications and their responses. Such communications may also set policy in advance of it being included in the Root Store Policy.
- Process for updating the Root Store Policy
- Root Store Policy Issue Tracker
- Latest draft of Root Store Policy (will become the next version)
- Root Store Policy Archive
- Root Transfer Policy: Mozilla's expectations when the ownership of an included root certificate changes, the organization operating the PKI changes, and/or the private keys of the root certificate are transferred to a new location.
Lists of Certificates
- Included CA Certificates
- Intermediate Certificates
- Removed CA Certificates
- NSS Release Versions - shows in which version of Mozilla products each root certificate was first available
Program Administration
Most information relating to the administration of our program is stored either in Bugzilla or in the Common CA Database.
- Certificate Change Request Dashboard - tracks applications and trust changes through the process in Bugzilla
- Certificate Change Requests as tracked in the CCADB
- Incident and Compliance Dashboard
- Bugzilla Bug Triage Process
crt.sh
- Disclosure status of all certificates known to CT
- Problematic certificates issued in the past week known to CT
Information for CAs
- Application Process for Mozilla's Root Program
- Making Changes to Included Roots
- Recommended CA Practices
- Potentially Problematic CA Practices
- Baseline Requirements Self Assessment
- EV Readiness Test
- BR Lint Certificate Test - source code download
- X.509 Lint Certificate Test - source code download
- CCADB Login
Information for Auditors
Information for the Public
- Glossary of CA and Certificate Terminology
- Changing Certificate Trust Settings in Firefox
- Mozilla's Certificate Explainer
- Qualys SSL Server Quality Checker
- Mozilla SSL Server Quality Checker
- Certificate Revocation Checker (also checks CRL and OCSP server quality and compliance)
Discussion Forums
The following Mozilla public forums are relevant to CA evaluation and related issues. Each forum can be accessed either as a mailing list, over the web or as a newsgroup.
- mozilla.dev.security.policy (MDSP). This forum is used for discussions of Mozilla policies related to security in general and CAs in particular, and for wider discussions about the WebPKI. Among other things, it is the preferred forum for the public comment phase of CA evaluation. If you are a regular participant in MDSP, then please add your name to the Policy Participants page.
- mozilla.dev.tech.crypto. This forum is used for discussions of the NSS cryptographic library used in Firefox and other Mozilla-based products, as well as the PSM module that implements higher-level security protocols for Firefox.
- mozilla.dev.security. This forum is used for discussions of Mozilla security issues in general.