CA:CommonCADatabase: Difference between revisions

From MozillaWiki
(Created page with "{{DRAFT}} The CA:SalesforceCommunity page will eventually be migrated to this page, because we plan to change the name "Salesforce CA Community" to...")
 
(Creating initial text)
Line 1: Line 1:
{{DRAFT}}
{{DRAFT}}
= Common CA Database (CCADB) =
The maintenance of net security protocols requires that [https://en.wikipedia.org/wiki/Certificate_authority Certification Authorities (CAs)] provide up-to-date information to root store operators. Historically, CAs have had to separately submit data to multiple, individual root store operators, resulting in inefficiency and duplication of effort. Mozilla maintains a CRM instance for communicating with CAs and managing CA data, called the Common CA Database (CCADB), which is also known as the CA Community in Salesforce.
* A [[CA:CommonCADatabase:RootStoreOperators|Root Store Member]] is any root store operator participating in the Common CA Database via the [[File:MozillaCommonCADatabaseAgreement.pdf|Mozilla Common CA Database Agreement]].
* A '''CA Member''' is any CA participating in the Common CA Database via [https://www.salesforce.com/communities/features/ Community licenses]. CA Members have restricted access to certain parts of the data in the Common CA Database; CA have read-only access to root certificate data, and are able to enter and modify the data regarding intermediate certificates chaining up to their own root certificates.


The [[CA:SalesforceCommunity|CA:SalesforceCommunity]] page will eventually be migrated to this page, because we plan to change the name "Salesforce CA Community" to "Common CA Database".
= Request a license =
CA Community Licenses are granted to CAs in the root store programs of participating root store operators. To request a license:
** Specific instructions for CAs in Microsoft's CA Program -- '''TO DO - ADD LINK'''
** [[CA:SalesforceCommunity|Specific instructions for CAs in Mozilla's CA Program]]  
 
= Getting Started =
After you receive email with your CA Community License, you may login to the Common CA Database by:
# Browse to '''TO DO'''
# Enter your email address that your CA Community License was sent to
# Create a password
 
Upon initial login you will see a row with three tabs:
# CA Owners/Certificates
#* Click on "CA Owners/Certificates" tab, then in "View:" select "Community User's CA Owners/Certificates" and click on "Go!". This will list the CA Owner and all of the root and intermediate certificates associated with your account. Click on the "CA Owner/Certificate Name" to view the record. Within the record you will see an Account Hierarchy section, where you can click on each root or intermediate certificate record to view the data.
#* Click on "CA Owners/Certificates" tab, then in "View:" select "All Included CA Owners" and click on "Go!". You will see all of the CAs who have root certificates included in the NSS root store. Click on the CA Owner Name, to view the record.
#* Click on "CA Owners/Certificates" tab, then in "View:" select "Community User's Intermediate Certs" and click on "Go!". This will list the intermediate certificates associated with your account. Click on the "CA Owner/Certificate Name" to view the record.
# Contacts
#* Click on "Contacts" tab, then in "View:" select "All Contacts" and click on "Go!". Click on the Name to view the contact record.
#* Note: If any of the contact information for your CA needs to be updated, then send email to Kathleen. CA Community licenses do not enable the CA to directly modify their contact data.
# Reports
#* Click on "Reports" tab, then click on the "CA Community Reports" link along the left column, then click on one of the reports in the list. Whenever you click on the "Reports" tab it will list the reports that you have recently viewed. You will need to click on the "CA Community Reports" link to see all of the reports that are available to you.
 
Important Notes:
* Each Owner/Certificate record has a "CA Owner/Certificate Name" field. For a certificate record, the value of this field is usually the Certificate '''Subject''' Common Name of the certificate. For a CA Owner record, this field displays the CA's name. (We cannot change the title of the field in the page, due to the way we are using it in Salesforce.)
* Each Certificate record has a "Parent CA Owner/Certificate" field. For an intermediate certificate record the value of the field should be the Certificate '''Issuer''' Common Name. For a root certificate record the value of the field will be the name of the CA owner. (We cannot change the title of the field in the page, due to the way we are using it in Salesforce.)
* CA Community Users cannot modify the records for: Owner, Root Certificate, and Contact. Only the [[Modules/All#CA_Certificates|CA Certificates Module Owner and Peers]] can modify these records.
* CA Community Users can only modify the intermediate certificate records for their CA.
* The Intermediate certificate records have a Status field that may not be modified by CAs.
* When PEM data is provided, the certificate details in the record may not be modified.
* PEM data must be provided for every intermediate certificate (chaining up to a root certificate in Mozilla's program) that is not [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|Technically Constrained]] via Extended Key Usage and Name Constraint settings. Policy documentation and audit statements must also be provided for these non-technically-constrained intermediate certificates, as per section 10 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy].
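
Review bot: The two entries under "Request a license" start with "**" but have no first-level "*" item above them, so the nesting has nothing to attach to; make them single "*" items or add the parent line. That section and step 1 of "Getting Started" still carry "TO DO" placeholders (the Microsoft instructions link and the login URL), so neither procedure can be followed as written. The contact-update note says only "send email to Kathleen"; give a full name or an address. In the CA Member bullet, "CA have read-only access" should read "CAs have read-only access".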

Revision as of 20:59, 4 October 2016

DRAFT
The content of this page is a work in progress intended for review.

Please help improve the draft!

Ask questions or make suggestions in the discussion
or add your suggestions directly to this page.

Common CA Database (CCADB)

The maintenance of net security protocols requires that Certification Authorities (CAs) provide up-to-date information to root store operators. Historically, CAs have had to separately submit data to multiple, individual root store operators, resulting in inefficiency and duplication of effort. Mozilla maintains a CRM instance for communicating with CAs and managing CA data, called the Common CA Database (CCADB), which is also known as the CA Community in Salesforce.

  • A Root Store Member is any root store operator participating in the Common CA Database via the Mozilla Common CA Database Agreement.
  • A CA Member is any CA participating in the Common CA Database via Community licenses. CA Members have restricted access to certain parts of the data in the Common CA Database; CAs have read-only access to root certificate data, and are able to enter and modify the data regarding intermediate certificates chaining up to their own root certificates.

Request a license

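CA Community Licenses are granted to CAs in the root store programs of participating root store operators. To request a license:

  • Specific instructions for CAs in Microsoft's CA Program -- TO DO - ADD LINK
  • Specific instructions for CAs in Mozilla's CA Program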

Getting Started

After you receive the email with your CA Community License, you may log in to the Common CA Database as follows:

  1. Browse to TO DO
  2. Enter the email address that your CA Community License was sent to
  3. Create a password

Upon initial login you will see a row with three tabs:

  1. CA Owners/Certificates
    • Click on "CA Owners/Certificates" tab, then in "View:" select "Community User's CA Owners/Certificates" and click on "Go!". This will list the CA Owner and all of the root and intermediate certificates associated with your account. Click on the "CA Owner/Certificate Name" to view the record. Within the record you will see an Account Hierarchy section, where you can click on each root or intermediate certificate record to view the data.
    • Click on "CA Owners/Certificates" tab, then in "View:" select "All Included CA Owners" and click on "Go!". You will see all of the CAs who have root certificates included in the NSS root store. Click on the CA Owner Name to view the record.
    • Click on "CA Owners/Certificates" tab, then in "View:" select "Community User's Intermediate Certs" and click on "Go!". This will list the intermediate certificates associated with your account. Click on the "CA Owner/Certificate Name" to view the record.
  2. Contacts
    • Click on "Contacts" tab, then in "View:" select "All Contacts" and click on "Go!". Click on the Name to view the contact record.
    • Note: If any of the contact information for your CA needs to be updated, then send email to Kathleen. CA Community licenses do not enable the CA to directly modify their contact data.
  3. Reports
    • Click on "Reports" tab, then click on the "CA Community Reports" link along the left column, then click on one of the reports in the list. Whenever you click on the "Reports" tab it will list the reports that you have recently viewed. You will need to click on the "CA Community Reports" link to see all of the reports that are available to you.

Important Notes:

  • Each Owner/Certificate record has a "CA Owner/Certificate Name" field. For a certificate record, the value of this field is usually the Certificate Subject Common Name of the certificate. For a CA Owner record, this field displays the CA's name. (We cannot change the title of the field in the page, due to the way we are using it in Salesforce.)
  • Each Certificate record has a "Parent CA Owner/Certificate" field. For an intermediate certificate record the value of the field should be the Certificate Issuer Common Name. For a root certificate record the value of the field will be the name of the CA owner. (We cannot change the title of the field in the page, due to the way we are using it in Salesforce.)
  • CA Community Users cannot modify the records for: Owner, Root Certificate, and Contact. Only the CA Certificates Module Owner and Peers can modify these records.
  • CA Community Users can only modify the intermediate certificate records for their CA.
  • The Intermediate certificate records have a Status field that may not be modified by CAs.
  • When PEM data is provided, the certificate details in the record may not be modified.
  • PEM data must be provided for every intermediate certificate (chaining up to a root certificate in Mozilla's program) that is not Technically Constrained via Extended Key Usage and Name Constraint settings. Policy documentation and audit statements must also be provided for these non-technically-constrained intermediate certificates, as per section 10 of Mozilla's CA Certificate Inclusion Policy.