CA: Difference between revisions

From MozillaWiki
(Add revocation checking link)
 
(52 intermediate revisions by 4 users not shown)
Line 2: Line 2:
= Mozilla's CA Certificate Program =
= Mozilla's CA Certificate Program =


Mozilla’s CA Certificate Program governs inclusion of root [https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates certificates] in [https://developer.mozilla.org/en-US/docs/NSS Network Security Services (NSS),] a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of products. The program is overseen by the module owner and peers of the [[Modules/Activities#CA_Certificates|CA Certificates Module]];  the policy itself is overseen by the module owner and peers of the [[Modules/Activities#Mozilla_CA_Certificate_Policy|CA Certificate Policy Module]].
Mozilla’s CA Certificate Program governs inclusion of root [https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates certificates] in [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS Network Security Services (NSS),] a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of products. The program is overseen by the module owner and peers of the [[Modules/Activities#CA_Certificates|CA Certificates Module]];  the policy itself is overseen by the module owner and peers of the [[Modules/Activities#Mozilla_CA_Certificate_Policy|CA Certificate Policy Module]].


== Policy ==
== Policy ==


* [http://www.mozilla.org/projects/security/certs/policy/ Root Store Policy] (current stable version: 2.6.1)
* [https://www.mozilla.org/projects/security/certs/policy/ Root Store Policy] (current stable version: 2.9)
* [[CA/Communications | CA Communications]] and their responses. Such communications may also set policy in advance of it being included in the Root Store Policy.
* [[CA/Communications | CA Communications]] and their responses. Such communications may also set policy in advance of it being included in the Root Store Policy.
* [[CA/Root_Store_Policy_Archive|Root Store Policy Archive]]
* [[CA/Root_Store_Policy_Archive|Root Store Policy Archive]]
Line 12: Line 12:
** [https://github.com/mozilla/pkipolicy/issues Root Store Policy Issue Tracker]
** [https://github.com/mozilla/pkipolicy/issues Root Store Policy Issue Tracker]
** [https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md Latest draft of Root Store Policy] (will become the next version)
** [https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md Latest draft of Root Store Policy] (will become the next version)
* [[CA/Transition_SMIME_BRs|Transition to S/MIME BRs]]


== Lists of CAs and Certificates ==
== Lists of CAs and Certificates ==
 
* [https://www.ccadb.org/rootstores/usage#ccadb-data-usage-terms Data Usage Terms]
* [[CA/Included_CAs|Included CAs]] (in the Root Program and in Firefox)
* [[CA/Included_CAs|Included CAs]] (in the Root Program and in Firefox)
* [[CA/Included_Certificates|Included CA Certificates]]
* [[CA/Included_Certificates|Included CA Certificates]]
Line 24: Line 25:
== Program Administration ==
== Program Administration ==


Most information relating to the administration of our program is stored either in [https://bugzilla.mozilla.org/ Bugzilla] or in the [http://ccadb.org/ Common CA Database].
Most information relating to the administration of our program is stored either in [https://bugzilla.mozilla.org/ Bugzilla] or in the [https://ccadb.org/ Common CA Database].


* [[CA/Dashboard|Certificate Change Request Dashboard]] - tracks applications and trust changes through the process in Bugzilla
* [[CA/Dashboard|Certificate Change Request Dashboard]] - tracks applications and trust changes through the process in Bugzilla
** [[CA/Prioritization|Certificate Change Prioritization]]
* [[CA/Certificate_Change_Requests|Certificate Change Requests]] as tracked in the CCADB
* [[CA/Certificate_Change_Requests|Certificate Change Requests]] as tracked in the CCADB
* [[CA/Incident_Dashboard|Incident and Compliance Dashboard]]
* [[CA/Incident_Dashboard|Incident and Compliance Dashboard]]
* [[CA/Bug_Triage|Bugzilla Bug Triage Process]]
** [[CA/Maintenance_and_Enforcement#Issues_Lists|CA Issues Lists]]
* [[CA/CCADB_Dashboard|CCADB Dashboard]]
* [[CA/Bug_Triage|Bugzilla Bug Triage Process]] - also lists whiteboard tags
* [[CA/Email_templates|Email Templates used by CCADB]]
* [[CA/Email_templates|Email Templates used by CCADB]]


Line 38: Line 42:


== Information for CAs ==
== Information for CAs ==
* [http://ccadb.org/cas/ CCADB Login]
* [https://ccadb.org/cas/ CCADB Login]
* [[CA/Audit_Statements|Audit_Statements]]
* [[CA/Responding_To_An_Incident|Responding to an Incident]] (such as a misissuance)
* [[CA/Responding_To_An_Incident|Responding to an Incident]] (such as a misissuance)
* [[CA/Vulnerability_Disclosure|Disclosing a Vulnerability or Security Incident]]
* [[CA/Application_Process|Application Process for Mozilla's Root Program]]
* [[CA/Application_Process|Application Process for Mozilla's Root Program]]
** [[CA/BR_Self-Assessment|Baseline Requirements Self Assessment]]
** [[CA/Quantifying_Value|Quantifying Value: Information Expected of New Applicants]]
** [[CA/Compliance_Self-Assessment|Compliance Self Assessment]]
*** [[CA/CPS_Review|Previous reviews of CP/CPS documents]]
** [[CA/Information_Checklist|CA Information Checklist]]
** [[CA/Information_Checklist|CA Information Checklist]]
** [[CA/Subordinate_CA_Checklist|Subordinate CA Information Checklist]]
** [[CA/Subordinate_CA_Checklist|Subordinate CA Information Checklist]]
* [[CA/Certificate_Change_Process|Making Changes to Included Roots]]
* [[CA/External_Sub_CAs|Approval Process for Externally Operated Subordinate CAs]]
* [[CA/Certificate_Change_Process|Change or Remove an Included Root Certificate]]
* [[CA/Root_CA_Lifecycles|Root CA Lifecycles]]
* [[CA/Required_or_Recommended_Practices|Required or Recommended CA Practices]]
* [[CA/Required_or_Recommended_Practices|Required or Recommended CA Practices]]
* [[CA/Forbidden_or_Problematic_Practices|Forbidden or Problematic CA Practices]]
* [[CA/Root_Inclusion_Considerations|Root Inclusion Considerations]] -- This page is intended to be used as a tool for identifying when a CA Operator's root inclusion request should be denied, or when a CA's root certificate should be removed from Mozilla's root store.
* [[CA/Maintenance_and_Enforcement|Maintenance and Enforcement]]
** [[CA/Forbidden_or_Problematic_Practices|Forbidden or Problematic CA Practices]]
** [[CA/Maintenance_and_Enforcement|Maintenance and Enforcement]]
* [[SecurityEngineering/Certificate_Verification|How Firefox Performs Certificate Verification]] and path construction
* [[CA/EV_Processing_for_CAs | How Firefox Processes EV Certificates]]
* [[CA/EV_Processing_for_CAs | How Firefox Processes EV Certificates]]
* Revocation
** [[CA/Revocation_Checking_in_Firefox|How Firefox Performs Revocation Checking]]
** [[CA/Revocation_Reasons|Revocation Reasons for TLS Server Certificates]]
* [[PSM:EV_Testing_Easy_Version|EV Readiness Test]]
* [[PSM:EV_Testing_Easy_Version|EV Readiness Test]]
* [https://github.com/awslabs/certlint BR Lint Certificate Test] - source code download
 
* [https://github.com/digicert/pkilint PKI Lint Tool for TLS & S/MIME] - source code download
* [https://github.com/certlint/certlint BR Lint Certificate Test] - source code download
* [https://github.com/zmap/zlint ZLint - Certificate Test of Mozilla's and others' requirements] - source code download
* [https://github.com/kroeckx/x509lint X.509 Lint Certificate Test] - source code download
* [https://github.com/kroeckx/x509lint X.509 Lint Certificate Test] - source code download
* [[CA:TestErrors|Common Test Errors]]
* [[CA:TestErrors|Common Test Errors]]


== Information for Auditors ==
== Information for Auditors ==
 
* [[CA/Audit_Statements#Auditor_Qualifications|Auditor Qualifications]]
* [[CA/Auditor_Compliance|Auditor Compliance Dashboard]]
* [[CA/Auditor_Compliance|Auditor Compliance Dashboard]]
* [[CA/BR_Audit_Guidance|Guidance on doing Baseline Requirements audits]]
* [[CA/BR_Audit_Guidance|Guidance on doing Baseline Requirements audits]]
Line 62: Line 80:
== Information for the Public ==
== Information for the Public ==
* [https://blog.mozilla.org/security/2019/02/14/why-does-mozilla-maintain-our-own-root-certificate-store/ Why Does Mozilla Maintain Our Own Root Certificate Store?]
* [https://blog.mozilla.org/security/2019/02/14/why-does-mozilla-maintain-our-own-root-certificate-store/ Why Does Mozilla Maintain Our Own Root Certificate Store?]
* [https://blog.mozilla.org/security/2019/04/15/common-ca-database-ccadb/ What is the Common CA Database (CCADB)?]
* [[CA/FAQ|FAQ About Certificates and CAs]]
* [[CA/FAQ|FAQ About Certificates and CAs]]
* [https://ccadb-public.secure.force.com/mozilla/ProblemReportingMechanismsReport List of CA problem reporting mechanisms (email, etc.)] (use this to report a certificate problem directly to the CA)
* [https://ccadb.my.salesforce-sites.com/mozilla/ProblemReportingMechanismsReport List of CA problem reporting mechanisms (email, etc.)] (use this to report a certificate problem directly to the CA)
* [https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance Report an Incident to Mozilla] (be sure to click the "Security" checkbox if it is a [https://www.mozilla.org/en-US/security/#For_Developers security-sensitive incident])
* [https://bugzilla.mozilla.org/enter_bug.cgi?product=CA%20Program&component=CA%20Certificate%20Compliance Report an Incident to Mozilla] (be sure to click the "Security" checkbox if it is a [https://www.mozilla.org/en-US/security/#For_Developers security-sensitive incident])
* [[CA/Upcoming_Distrust_Actions|Significant upcoming CA Distrust Actions]]
* [[CA/Terminology|Glossary of CA and Certificate Terminology]]
* [[CA/Terminology|Glossary of CA and Certificate Terminology]]
* [[PSM:Changing_Trust_Settings|Changing Certificate Trust Settings in Firefox]]
* [[CA/Changing_Trust_Settings|Changing Certificate Trust Settings in Firefox]]
* [https://tls-observatory.services.mozilla.com/static/certsplainer.html Mozilla's Certificate Explainer]
** [[CA/Changing_Trust_Settings#Trusting_an_Additional_Root_Certificate|Manually import a root certificate into Firefox]]
* [https://certviewer-dot-ccadb-231121.appspot.com/certviewer Certificate Viewer] -- can also be installed/run locally (see [https://github.com/mozilla/CCADB-Tools/tree/master/certViewer ReadMe])
* [https://www.ssllabs.com/ssltest/analyze.html Qualys SSL Server Quality Checker]
* [https://www.ssllabs.com/ssltest/analyze.html Qualys SSL Server Quality Checker]
* [https://observatory.mozilla.org/ Mozilla SSL Server Quality Checker]
* [https://observatory.mozilla.org/ Mozilla SSL Server Quality Checker]
* [[CA/Revocation_Checking_in_Firefox|How Firefox performs revocation checking]]
* [[CA/Revocation_Checking_in_Firefox|How Firefox performs revocation checking]]
* [https://certificate.revocationcheck.com/ Certificate Revocation Checker] (also checks CRL and OCSP server quality and compliance)
* [https://certificate.revocationcheck.com/ Certificate Revocation Checker] (also checks CRL and OCSP server quality and compliance)
* [https://ccadb-public.secure.force.com/mozilla/CAAIdentifiersReport List of CAA Identifiers] (used to restrict issuance of certificates to specific CAs via a [https://tools.ietf.org/html/rfc6844 DNS Certification Authority Authorization Resource Record])
* [https://ccadb.my.salesforce-sites.com/mozilla/CAAIdentifiersReport List of CAA Identifiers] (used to restrict issuance of certificates to specific CAs via a [https://tools.ietf.org/html/rfc6844 DNS Certification Authority Authorization Resource Record])
* [[CA/AddRootToFirefox|How to install your own root certificate in Firefox]]
* [[CA/AddRootToFirefox|How to install your own root certificate in Firefox]]


== Discussion Forums ==
== Discussion Forums ==


The following Mozilla public forums are relevant to CA evaluation and related issues. Each forum can be accessed either as a mailing list, over the web or as a newsgroup.
The following public forums are relevant to CA evaluation and related issues.  
 
===== CCADB =====
* '''[https://groups.google.com/a/ccadb.org/g/public CCADB Public mailing list]''' is used to conduct a six-week public discussion of CA root inclusion requests and to discuss important lessons learned from CA incident reports. See https://www.ccadb.org/cas/public-group for more information.
 
===== MDSP =====
* '''[https://groups.google.com/a/mozilla.org/g/dev-security-policy Mozilla's dev-security-policy (MDSP)] mailing list''' is used for discussions of Mozilla policies related to security in general and CAs in particular, and for wider discussions about the WebPKI. If you are a regular participant in MDSP, then please add your name to the [[CA/Policy_Participants|Policy Participants]] page.
 
===== Other MDSP Mail Archives =====
* '''New MDSP Messages''' (since August 2021)
 
(HTML): https://www.mail-archive.com/dev-security-policy@mozilla.org/
 
(RSS): https://www.mail-archive.com/dev-security-policy@mozilla.org/maillist.xml
 
* '''Old MDSP Messages''' (until April 2021)
 
(HTML): https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/
 
(RSS): https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/maillist.xml


* [https://www.mozilla.org/en-US/about/forums/#dev-security-policy mozilla.dev.security.policy] (MDSP). This forum is used for discussions of Mozilla policies related to security in general and CAs in particular, and for wider discussions about the WebPKI. Among other things, it is the preferred forum for the public comment phase of CA evaluation. If you are a regular participant in MDSP, then please add your name to the [[CA/Policy_Participants|Policy Participants]] page.
===== Other Forums =====
* [https://www.mozilla.org/en-US/about/forums/#dev-tech-crypto mozilla.dev.tech.crypto]. This forum is used for discussions of the [http://www.mozilla.org/projects/security/pki/nss/ NSS] cryptographic library used in Firefox and other Mozilla-based products, as well as the [http://www.mozilla.org/projects/security/pki/psm/ PSM] module that implements higher-level security protocols for Firefox.
* [https://groups.google.com/a/mozilla.org/g/dev-tech-crypto Mozilla's dev-tech-crypto] mailing list is used for discussions of the [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS] cryptographic library used in Firefox and other Mozilla-based products, as well as the [https://www.mozilla.org/projects/security/pki/psm/ PSM] module that implements higher-level security protocols for Firefox.
* [https://www.mozilla.org/en-US/about/forums/#dev-security mozilla.dev.security]. This forum is used for discussions of Mozilla security issues in general.
* For other discussions of Mozilla security issues:
** [https://discourse.mozilla.org/c/security/ Mozilla's Security Web forum] is a place to discuss information security work in the open source space, where Mozilla is empowering users to build and curate a Healthy Internet.
** [https://discourse.mozilla.org/tags/c/firefox-development/privacy-and-security Mozilla's privacy-and-security forum] is a place to discuss issues and questions specific to privacy and security.
** [https://chat.mozilla.org/#/room/#security:mozilla.org chat on Matrix] may also be used

Latest revision as of 16:35, 8 May 2024
