Line 89: | Line 89: | ||
# Report security concern | # Report security concern | ||
#* When a serious security concern is noticed, such as a root or intermediate certificate compromise, it should be treated as a security-sensitive bug, and the [http://www.mozilla.org/projects/security/security-bugs-policy.html Mozilla Policy for Handling Security Bugs] should be followed. | #* When a serious security concern is noticed, such as a root or intermediate certificate compromise, it should be treated as a security-sensitive bug, and the [http://www.mozilla.org/projects/security/security-bugs-policy.html Mozilla Policy for Handling Security Bugs] should be followed. | ||
#* As per [http://www.mozilla.org/projects/security/security-bugs-policy.html Mozilla's Policy for Handling Security Bugs] a security concern may be reported by sending email to [mailto:security@mozilla.org security@mozilla.org] or by [https://bugzilla.mozilla.org/enter_bug.cgi? | #* As per [http://www.mozilla.org/projects/security/security-bugs-policy.html Mozilla's Policy for Handling Security Bugs] a security concern may be reported by sending email to [mailto:security@mozilla.org security@mozilla.org] or by [https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Security&bug_severity=critical filing a bug.] | ||
# Decide on course of action | # Decide on course of action | ||
#* Depending on the situation, discussion to determine the course of action may occur in security | #* Depending on the situation, discussion to determine the course of action may occur in private security group email list and/or in the public mozilla.dev.security.policy forum. | ||
#* The bug will be updated to indicate corresponding decisions. | #* The bug will be updated to indicate corresponding decisions. | ||
# Implement Code Change | # Implement Code Change | ||
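Review bot: the revised "Decide on course of action" bullet says discussion "may occur in private security group email list and/or in the public mozilla.dev.security.policy forum", while the step just above requires the concern to be handled as a security-sensitive bug under Mozilla's security bug policy; the two read as contradictory unless the bullet states that the public forum is used only once the security group has decided disclosure is appropriate. Minor: "in private security group email list" needs an article ("in the private security group email list"). The filled-in Bugzilla link now presets product, component and critical severity, but the sentence still does not remind the reporter to file the bug as security-sensitive, which is the whole point of the policy link it cites; add a short clause to that effect.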
Line 105: | Line 105: | ||
# Communication / Announcements | # Communication / Announcements | ||
#* Announcement in mozilla.dev.security.policy | #* Announcement in mozilla.dev.security.policy | ||
#* If the Active Distrust is the result of a security incident, then | #* If the Active Distrust is the result of a security incident, then the Mozilla Security Group will assign a [http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures CVE (security incident number)] and reference the new version of NSS or root module. | ||
#* May send an email communication to all CAs, depending on situation. | #* May send an email communication to all CAs, depending on situation. | ||
#* May post in [ | #* May post in [https://blog.mozilla.org/security/ Mozilla security blog,] depending on situation. | ||
# Result | # Result | ||
#* Users will get an error message when they try to browse to a website that uses (or chains up to) the Actively Distrusted certificate. | #* Users will get an error message when they try to browse to a website that uses (or chains up to) the Actively Distrusted certificate. |
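Review bot: "CVE (security incident number)" in the Communication bullet mislabels what the linked page defines; a CVE is a Common Vulnerabilities and Exposures identifier for the vulnerability, not an incident number, so the parenthetical should read "CVE identifier" or be dropped. The same bullet ends with "reference the new version of NSS or root module" without saying where that reference goes (the announcement, the bug, the release notes); name the place so the step is actionable. Style: the trailing comma in "[https://blog.mozilla.org/security/ Mozilla security blog,]" belongs outside the link text.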