CA: Difference between revisions
Jump to navigation
Jump to search
| Line 32: | Line 32: | ||
=== How To ... === | === How To ... === | ||
* [[CA:UserCertDB|User Root Certificate Settings]] -- How to override the default root settings in Mozilla products. | |||
* [[PSM:EV_Testing_Easy_Version | EV Testing in Firefox:]] Explains how you can test that your CA certificate (that you want to enable for EV) and your OCSP infrastructure is working correctly according to the expectations of Mozilla, Firefox, the NSS library, and conforms to the SSL protocol specifications (as interpreted by Mozilla/NSS software). | * [[PSM:EV_Testing_Easy_Version | EV Testing in Firefox:]] Explains how you can test that your CA certificate (that you want to enable for EV) and your OCSP infrastructure is working correctly according to the expectations of Mozilla, Firefox, the NSS library, and conforms to the SSL protocol specifications (as interpreted by Mozilla/NSS software). | ||
** [[CA:EV_Revocation_Checking|EV certificates and revocation checking]]. This discusses how revocation checking via OCSP or CRLs affects the UI treatment of EV certificates. | ** [[CA:EV_Revocation_Checking|EV certificates and revocation checking]]. This discusses how revocation checking via OCSP or CRLs affects the UI treatment of EV certificates. | ||
* [[CA:Glossary|Glossary of CA- and Mozilla-related terms]]. Useful for following Mozilla CA-related discussions. | * [[CA:Glossary|Glossary of CA- and Mozilla-related terms]]. Useful for following Mozilla CA-related discussions. | ||
* [[CA:Certificate Download Specification|Certificate download specification]]. This document describes the data formats used by Mozilla products for installing certificates. | * [[CA:Certificate Download Specification|Certificate download specification]]. This document describes the data formats used by Mozilla products for installing certificates. | ||
=== Discussion forums === | === Discussion forums === | ||
Revision as of 19:48, 10 October 2012
Policy and Included CAs
- Spreadsheet of all included root certificates
- CAs with certificates included in the Mozilla project Root CA store after March 1st, 2007 and the information that was considered during the inclusion process.
- NSS:Release_Versions -- Mapping of Root Cert Inclusion Bugs to Mozilla Product Releases
- Pending CA requests -- CAs who have applied for inclusion of their certificates in the Mozilla project Root CA store, and whose applications are pending. Also CAs who have applied to add trust bits or enable EV for certificates that are already included in Mozilla's Root CA store, and their applications are pending.
- Updating Mozilla CA Certificate Policy: How the policy is updated, transitioning to new versions of the policy, things to discuss in regards to updating the Mozilla CA Certificate Policy.
- Dates for Phasing out MD5-based signatures and 1024-bit moduli
CA Communications
How to Apply for Root Inclusion or Changes
- Process Overview
- How to Apply -- A guide for CAs wishing to include their certificate in Mozilla's Root CA store, and also a guide for CAs wishing to add trust bits or enable EV for a certificate that is already included in Mozilla's Root CA store.
- Root Change Process. This wiki page describes how to change a root certificate that is currently included in NSS. This includes the process for disabling or removing a root certificate from NSS.
- Checklist of CA information required to process a CA's application
- Recommended practices for CAs wishing to have their root CA certificates included in Mozilla products
- Potentially problematic CA practices. This discusses CA practices that are not explicitly forbidden by the Mozilla CA policy, and do not necessarily pose security issues, but that some people have expressed concerns about and that may cause delays in evaluating and approving CA applications. Some of these practices may be addressed in future versions of the Mozilla CA policy.
- Queue for Public Discussion of CA evaluations
- Technical recommendations for root certificates. This is a very first-cut attempt to outline what root certificates should contain, based on the relevant RFCs as supplemented by existing practices.
- Checklist for Subordinate CAs and CSPs Information needed when subordinate CAs are operated by third parties.
How To ...
- User Root Certificate Settings -- How to override the default root settings in Mozilla products.
- EV Testing in Firefox: Explains how you can test that your CA certificate (that you want to enable for EV) and your OCSP infrastructure is working correctly according to the expectations of Mozilla, Firefox, the NSS library, and conforms to the SSL protocol specifications (as interpreted by Mozilla/NSS software).
- EV certificates and revocation checking. This discusses how revocation checking via OCSP or CRLs affects the UI treatment of EV certificates.
- Glossary of CA- and Mozilla-related terms. Useful for following Mozilla CA-related discussions.
- Certificate download specification. This document describes the data formats used by Mozilla products for installing certificates.
Discussion forums
The following Mozilla public forums are relevant to CA evaluation and related issues. Note that each forum can be accessed either as a mailing list or a newsgroup (using an NNTP-newsreader or the Google Groups service).
- Policy forum. This forum is used for discussions of Mozilla policies related to security in general and CAs in particular; among other things, it is the preferred forum for the public comment phase of CA evaluation.
- newsgroup: mozilla.dev.security.policy
- mailing list: dev-security-policy@mozilla.org
- Crypto forum. This forum is used for discussions of the NSS cryptographic library used in Firefox and other Mozilla-based products, as well as the PSM module that implements higher-level security protocols for Firefox, et.al. Note that this forum was previously used to discuss CA request, but such discussions should now be moved to the policy forum.
- newsgroup: mozilla.dev.tech.crypto
- mailing list: dev-tech-crypto@mozilla.org
- Security forum. This forum is used for discussions of Mozilla security issues in general. Crypto-related discussions should be moved to mozilla.dev.tech.crypto.
- newsgroup: mozilla.dev.security
- mailing list: dev-security@mozilla.org
Templates
The following are templates created by Gerv Markham for use by the Mozilla representative(s) responsible for working on CA requests. Except as noted the templates are used in creating comments for the bug report associated with a CA request.
- CA information
- Documents not in English
- Please confirm information
- Tentative approval
- Tentative approval (newsgroup post)
- Inclusion in NSS
Drafts or Works in Progress
- SSL Burn Down List -- collecting/prioritizing bugs
- OCSP Hard Fail -- What needs to be done before we can set OCSP to hard fail by default?
- Sandbox for identifying and resolving issues with the CA Inclusion Process
Obsolete
The following items are obsolete, and have been replaced by other links provided above.
- Applying for inclusion of CA root certificates. This wiki page has been replaced by A guide for CAs.
- Root Removal Policy Discussion. This wiki page is used to review and comment on the proposed policy and process for removing a CA root certificate.