MozillaWiki

CA: Difference between revisions

Page Discussion

CA (view source)

Revision as of 16:35, 8 May 2024

2,761 bytes added ,  8 May 2024
m
→‎Program Administration: added text
m (Protected "CA:Overview" ([edit=sysop] (indefinite) [move=canmove] (indefinite)))
 
(153 intermediate revisions by 6 users not shown)
Line 1: Line 1:
== Policy and Included CAs ==
__NOTOC__
= Mozilla's CA Certificate Program =


* [http://www.mozilla.org/projects/security/certs/policy/ Mozilla's CA Certificate Policy]
Mozilla’s CA Certificate Program governs inclusion of root [https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates certificates] in [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS Network Security Services (NSS),] a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of products. The program is overseen by the module owner and peers of the [[Modules/Activities#CA_Certificates|CA Certificates Module]];  the policy itself is overseen by the module owner and peers of the [[Modules/Activities#Mozilla_CA_Certificate_Policy|CA Certificate Policy Module]].


* [[CA:UserCertDB|User Root Certificate Settings]] -- How to override the default root settings in Mozilla products.
== Policy ==


* [http://tinyurl.com/MozillaBuiltInCAs Spreadsheet of all included root certificates]
* [https://www.mozilla.org/projects/security/certs/policy/ Root Store Policy] (current stable version: 2.9)
** [http://www.mozilla.org/projects/security/certs/included/ CAs with certificates included in the Mozilla project Root CA store after March 1st, 2007] and the information that was considered during the inclusion process.
* [[CA/Communications | CA Communications]] and their responses. Such communications may also set policy in advance of it being included in the Root Store Policy.
** [[NSS:Release_Versions | NSS:Release_Versions]] -- Mapping of Root Cert Inclusion Bugs to Mozilla Product Releases
* [[CA/Root_Store_Policy_Archive|Root Store Policy Archive]]
* [http://www.mozilla.org/projects/security/certs/pending/ Pending CA requests] --  CAs who have applied for inclusion of their certificates in the Mozilla project Root CA store, and whose applications are pending. Also CAs who have applied to add trust bits or enable EV for certificates that are already included in Mozilla's Root CA store, and their applications are pending.
* [[CA/Updating_Root_Store_Policy|Process for updating the Root Store Policy]]
** [https://github.com/mozilla/pkipolicy/issues Root Store Policy Issue Tracker]
** [https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md Latest draft of Root Store Policy] (will become the next version)
* [[CA/Transition_SMIME_BRs|Transition to S/MIME BRs]]


* [[CA:Policy|Changes to Mozilla's CA Certificate Policy]] -- How to view changes to the policy, and snapshots of old versions of the policy.
== Lists of CAs and Certificates ==
* [[CA:CertPolicyUpdates|Updating Mozilla CA Certificate Policy]] -- How the policy is updated, transitioning to new versions of the policy, things to discuss in regards to updating the Mozilla CA Certificate Policy.
* [https://www.ccadb.org/rootstores/usage#ccadb-data-usage-terms Data Usage Terms]
* [[CA:MD5and1024|Dates for Phasing out MD5-based signatures and 1024-bit moduli]]
* [[CA/Included_CAs|Included CAs]] (in the Root Program and in Firefox)
* [[CA/Included_Certificates|Included CA Certificates]]
* [[CA/Intermediate_Certificates|Intermediate Certificates]]
* [[CA/Removed_Certificates|Removed CA Certificates]]
* [[NSS:Release_Versions|NSS Release Versions]] - shows in which version of Mozilla products each root certificate was first available
* [[CA/Additional_Trust_Changes| Additional Trust Policies ]] - describes trust policies enforced by PSM in Firefox and Thunderbird, but not represented in the NSS root store.


== CA Communications ==
== Program Administration ==


* [[CA:Communications | Communications sent to CAs]]
Most information relating to the administration of our program is stored either in [https://bugzilla.mozilla.org/ Bugzilla] or in the [https://ccadb.org/ Common CA Database].


== How to Apply for Root Inclusion or Changes ==
* [[CA/Dashboard|Certificate Change Request Dashboard]] - tracks applications and trust changes through the process in Bugzilla
** [[CA/Prioritization|Certificate Change Prioritization]]
* [[CA/Certificate_Change_Requests|Certificate Change Requests]] as tracked in the CCADB
* [[CA/Incident_Dashboard|Incident and Compliance Dashboard]]
** [[CA/Maintenance_and_Enforcement#Issues_Lists|CA Issues Lists]]
* [[CA/CCADB_Dashboard|CCADB Dashboard]]
* [[CA/Bug_Triage|Bugzilla Bug Triage Process]] - also lists whiteboard tags
* [[CA/Email_templates|Email Templates used by CCADB]]


* [https://wiki.mozilla.org/CA Process Overview]
====crt.sh====
* [[CA:How_to_apply|How to Apply]] -- A guide for CAs wishing to include their certificate in Mozilla's Root CA store, and also a guide for CAs wishing to add trust bits or enable EV for a certificate that is already included in Mozilla's Root CA store.
* [[CA:Root_Change_Process|Root Change Process]] -- How to request a change to a root certificate that is currently included in NSS. This includes the process for disabling or removing a root certificate from NSS.


* [[CA:Information_checklist|Checklist of CA information]] required to process a CA's application
* [https://crt.sh/mozilla-disclosures Disclosure status of all certificates known to CT]
* [[CA:Recommended_Practices|Recommended practices for CAs]] wishing to have their root CA certificates included in Mozilla products
* [https://crt.sh/?cablint=issues Problematic certificates issued in the past week known to CT]
* [[CA:Problematic_Practices|Potentially problematic CA practices]]. This discusses CA practices that are not explicitly forbidden by the Mozilla CA policy, and do not necessarily pose security issues, but that some people have expressed concerns about and that may cause delays in evaluating and approving CA applications. Some of these practices may be addressed in future versions of the Mozilla CA policy.
* [[CA:Schedule|Queue for Public Discussion]] of CA evaluations
* [[CA:Recommendations_for_Roots|Technical recommendations for root certificates]]. This is a very first-cut attempt to outline what root certificates should contain, based on the relevant RFCs as supplemented by existing practices.
* [[CA:SubordinateCA_checklist|Checklist for Subordinate CAs and CSPs]] Information needed when subordinate CAs are operated by third parties.


* [[PSM:EV_Testing_Easy_Version | EV Testing in Firefox:]] Explains how you can test that your CA certificate (that you want to enable for EV) and your OCSP infrastructure is working correctly according to the expectations of Mozilla, Firefox, the NSS library, and conforms to the SSL protocol specifications (as interpreted by Mozilla/NSS software).
== Information for CAs ==
** [[CA:EV_Revocation_Checking|EV certificates and revocation checking]]. This discusses how revocation checking via OCSP or CRLs affects the UI treatment of EV certificates.
* [https://ccadb.org/cas/ CCADB Login]
* Terminology
* [[CA/Audit_Statements|Audit_Statements]]
** [[CA:Glossary|Glossary of CA- and Mozilla-related terms]]. Useful for following Mozilla CA-related discussions.
* [[CA/Responding_To_An_Incident|Responding to an Incident]] (such as a misissuance)
** [[CA:Terminology | High Level Terminology]]
* [[CA/Vulnerability_Disclosure|Disclosing a Vulnerability or Security Incident]]
* [[CA:Certificate Download Specification|Certificate download specification]]. This document describes the data formats used by Mozilla products for installing certificates.
* [[CA/Application_Process|Application Process for Mozilla's Root Program]]
** [[CA/Quantifying_Value|Quantifying Value: Information Expected of New Applicants]]
** [[CA/Compliance_Self-Assessment|Compliance Self Assessment]]
*** [[CA/CPS_Review|Previous reviews of CP/CPS documents]]
** [[CA/Information_Checklist|CA Information Checklist]]
** [[CA/Subordinate_CA_Checklist|Subordinate CA Information Checklist]]
* [[CA/External_Sub_CAs|Approval Process for Externally Operated Subordinate CAs]]
* [[CA/Certificate_Change_Process|Change or Remove an Included Root Certificate]]
* [[CA/Root_CA_Lifecycles|Root CA Lifecycles]]
* [[CA/Required_or_Recommended_Practices|Required or Recommended CA Practices]]
* [[CA/Root_Inclusion_Considerations|Root Inclusion Considerations]] -- This page is intended to be used as a tool for identifying when a CA Operator's root inclusion request should be denied, or when a CA's root certificate should be removed from Mozilla's root store.  
** [[CA/Forbidden_or_Problematic_Practices|Forbidden or Problematic CA Practices]]
** [[CA/Maintenance_and_Enforcement|Maintenance and Enforcement]]
* [[SecurityEngineering/Certificate_Verification|How Firefox Performs Certificate Verification]] and path construction
* [[CA/EV_Processing_for_CAs | How Firefox Processes EV Certificates]]
* Revocation
** [[CA/Revocation_Checking_in_Firefox|How Firefox Performs Revocation Checking]]
** [[CA/Revocation_Reasons|Revocation Reasons for TLS Server Certificates]]
* [[PSM:EV_Testing_Easy_Version|EV Readiness Test]]


== Discussion forums ==
* [https://github.com/digicert/pkilint PKI Lint Tool for TLS & S/MIME] - source code download
* [https://github.com/certlint/certlint BR Lint Certificate Test] - source code download
* [https://github.com/zmap/zlint ZLint - Certificate Test of Mozilla's and others' requirements] - source code download
* [https://github.com/kroeckx/x509lint X.509 Lint Certificate Test] - source code download
* [[CA:TestErrors|Common Test Errors]]


The following Mozilla public forums are relevant to CA evaluation and related issues. Note that each forum can be accessed either as a mailing list or a  newsgroup (using an NNTP-newsreader or the Google Groups service).
== Information for Auditors ==
* Policy forum. This forum is used for discussions of Mozilla policies related to security in general and CAs in particular; among other things, it is the preferred forum for the public comment phase of CA evaluation.
* [[CA/Audit_Statements#Auditor_Qualifications|Auditor Qualifications]]
** newsgroup: [http://groups.google.com/group/mozilla.dev.security.policy/topics?pli=1 mozilla.dev.security.policy]
* [[CA/Auditor_Compliance|Auditor Compliance Dashboard]]
** mailing list: [https://lists.mozilla.org/listinfo/dev-security dev-security-policy@mozilla.org]
* [[CA/BR_Audit_Guidance|Guidance on doing Baseline Requirements audits]]
* Crypto forum. This forum is used for discussions of the [http://www.mozilla.org/projects/security/pki/nss/ NSS] cryptographic library used in Firefox and other Mozilla-based products, as well as the [http://www.mozilla.org/projects/security/pki/psm/ PSM] module that implements higher-level security protocols for Firefox, et.al. Note that this forum was previously used to discuss CA request, but such discussions should now be moved to the policy forum.
* [[CA/Auditor_Mistakes|Mistakes we have seen auditors make]] and their consequences
** newsgroup: [http://groups.google.com/group/mozilla.dev.tech.crypto/topics?pli=1 mozilla.dev.tech.crypto]
** mailing list: [https://lists.mozilla.org/listinfo/dev-tech-crypto dev-tech-crypto@mozilla.org]
* Security forum. This forum is used for discussions of Mozilla security issues in general. Crypto-related discussions should be moved to mozilla.dev.tech.crypto.
** newsgroup: [http://groups.google.com/group/mozilla.dev.security/topics?pli=1 mozilla.dev.security]
** mailing list: [https://lists.mozilla.org/listinfo/dev-security dev-security@mozilla.org]


== Work in Progress ==
== Information for the Public ==
* [https://blog.mozilla.org/security/2019/02/14/why-does-mozilla-maintain-our-own-root-certificate-store/ Why Does Mozilla Maintain Our Own Root Certificate Store?]
* [https://blog.mozilla.org/security/2019/04/15/common-ca-database-ccadb/ What is the Common CA Database (CCADB)?]
* [[CA/FAQ|FAQ About Certificates and CAs]]
* [https://ccadb.my.salesforce-sites.com/mozilla/ProblemReportingMechanismsReport List of CA problem reporting mechanisms (email, etc.)] (use this to report a certificate problem directly to the CA)
* [https://bugzilla.mozilla.org/enter_bug.cgi?product=CA%20Program&component=CA%20Certificate%20Compliance Report an Incident to Mozilla] (be sure to click the "Security" checkbox if it is a [https://www.mozilla.org/en-US/security/#For_Developers security-sensitive incident])
* [[CA/Terminology|Glossary of CA and Certificate Terminology]]
* [[CA/Changing_Trust_Settings|Changing Certificate Trust Settings in Firefox]]
** [[CA/Changing_Trust_Settings#Trusting_an_Additional_Root_Certificate|Manually import a root certificate into Firefox]]
* [https://certviewer-dot-ccadb-231121.appspot.com/certviewer Certificate Viewer] -- can also be installed/run locally (see [https://github.com/mozilla/CCADB-Tools/tree/master/certViewer ReadMe])
* [https://www.ssllabs.com/ssltest/analyze.html Qualys SSL Server Quality Checker]
* [https://observatory.mozilla.org/ Mozilla SSL Server Quality Checker]
* [[CA/Revocation_Checking_in_Firefox|How Firefox performs revocation checking]]
* [https://certificate.revocationcheck.com/ Certificate Revocation Checker] (also checks CRL and OCSP server quality and compliance)
* [https://ccadb.my.salesforce-sites.com/mozilla/CAAIdentifiersReport List of CAA Identifiers] (used to restrict issuance of certificates to specific CAs via a [https://tools.ietf.org/html/rfc6844 DNS Certification Authority Authorization Resource Record])
* [[CA/AddRootToFirefox|How to install your own root certificate in Firefox]]


* [http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/ DRAFT of proposed next version of Mozilla's CA Certificate Policy]
== Discussion Forums ==
* [[NSS:BurnDownList | SSL Burn Down List]] -- Collecting/prioritizing NSS and PSM work.
* [[CA:OCSP-HardFail | OCSP Hard Fail]] -- What needs to be done before we can set OCSP to hard fail by default?
* [[CA:CAInclusionProcessIssues | Sandbox for identifying and resolving issues with the CA Inclusion Process]]


== Templates ==
The following public forums are relevant to CA evaluation and related issues.


The following are templates created by Gerv Markham for use by the Mozilla representative(s) responsible for working on CA requests. Except as noted the templates are used in creating comments for the bug report associated with a CA request.
===== CCADB =====
* '''[https://groups.google.com/a/ccadb.org/g/public CCADB Public mailing list''' is used to conduct a six-week public discussion of CA root inclusion requests and to discuss important lessons learned from CA incident reports. See https://www.ccadb.org/cas/public-group for more information.


* [[CA:Information_template|CA information]]
===== MDSP =====
* [[CA:Nonenglish_template|Documents not in English]]
* '''[https://groups.google.com/a/mozilla.org/g/dev-security-policy Mozilla's dev-security-policy (MDSP)] mailing list''' is used for discussions of Mozilla policies related to security in general and CAs in particular, and for wider discussions about the WebPKI. If you are a regular participant in MDSP, then please add your name to the [[CA/Policy_Participants|Policy Participants]] page.
* [[CA:Confirm_template|Please confirm information]]
* [[CA:Tentative_approval_template|Tentative approval]]
* [[CA:Tentative_approval_post_template|Tentative approval (newsgroup post)]]
* [[CA:Inclusion_template|Inclusion in NSS]]


== Obsolete ==
===== Other MDSP Mail Archives =====
* '''New MDSP Messages''' (since August 2021)


The following items are obsolete, and have been replaced by other links provided above.
(HTML): https://www.mail-archive.com/dev-security-policy@mozilla.org/


* [[CA:Root_Certificate_Requests|Applying for inclusion of CA root certificates]]. This wiki page has been replaced by [[CA:How_to_apply|A guide for CAs]].
(RSS): https://www.mail-archive.com/dev-security-policy@mozilla.org/maillist.xml
* [[CA:Root_Removal_Policy_Notes|Root Removal Policy Discussion]]. This wiki page is used to review and comment on the proposed policy and process for removing a CA root certificate.
 
* '''Old MDSP Messages''' (until April 2021)
 
(HTML): https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/
 
(RSS): https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/maillist.xml
 
===== Other Forums =====
* [https://groups.google.com/a/mozilla.org/g/dev-tech-crypto Mozilla's dev-tech-crypto] mailing list is used for discussions of the [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS] cryptographic library used in Firefox and other Mozilla-based products, as well as the [https://www.mozilla.org/projects/security/pki/psm/ PSM] module that implements higher-level security protocols for Firefox.
* For other discussions of Mozilla security issues:
** [https://discourse.mozilla.org/c/security/ Mozilla's Security Web forum] is a place to discuss information security work in the open source space, where Mozilla is empowering users to build and curate a Healthy Internet.
** [https://discourse.mozilla.org/tags/c/firefox-development/privacy-and-security Mozilla's privacy-and-security forum] is a place to discuss issues and questions specific to privacy and security.
** [https://chat.mozilla.org/#/room/#security:mozilla.org chat on Matrix] may also be used
Bwilson
Confirmed users
377

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/479051...1250732"