CA/Communications

From MozillaWiki
Revision as of 17:59, 8 September 2011 by Kathleen Wilson (talk | contribs) (Created page with "The following are communications that have been sent to Certification Authorities participating in Mozilla's root program. === September 8, 2011 === '''Subject:''' Mozilla Commu...")

The following are communications that have been sent to Certification Authorities participating in Mozilla's root program.

September 8, 2011

Subject: Mozilla Communication: Immediate action requested

Dear Certification Authority,

This note requests a set of immediate actions on your behalf, as a participant in the Mozilla root program.

Mozilla recently removed the DigiNotar root certificate in response to their failure to promptly detect, contain, and notify Mozilla of a security breach regarding their root and subordinate certificates (https://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up). If you ever have reason to suspect a security breach or mis-issuance has occurred at your CA or elsewhere, please contact security@mozilla.org immediately.

Please confirm completion of the following actions or state when these actions will be completed, and provide the requested information no later than September 16, 2011:

1) Audit your PKI and review your systems to check for intrusion or compromise. This includes all third party CAs and RAs.

2) Send a complete list of CA certificates from other roots in our program that your roots (including third party CAs and RAs) have cross-signed. A listing of all root certificates in Mozilla's products is here: http://www.mozilla.org/projects/security/certs/included

3) Confirm that multi-factor authentication is required for all accounts capable of directly causing certificate issuance.

4) Confirm that you have automatic blocks in place for high-profile domain names (including those targeted in the DigiNotar and Comodo attacks this year). Please further confirm your process for manually verifying such requests, when blocked.

5) For each external third party (CAs and RAs) that issues certificates or can directly cause the issuance of certificates within the hierarchy of the root certificate(s) that you have included in Mozilla products, either:

a) Implement technical controls to restrict issuance to a specific set of domain names which you have confirmed that the third party has registered or has been authorized to act for (e.g. RFC5280 x509 dNSName name constraints, marked critical)

OR

b) Send a complete list of all third parties along with links to each of their corresponding Certificate Policy and/or Certification Practice Statement and provide public attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties with access to details of the subordinate CA's internal operations.

Each action requested above applies both to your root and to these third parties.

Participation in Mozilla's root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your participation in this pursuit.

Regards,
Kathleen Wilson
Module Owner of Mozilla's CA Certificates Module
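Item 5a above asks CAs to technically restrict third-party subordinates with RFC 5280 dNSName name constraints marked critical. The script below is an added editorial example, not part of the Mozilla communication and not any CA's tooling. It builds a throwaway two-level hierarchy with the openssl command line, gives the subordinate CA a critical nameConstraints extension that permits only example.com and its subdomains, then shows openssl verify accepting a leaf for www.example.com and rejecting one for www.mozilla.org. It assumes an openssl binary (1.1.1 or 3.x) on PATH; the permitted domain, the two leaf names, the subject names and the file stems are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Mozilla communication: a scratch two-level
# hierarchy whose subordinate CA carries a critical RFC 5280 nameConstraints
# extension. Assumes `openssl` (1.1.1 or 3.x) on PATH. example.com,
# www.mozilla.org, the CN strings and the file stems are constructed.

PKI_DIR=$(mktemp -d) || exit 1
trap 'rm -rf "$PKI_DIR"' EXIT

write_cnf() {  # $1 = stem, $2 = subject CN; extension lines are read from stdin
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n[ext]\n' "$2"
    cat
  } > "$PKI_DIR/$1.cnf"
}

newkey_csr() {  # $1 = stem: fresh P-256 key plus a CSR built from $1.cnf
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" \
    -config "$PKI_DIR/$1.cnf" >/dev/null 2>&1
}

sign_with() {  # $1 = stem to sign, $2 = issuer stem, $3 = validity in days
  # Extensions come from the [ext] section of the subject's own config file,
  # chosen by the issuer, not from whatever the CSR asked for.
  openssl x509 -req -in "$PKI_DIR/$1.csr" \
    -CA "$PKI_DIR/$2.pem" -CAkey "$PKI_DIR/$2.key" -CAcreateserial \
    -days "$3" -extfile "$PKI_DIR/$1.cnf" -extensions ext \
    -out "$PKI_DIR/$1.pem" >/dev/null 2>&1
}

build_cas() {
  write_cnf root "Demo Root CA" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$PKI_DIR/root.key" -out "$PKI_DIR/root.pem" -days 3650 \
    -config "$PKI_DIR/root.cnf" -extensions ext >/dev/null 2>&1 || return 1

  # The control from item 5a: this subordinate may only issue for example.com
  # and its subdomains. Marking the extension critical makes a relying party
  # that does not understand name constraints reject the chain outright.
  write_cnf int "Constrained Sub CA" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:example.com
EOF
  newkey_csr int && sign_with int root 1825
}

issue_leaf() {  # $1 = stem, $2 = DNS name placed in the SAN (and the CN)
  write_cnf "$1" "$2" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
  newkey_csr "$1" && sign_with "$1" int 365
}

verify_leaf() {  # $1 = stem; prints "ok" or "rejected: <openssl diagnostics>"
  if out=$(openssl verify -CAfile "$PKI_DIR/root.pem" \
             -untrusted "$PKI_DIR/int.pem" "$PKI_DIR/$1.pem" 2>&1); then
    echo ok
  else
    echo "rejected: $out"
  fi
}

build_cas && issue_leaf good www.example.com && issue_leaf bad www.mozilla.org ||
  { echo "setup failed" >&2; exit 1; }
echo "www.example.com -> $(verify_leaf good)"
echo "www.mozilla.org -> $(verify_leaf bad)"
```

The rejected chain fails with OpenSSL's "permitted subtree violation" error, raised when the leaf's SAN is checked against the subordinate's permittedSubtrees. Two caveats a CA profile should cover: RFC 5280 constraints apply per name type, so permitting only DNS names leaves IP address and email SANs unconstrained unless those types are constrained or excluded as well, and OpenSSL also tests a hostname-shaped leaf CN against DNS constraints, so a CN outside the permitted set is rejected even without a SAN.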