(→Information for CAs: Added Zlint and updated URL for certlint) |
m (→Program Administration: added text) |
(30 intermediate revisions by 2 users not shown) | |||
Line 6: | Line 6: | ||
== Policy == | == Policy == | ||
* [https://www.mozilla.org/projects/security/certs/policy/ Root Store Policy] (current stable version: 2. | * [https://www.mozilla.org/projects/security/certs/policy/ Root Store Policy] (current stable version: 2.9) | ||
* [[CA/Communications | CA Communications]] and their responses. Such communications may also set policy in advance of it being included in the Root Store Policy. | * [[CA/Communications | CA Communications]] and their responses. Such communications may also set policy in advance of it being included in the Root Store Policy. | ||
* [[CA/Root_Store_Policy_Archive|Root Store Policy Archive]] | * [[CA/Root_Store_Policy_Archive|Root Store Policy Archive]] | ||
Line 12: | Line 12: | ||
** [https://github.com/mozilla/pkipolicy/issues Root Store Policy Issue Tracker] | ** [https://github.com/mozilla/pkipolicy/issues Root Store Policy Issue Tracker] | ||
** [https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md Latest draft of Root Store Policy] (will become the next version) | ** [https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md Latest draft of Root Store Policy] (will become the next version) | ||
* [[CA/Transition_SMIME_BRs|Transition to S/MIME BRs]] | |||
== Lists of CAs and Certificates == | == Lists of CAs and Certificates == | ||
Line 30: | Line 31: | ||
* [[CA/Certificate_Change_Requests|Certificate Change Requests]] as tracked in the CCADB | * [[CA/Certificate_Change_Requests|Certificate Change Requests]] as tracked in the CCADB | ||
* [[CA/Incident_Dashboard|Incident and Compliance Dashboard]] | * [[CA/Incident_Dashboard|Incident and Compliance Dashboard]] | ||
** [[CA/Maintenance_and_Enforcement#Issues_Lists|CA Issues Lists]] | |||
* [[CA/CCADB_Dashboard|CCADB Dashboard]] | * [[CA/CCADB_Dashboard|CCADB Dashboard]] | ||
* [[CA/Bug_Triage|Bugzilla Bug Triage Process]] | * [[CA/Bug_Triage|Bugzilla Bug Triage Process]] - also lists whiteboard tags | ||
* [[CA/Email_templates|Email Templates used by CCADB]] | * [[CA/Email_templates|Email Templates used by CCADB]] | ||
Line 43: | Line 45: | ||
* [[CA/Audit_Statements|Audit_Statements]] | * [[CA/Audit_Statements|Audit_Statements]] | ||
* [[CA/Responding_To_An_Incident|Responding to an Incident]] (such as a misissuance) | * [[CA/Responding_To_An_Incident|Responding to an Incident]] (such as a misissuance) | ||
* [[CA/Vulnerability_Disclosure|Disclosing a Vulnerability or Security Incident]] | |||
* [[CA/Application_Process|Application Process for Mozilla's Root Program]] | * [[CA/Application_Process|Application Process for Mozilla's Root Program]] | ||
** [[CA/Quantifying_Value|Quantifying Value: Information Expected of New Applicants]] | ** [[CA/Quantifying_Value|Quantifying Value: Information Expected of New Applicants]] | ||
** [[CA/ | ** [[CA/Compliance_Self-Assessment|Compliance Self Assessment]] | ||
*** [[CA/CPS_Review|Previous reviews of CP/CPS documents]] | |||
** [[CA/Information_Checklist|CA Information Checklist]] | ** [[CA/Information_Checklist|CA Information Checklist]] | ||
** [[CA/Subordinate_CA_Checklist|Subordinate CA Information Checklist]] | ** [[CA/Subordinate_CA_Checklist|Subordinate CA Information Checklist]] | ||
* [[CA/External_Sub_CAs|Approval Process for Externally Operated Subordinate CAs]] | |||
* [[CA/Certificate_Change_Process|Change or Remove an Included Root Certificate]] | * [[CA/Certificate_Change_Process|Change or Remove an Included Root Certificate]] | ||
* [[CA/Root_CA_Lifecycles|Root CA Lifecycles]] | |||
* [[CA/Required_or_Recommended_Practices|Required or Recommended CA Practices]] | * [[CA/Required_or_Recommended_Practices|Required or Recommended CA Practices]] | ||
* [[CA/Forbidden_or_Problematic_Practices|Forbidden or Problematic CA Practices]] | * [[CA/Root_Inclusion_Considerations|Root Inclusion Considerations]] -- This page is intended to be used as a tool for identifying when a CA Operator's root inclusion request should be denied, or when a CA's root certificate should be removed from Mozilla's root store. | ||
* [[CA/Maintenance_and_Enforcement|Maintenance and Enforcement]] | ** [[CA/Forbidden_or_Problematic_Practices|Forbidden or Problematic CA Practices]] | ||
** [[CA/Maintenance_and_Enforcement|Maintenance and Enforcement]] | |||
* [[SecurityEngineering/Certificate_Verification|How Firefox Performs Certificate Verification]] and path construction | * [[SecurityEngineering/Certificate_Verification|How Firefox Performs Certificate Verification]] and path construction | ||
* [[CA/EV_Processing_for_CAs | How Firefox Processes EV Certificates]] | * [[CA/EV_Processing_for_CAs | How Firefox Processes EV Certificates]] | ||
* Revocation | |||
** [[CA/Revocation_Checking_in_Firefox|How Firefox Performs Revocation Checking]] | |||
** [[CA/Revocation_Reasons|Revocation Reasons for TLS Server Certificates]] | |||
* [[PSM:EV_Testing_Easy_Version|EV Readiness Test]] | * [[PSM:EV_Testing_Easy_Version|EV Readiness Test]] | ||
* [https://github.com/digicert/pkilint PKI Lint Tool for TLS & S/MIME] - source code download | |||
* [https://github.com/certlint/certlint BR Lint Certificate Test] - source code download | * [https://github.com/certlint/certlint BR Lint Certificate Test] - source code download | ||
* [https://github.com/zmap/zlint Certificate Test of Mozilla's and others' requirements] - source code download | * [https://github.com/zmap/zlint ZLint - Certificate Test of Mozilla's and others' requirements] - source code download | ||
* [https://github.com/kroeckx/x509lint X.509 Lint Certificate Test] - source code download | * [https://github.com/kroeckx/x509lint X.509 Lint Certificate Test] - source code download | ||
* [[CA:TestErrors|Common Test Errors]] | * [[CA:TestErrors|Common Test Errors]] | ||
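Review bot: The new "Revocation" sub-list links [[CA/Revocation_Checking_in_Firefox|How Firefox Performs Revocation Checking]], but the same target is still listed further down the page as "How Firefox performs revocation checking", so readers get two entries for one page; keep one and drop or redirect the other. Two smaller style points in the same region: the linter entries are labelled inconsistently (only the zlint line now leads with the tool name, while the pkilint, certlint and x509lint lines use descriptive labels), and the Root Inclusion Considerations line uses " -- " before a long inline description where the other annotated entries use " - ". Moving Forbidden or Problematic CA Practices and Maintenance and Enforcement one level down under Root Inclusion Considerations also makes them harder to find for CAs scanning the top-level list, so a short note on why they are nested would help.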
Line 70: | Line 82: | ||
* [https://blog.mozilla.org/security/2019/04/15/common-ca-database-ccadb/ What is the Common CA Database (CCADB)?] | * [https://blog.mozilla.org/security/2019/04/15/common-ca-database-ccadb/ What is the Common CA Database (CCADB)?] | ||
* [[CA/FAQ|FAQ About Certificates and CAs]] | * [[CA/FAQ|FAQ About Certificates and CAs]] | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/mozilla/ProblemReportingMechanismsReport List of CA problem reporting mechanisms (email, etc.)] (use this to report a certificate problem directly to the CA) | ||
* [https://bugzilla.mozilla.org/enter_bug.cgi?product= | * [https://bugzilla.mozilla.org/enter_bug.cgi?product=CA%20Program&component=CA%20Certificate%20Compliance Report an Incident to Mozilla] (be sure to click the "Security" checkbox if it is a [https://www.mozilla.org/en-US/security/#For_Developers security-sensitive incident]) | ||
* [[CA/Terminology|Glossary of CA and Certificate Terminology]] | * [[CA/Terminology|Glossary of CA and Certificate Terminology]] | ||
* [[ | * [[CA/Changing_Trust_Settings|Changing Certificate Trust Settings in Firefox]] | ||
* [https:// | ** [[CA/Changing_Trust_Settings#Trusting_an_Additional_Root_Certificate|Manually import a root certificate into Firefox]] | ||
* [https://certviewer-dot-ccadb-231121.appspot.com/certviewer Certificate Viewer] -- can also be installed/run locally (see [https://github.com/mozilla/CCADB-Tools/tree/master/certViewer ReadMe]) | |||
* [https://www.ssllabs.com/ssltest/analyze.html Qualys SSL Server Quality Checker] | * [https://www.ssllabs.com/ssltest/analyze.html Qualys SSL Server Quality Checker] | ||
* [https://observatory.mozilla.org/ Mozilla SSL Server Quality Checker] | * [https://observatory.mozilla.org/ Mozilla SSL Server Quality Checker] | ||
* [[CA/Revocation_Checking_in_Firefox|How Firefox performs revocation checking]] | * [[CA/Revocation_Checking_in_Firefox|How Firefox performs revocation checking]] | ||
* [https://certificate.revocationcheck.com/ Certificate Revocation Checker] (also checks CRL and OCSP server quality and compliance) | * [https://certificate.revocationcheck.com/ Certificate Revocation Checker] (also checks CRL and OCSP server quality and compliance) | ||
* [https://ccadb | * [https://ccadb.my.salesforce-sites.com/mozilla/CAAIdentifiersReport List of CAA Identifiers] (used to restrict issuance of certificates to specific CAs via a [https://tools.ietf.org/html/rfc6844 DNS Certification Authority Authorization Resource Record]) | ||
* [[CA/AddRootToFirefox|How to install your own root certificate in Firefox]] | * [[CA/AddRootToFirefox|How to install your own root certificate in Firefox]] | ||
== Discussion Forums == | == Discussion Forums == | ||
The following | The following public forums are relevant to CA evaluation and related issues. | ||
* [https://groups.google.com/a/mozilla.org/g/dev-security-policy Mozilla's dev-security-policy (MDSP)] mailing list is used for discussions of Mozilla policies related to security in general and CAs in particular, and for wider discussions about the WebPKI | |||
===== CCADB ===== | |||
* '''[https://groups.google.com/a/ccadb.org/g/public CCADB Public mailing list''' is used to conduct a six-week public discussion of CA root inclusion requests and to discuss important lessons learned from CA incident reports. See https://www.ccadb.org/cas/public-group for more information. | |||
===== MDSP ===== | |||
* '''[https://groups.google.com/a/mozilla.org/g/dev-security-policy Mozilla's dev-security-policy (MDSP)] mailing list''' is used for discussions of Mozilla policies related to security in general and CAs in particular, and for wider discussions about the WebPKI. If you are a regular participant in MDSP, then please add your name to the [[CA/Policy_Participants|Policy Participants]] page. | |||
===== Other MDSP Mail Archives ===== | |||
* '''New MDSP Messages''' (since August 2021) | |||
(HTML): https://www.mail-archive.com/dev-security-policy@mozilla.org/ | |||
(RSS): https://www.mail-archive.com/dev-security-policy@mozilla.org/maillist.xml | |||
* '''Old MDSP Messages''' (until April 2021) | |||
(HTML): https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/ | |||
(RSS): https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/maillist.xml | |||
===== Other Forums ===== | |||
* [https://groups.google.com/a/mozilla.org/g/dev-tech-crypto Mozilla's dev-tech-crypto] mailing list is used for discussions of the [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS] cryptographic library used in Firefox and other Mozilla-based products, as well as the [https://www.mozilla.org/projects/security/pki/psm/ PSM] module that implements higher-level security protocols for Firefox. | * [https://groups.google.com/a/mozilla.org/g/dev-tech-crypto Mozilla's dev-tech-crypto] mailing list is used for discussions of the [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS] cryptographic library used in Firefox and other Mozilla-based products, as well as the [https://www.mozilla.org/projects/security/pki/psm/ PSM] module that implements higher-level security protocols for Firefox. | ||
* For other discussions of Mozilla security issues: | * For other discussions of Mozilla security issues: |
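Review bot: The external link on the new CCADB Public mailing list line is never closed: "'''[https://groups.google.com/a/ccadb.org/g/public CCADB Public mailing list'''" has no "]" before the closing "'''", so the link will not render as intended; close it the way the MDSP line under it does ("...(MDSP)] mailing list'''"). The new sub-headings (CCADB, MDSP, Other MDSP Mail Archives, Other Forums) are written as level-5 "=====" headings directly under the level-2 "== Discussion Forums ==" section, which skips three levels; "===" would match the page's structure. Also, "Manually import a root certificate into Firefox" is added here while "How to install your own root certificate in Firefox" (CA/AddRootToFirefox) remains a few lines below, so the list now carries two entries for the same task.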