CA: Difference between revisions

CA-related Documents (Work in Progress)

Note: This page and related pages contain unofficial documents related to Mozilla and Certification Authorities, including draft policies, notes, and related information. The www.mozilla.org site contains all official CA-related Mozilla documents, including the Mozilla CA Certificate Policy, the list of pending CA requests, and the list of included CAs.

Work in progress

• A guide for CAs wishing to apply for inclusion of their root CA certificates.
• Checklist of CA information required to process a CA's application
• Recommended practices for CAs wishing to have their root CA certificates included in Mozilla products
• Potentially problematic CA practices. This discusses CA practices that are not explicitly forbidden by the Mozilla CA policy, and do not necessarily pose security issues, but that some people have expressed concerns about and that may cause delays in evaluating and approving CA applications. Some of these practices may be addressed in future versions of the Mozilla CA policy.
• List of included root certificates, also available in pdf
• Queue for Public Discussion of CA evaluations
• EV certificates and revocation checking. This discusses how revocation checking via OCSP or CRLs affects the UI treatment of EV certificates.
• Glossary of CA- and Mozilla-related terms. Useful for following Mozilla CA-related discussions.
• Certificate download specification. This document describes the data formats used by Mozilla products for installing certificates.
• Technical recommendations for root certificates. This is a very first-cut attempt to outline what root certificates should contain, based on the relevant RFCs as supplemented by existing practices.
• Checklist for Subordinate CAs and CSPs Information needed when subordinate CAs are operated by third parties.
• Root Removal Policy Discussion. This wiki page is used to review and comment on the proposed policy and process for removing a CA root certificate.

Discussion forums

The following Mozilla public forums are relevant to CA evaluation and related issues. Note that each forum can be accessed either as a mailing list or a newsgroup (using an NNTP-newsreader or the Google Groups service).

• Policy forum. This forum is used for discussions of Mozilla policies related to security in general and CAs in particular; among other things, it is the preferred forum for the public comment phase of CA evaluation.
  • newsgroup: mozilla.dev.security.policy
  • mailing list: dev-security-policy@mozilla.org
• Crypto forum. This forum is used for discussions of the NSS cryptographic library used in Firefox and other Mozilla-based products, as well as the PSM module that implements higher-level security protocols for Firefox, et.al. Note that this forum was previously used to discuss CA request, but such discussions should now be moved to the policy forum.
  • newsgroup: mozilla.dev.tech.crypto
  • mailing list: dev-tech-crypto@mozilla.org
• Security forum. This forum is used for discussions of Mozilla security issues in general. Crypto-related discussions should be moved to mozilla.dev.tech.crypto.
  • newsgroup: mozilla.dev.security
  • mailing list: dev-security@mozilla.org

Templates

The following are templates created by Gerv Markham for use by the Mozilla representative(s) responsible for working on CA requests. Except as noted the templates are used in creating comments for the bug report associated with a CA request.

• CA information
• Documents not in English
• Please confirm information
• Tentative approval
• Tentative approval (newsgroup post)
• Inclusion in NSS

Obsolete

The following items are obsolete and will be removed.

• Applying for inclusion of CA root certificates. This gives step-by-step instructions on how to apply to Mozilla to have your CA's root certificate(s) included in Mozilla products. Note: This wiki page has been replaced by A guide for CAs.