CA/Information Checklist: Difference between revisions

Added instructions to create a Root Inclusion Case in CCADB
m (added more instruction regarding the Template.)
(Added instructions to create a Root Inclusion Case in CCADB)
Line 3: Line 3:
In order to support cryptographic applications such as SSL/TLS connections to web and other servers, and signed and encrypted email, Firefox and other Mozilla-based products contain digital certificates and related metadata for multiple Certification Authorities (CAs). By including the CA certificates and various associated pre-set metadata values Mozilla-based products can recognize as valid the end entity certificates that are issued under the auspices of the CAs in question and are associated with, e.g., web servers, and email senders.
In order to support cryptographic applications such as SSL/TLS connections to web and other servers, and signed and encrypted email, Firefox and other Mozilla-based products contain digital certificates and related metadata for multiple Certification Authorities (CAs). By including the CA certificates and various associated pre-set metadata values Mozilla-based products can recognize as valid the end entity certificates that are issued under the auspices of the CAs in question and are associated with, e.g., web servers, and email senders.


CAs wishing to have their certificates included in Mozilla products must comply with the requirements of the [https://www.mozilla.org/about/governance/policies/security-group/certs/policy Mozilla Root Store Policy] and must supply the information necessary to determine whether or not the policy’s requirements have been satisfied. The information must be provided in a [[CA/Application_Instructions#Create_Root_Inclusion.2FUpdate_Request|Mozilla Bugzilla bug]] as described in [[CA/Application_Process|Mozilla's Application Process Overview]]. This information includes (but is not necessarily limited to) the information listed in this page.
== Example and Template ==
The example and template below list the information that must be provided by the CA in their root inclusion or update request as per step 1 of [[CA/Application_Process#Process_Overview|Mozilla's Application Process]].
* [https://docs.google.com/document/d/1lKSW0WqThxeIMzQwyo7-uwqF8hH3e069lHW2KE78vAM/edit?usp=sharing Template (Google Doc)] -- If your CA does not currently have access to the CCADB, then this is the form to fill in. Download it from Google Docs, fill it in, and attach to your Bugzilla Bug.
** Note that the certificate data will be extracted directly from the PEM of the certificate, so the CA should attach the PEM of the root certificate to the Bugzilla bug, or provide a link to the certificate on their website.
* [https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000341 Example] -- an Example Root Inclusion Case in CCADB. If your CA currently has access to the CCADB, then you may create a Root Inclusion Case as described below.


The information provided by the CA will be verified by a representative of Mozilla to the maximum extent practicable using CAs’ published documentation. Statements attributed to third parties (e.g., auditors) shall be verified with those parties. The information gathered should be published through the appropriate Mozilla channels (e.g., web sites, bug reports, and/or discussion forums).
Mozilla's process is public-facing, so all information that will be taken under consideration during the root inclusion request must be publicly available and provided by the CA via the Bugzilla bug report or a Case in the CCADB.
 
== Example and Template ==


The template and example below show the information that the CA must provide for a root inclusion/update request.
== Create a Root Inclusion Case ==
* [https://docs.google.com/document/d/1lKSW0WqThxeIMzQwyo7-uwqF8hH3e069lHW2KE78vAM/edit?usp=sharing Template (Google Doc)] -- This is the form to fill in. Download it from Google Docs, fill it in, and attach to your Bugzilla Bug.
If your CA currently has access to the CCADB, then enter your information directly as described below.
* [https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000341 Example] -- an Example Root Inclusion Case in CCADB
# [https://ccadb.org/cas/getting-started Login to the CCADB.]
* Note that the certificate data will be extracted directly from the PEM of the certificate, so the CA should attach the PEM of the root certificate to the Bugzilla bug, or provide a link to the certificate on their website.
#Create a [https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000341 Root Inclusion Case] in the CCADB - one Case per set of audit statements.
#*Navigate to the CA Owner Record for your CA.
#**Click on “CA Owners/Certificates” tab, then in “View:” select “Community User’s CA Owners/Root Certs” and click on “Go!”.
#**Click on the “CA Owner/Certificate Name” of your CA’s Owner record.
#*Scroll down to the ‘Cases’ section.
#*Click on the ‘New Case’ button, and select “CA Root Inclusion Request”.
#Click on the ‘Submit’ button to create the new Root Inclusion Case.
#*For our use, the ‘Submit’ button is the ‘Save’ button. (Salesforce doesn’t currently let us change the name of this particular button.)
#*You may click on ‘Edit’ and ‘Submit’ as many times as you need to get all of your information entered.
#Click on the “Copy Audit Info” button, to copy data from a root cert already in the CCADB (if applicable).
#Click on the ‘Add/Update Root Cases’ button to add the PEM for the new root cert or to indicate which existing root certs are part of this root inclusion or update request.
#*For each root certificate to be considered in your request, check the boxes corresponding to the audit statements that apply. Then click on the “Apply Changes” button. This will create corresponding Root Cases.
#Click on the ‘Edit Test Websites’ button to enter the test websites for new root certs if you are requesting the Websites (TLS/SSL) trust bit.
#Click on the ‘Audit Letter Validation (ALV)’ button, and work with your auditor to resolve all problems.
#Fill in the remaining information in your Case and Root Cases.
#*Scroll down to the “Mozilla Additional Requirements” section and click on the “Print NEED Fields” to see where further information is needed.
#Click on the ‘Get URLs’ button and copy the line that begins with “Mozilla Root Inclusion Case Information:” into a Comment in your Bugzilla Bug. The line to copy and paste into the Bugzilla Bug looks like:
#*Mozilla Root Inclusion Case Information: https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000341
#*This will trigger step 2 of Mozilla’s root inclusion process.


Mozilla's process is public-facing, so all information that will be taken under consideration during the root inclusion request must be publicly available and provided by the CA via the Bugzilla bug report.
Whenever you update data in your Root Inclusion Case in the CCADB, be sure to add a comment to your Bugzilla Bug to let folks know to re-check the information.


== CA Primary Point of Contact (POC) ==
== CA Primary Point of Contact (POC) ==
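Review bot: In the new "Create a Root Inclusion Case" steps, the sample line to paste into the Bugzilla Bug (under the 'Get URLs' step) carries CaseNumber=00000341, which is the same number as the Example case linked under "Example and Template", and the "Root Inclusion Case" link in the second step points to that same example Case. A CA following the steps could paste the sample line verbatim and so point reviewers at the example rather than at its own request. Suggest stating that the CA's own Case number will appear in that line, or showing the number as an obvious placeholder. As a style point, the steps mix ‘single’ and “double” quotation marks for button and tab names (‘Submit’, “Copy Audit Info”, “Print NEED Fields”); using one form throughout would make the UI labels easier to scan.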