CA: Difference between revisions
Jump to navigation
Jump to search
m (Change all occurrences of http to https) |
m (Fixed broken links to NSS info) |
||
| Line 2: | Line 2: | ||
= Mozilla's CA Certificate Program = | = Mozilla's CA Certificate Program = | ||
Mozilla’s CA Certificate Program governs inclusion of root [https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates certificates] in [https://developer.mozilla.org/en-US/docs/NSS Network Security Services (NSS),] a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of products. The program is overseen by the module owner and peers of the [[Modules/Activities#CA_Certificates|CA Certificates Module]]; the policy itself is overseen by the module owner and peers of the [[Modules/Activities#Mozilla_CA_Certificate_Policy|CA Certificate Policy Module]]. | Mozilla’s CA Certificate Program governs inclusion of root [https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates certificates] in [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS Network Security Services (NSS),] a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of products. The program is overseen by the module owner and peers of the [[Modules/Activities#CA_Certificates|CA Certificates Module]]; the policy itself is overseen by the module owner and peers of the [[Modules/Activities#Mozilla_CA_Certificate_Policy|CA Certificate Policy Module]]. | ||
== Policy == | == Policy == | ||
| Line 84: | Line 84: | ||
The following Mozilla public forums are relevant to CA evaluation and related issues. | The following Mozilla public forums are relevant to CA evaluation and related issues. | ||
* [https://groups.google.com/a/mozilla.org/g/dev-security-policy Mozilla's dev-security-policy (MDSP)] mailing list is used for discussions of Mozilla policies related to security in general and CAs in particular, and for wider discussions about the WebPKI. Among other things, it is the preferred forum for the public comment phase of CA evaluation. If you are a regular participant in MDSP, then please add your name to the [[CA/Policy_Participants|Policy Participants]] page. | * [https://groups.google.com/a/mozilla.org/g/dev-security-policy Mozilla's dev-security-policy (MDSP)] mailing list is used for discussions of Mozilla policies related to security in general and CAs in particular, and for wider discussions about the WebPKI. Among other things, it is the preferred forum for the public comment phase of CA evaluation. If you are a regular participant in MDSP, then please add your name to the [[CA/Policy_Participants|Policy Participants]] page. | ||
* [https://groups.google.com/a/mozilla.org/g/dev-tech-crypto Mozilla's dev-tech-crypto] mailing list is used for discussions of the [https:// | * [https://groups.google.com/a/mozilla.org/g/dev-tech-crypto Mozilla's dev-tech-crypto] mailing list is used for discussions of the [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS] cryptographic library used in Firefox and other Mozilla-based products, as well as the [https://www.mozilla.org/projects/security/pki/psm/ PSM] module that implements higher-level security protocols for Firefox. | ||
* For other discussions of Mozilla security issues: | * For other discussions of Mozilla security issues: | ||
** [https://discourse.mozilla.org/c/security/ Mozilla's Security Web forum] is a place to discuss information security work in the open source space, where Mozilla is empowering users to build and curate a Healthy Internet. | ** [https://discourse.mozilla.org/c/security/ Mozilla's Security Web forum] is a place to discuss information security work in the open source space, where Mozilla is empowering users to build and curate a Healthy Internet. | ||
** [https://discourse.mozilla.org/tags/c/firefox-development/privacy-and-security Mozilla's privacy-and-security forum] is a place to discuss issues and questions specific to privacy and security. | ** [https://discourse.mozilla.org/tags/c/firefox-development/privacy-and-security Mozilla's privacy-and-security forum] is a place to discuss issues and questions specific to privacy and security. | ||
** [https://chat.mozilla.org/#/room/#security:mozilla.org chat on Matrix] may also be used | ** [https://chat.mozilla.org/#/room/#security:mozilla.org chat on Matrix] may also be used | ||
Revision as of 16:31, 6 April 2021
Mozilla's CA Certificate Program
Mozilla’s CA Certificate Program governs inclusion of root certificates in Network Security Services (NSS), a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of products. The program is overseen by the module owner and peers of the CA Certificates Module; the policy itself is overseen by the module owner and peers of the CA Certificate Policy Module.
Policy
- Root Store Policy (current stable version: 2.7)
- CA Communications and their responses. Such communications may also set policy in advance of it being included in the Root Store Policy.
- Root Store Policy Archive
- Process for updating the Root Store Policy
- Root Store Policy Issue Tracker
- Latest draft of Root Store Policy (will become the next version)
Lists of CAs and Certificates
- Data Usage Terms
- Included CAs (in the Root Program and in Firefox)
- Included CA Certificates
- Intermediate Certificates
- Removed CA Certificates
- NSS Release Versions - shows in which version of Mozilla products each root certificate was first available
- Additional Trust Policies - describes trust policies enforced by PSM in Firefox and Thunderbird, but not represented in the NSS root store.
Program Administration
Most information relating to the administration of our program is stored either in Bugzilla or in the Common CA Database.
- Certificate Change Request Dashboard - tracks applications and trust changes through the process in Bugzilla
- Certificate Change Requests as tracked in the CCADB
- Incident and Compliance Dashboard
- Bugzilla Bug Triage Process
- Email Templates used by CCADB
crt.sh
- Disclosure status of all certificates known to CT
- Problematic certificates issued in the past week known to CT
Information for CAs
- CCADB Login
- Audit_Statements
- Responding to an Incident (such as a misissuance)
- Application Process for Mozilla's Root Program
- Change or Remove an Included Root Certificate
- Required or Recommended CA Practices
- Forbidden or Problematic CA Practices
- Maintenance and Enforcement
- How Firefox Performs Certificate Verification and path construction
- How Firefox Processes EV Certificates
- EV Readiness Test
- BR Lint Certificate Test - source code download
- X.509 Lint Certificate Test - source code download
- Common Test Errors
Information for Auditors
- Auditor Qualifications
- Auditor Compliance Dashboard
- Guidance on doing Baseline Requirements audits
- Mistakes we have seen auditors make and their consequences
Information for the Public
- Why Does Mozilla Maintain Our Own Root Certificate Store?
- What is the Common CA Database (CCADB)?
- FAQ About Certificates and CAs
- List of CA problem reporting mechanisms (email, etc.) (use this to report a certificate problem directly to the CA)
- Report an Incident to Mozilla (be sure to click the "Security" checkbox if it is a security-sensitive incident)
- Significant upcoming CA Distrust Actions
- Glossary of CA and Certificate Terminology
- Changing Certificate Trust Settings in Firefox
- Mozilla's Certificate Explainer
- Qualys SSL Server Quality Checker
- Mozilla SSL Server Quality Checker
- How Firefox performs revocation checking
- Certificate Revocation Checker (also checks CRL and OCSP server quality and compliance)
- List of CAA Identifiers (used to restrict issuance of certificates to specific CAs via a DNS Certification Authority Authorization Resource Record)
- How to install your own root certificate in Firefox
Discussion Forums
The following Mozilla public forums are relevant to CA evaluation and related issues.
- Mozilla's dev-security-policy (MDSP) mailing list is used for discussions of Mozilla policies related to security in general and CAs in particular, and for wider discussions about the WebPKI. Among other things, it is the preferred forum for the public comment phase of CA evaluation. If you are a regular participant in MDSP, then please add your name to the Policy Participants page.
- Mozilla's dev-tech-crypto mailing list is used for discussions of the NSS cryptographic library used in Firefox and other Mozilla-based products, as well as the PSM module that implements higher-level security protocols for Firefox.
- For other discussions of Mozilla security issues:
- Mozilla's Security Web forum is a place to discuss information security work in the open source space, where Mozilla is empowering users to build and curate a Healthy Internet.
- Mozilla's privacy-and-security forum is a place to discuss issues and questions specific to privacy and security.
- chat on Matrix may also be used