NSS:CAInclusionProcessIssues: Difference between revisions

Blanked the page
This page was created so people can add and track progress of resolving issues/concerns with Mozilla's current CA Inclusion Process.


== Issues currently being worked on ==
As [http://www.mozilla.org/projects/security/certs/policy/ Mozilla's CA Certificate Policy] is updated, CAs with root certs included in NSS are given a [https://wiki.mozilla.org/CA:CertPolicyUpdates#Transitioning_to_the_Updated_Policy time frame to come into compliance with the new rules.] The new rules are also applied to CAs with requests in the queue for discussion.
Here are issues with Mozilla's CA Inclusion Process that are currently being worked on, and the actions that are being taken.
Accountability of sub-CAs
* A [http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/InclusionPolicy.html draft update to the Mozilla CA Certificate Policy] is in progress to require sub-CAs to either be technically constrained or be audited according to Mozilla's CA Certificate Policy.
* CAs requesting root inclusion or updates have to provide the information in the [https://wiki.mozilla.org/CA:SubordinateCA_checklist Checklist for Subordinate CAs]
The current WebTrust and ETSI audits don't sufficiently check network security protections.
* [https://wiki.mozilla.org/CA:Communications#September_8.2C_2011 CA Communication sent to CAs in September.] All CAs must appropriately respond to that communication and provide further information in those areas before their inclusion request may enter public discussion.
* Updating [http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/InclusionPolicy.html Mozilla's CA Certificate Policy] to add a requirement for CAs to comply with the [http://www.cabforum.org/ CA/Browser Forum’s Baseline Requirements] and be audited to those criteria. In particular, BR 16 addresses data security, risk assessment, security plan, system security, and private key protection. This is currently in discussion in m.d.s.policy. The CAB Forum is working to have audits include the BRs by the end of 2012.
== Issues that need to be addressed ==
The following are issues with Mozilla's CA Inclusion Process that people would like to have addressed.
* CA requests sit in the [https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion Queue for Public Discussion] for up to a year.