CA/Audit Letter Validation: Difference between revisions

Jump to navigation Jump to search

CA/Audit Letter Validation (view source)

Revision as of 22:34, 3 January 2020

174 bytes removed ,  3 January 2020
continued drafting
(continued drafting)
(continued drafting)
Line 8: Line 8:
** [https://www.ccadb.org/cas/updates#information-required Information Required to create an Audit Case]
** [https://www.ccadb.org/cas/updates#information-required Information Required to create an Audit Case]
* [https://www.ccadb.org/cas/updates#test-preliminary-audit-statements Run ALV on Preliminary Audit Statements]
* [https://www.ccadb.org/cas/updates#test-preliminary-audit-statements Run ALV on Preliminary Audit Statements]
== Common ALV Findings ==
== Resolve ALV Findings in Audit Case ==


= Intermediate Certificates =
= Intermediate Certificates =
Subordinate CAs who operate non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates have the keys to the internet just as much as the [[CA/Included_CAs|CAs who have root certificates directly included in Mozilla's root store]]. Meaning that such subordinate CAs can also issue TLS certificates for any website or domain, so it is imperative that the same rules are being followed by all subordinate CAs operating non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates.
<br /><br />
There are currently about 150 [[CA/Included_Certificates|root certificates in Mozilla's root store]] , which leads to about 2,500 [[CA/Intermediate_Certificates|intermediate certificates]] that are trusted by Mozilla's root store.  To help enforce the rules at the intermediate certificate level, Mozilla requires disclosure of non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates in the CCADB, which automatically runs ALV on them and reports the results to CAs and root store operators in their CCADB home page.
* [https://groups.google.com/d/msg/mozilla.dev.security.policy/M7NGwCh14DI/8QB-G-CUBwAJ Progress towards enforcement at intermediate certificate level]
CAs are required to update the [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#31-audits audit] and [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#33-cps-and-cpses CP/CPS] for their non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates chaining to root certs included in Mozilla's program at least annually. To provide this information for intermediate certificates, [https://www.ccadb.org/cas/intermediates directly update the corresponding record in the CCADB] then click on the "Audit Letter Validation [ALV]" button.  
CAs are required to update the [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#31-audits audit] and [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#33-cps-and-cpses CP/CPS] for their non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates chaining to root certs included in Mozilla's program at least annually. To provide this information for intermediate certificates, [https://www.ccadb.org/cas/intermediates directly update the corresponding record in the CCADB] then click on the "Audit Letter Validation [ALV]" button.  


== ALV on Intermediate Certificate Records ==
The following two fields are set by running ALV on an intermediate certificate record in the CCADB. CAs may cause ALV to be run on the record by clicking on the "Audit Letter Validation [ALV]" button. Additionally CCADB has automated processes that will regularly check for intermediate certificate records that need to have ALV run.
The following two fields are set by running ALV on an intermediate certificate record in the CCADB. CAs may cause ALV to be run on the record by clicking on the "Audit Letter Validation [ALV]" button. Additionally CCADB has automated processes that will regularly check for intermediate certificate records that need to have ALV run.
# Standard Audit ALV Found Cert
# Standard Audit ALV Found Cert
Line 42: Line 41:
When the "Audits Same as Parent" field is checked for an intermediate certificate record in the CCADB, the CCADB will look up the parent chain until audit statements are found, and then run ALV using those audit statements. When the "Audits Same as Parent" field is not checked, the CCADB will directly pass the audit statements in the intermediate certificate record into ALV.
When the "Audits Same as Parent" field is checked for an intermediate certificate record in the CCADB, the CCADB will look up the parent chain until audit statements are found, and then run ALV using those audit statements. When the "Audits Same as Parent" field is not checked, the CCADB will directly pass the audit statements in the intermediate certificate record into ALV.


== CA Task List ==
= Common ALV Findings =
 
<To Do>
== Resolve ALV Findings in Intermediate Certificate ==
 
= Background =
Subordinate CAs who operate non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates have the keys to the internet just as much as the [[CA/Included_CAs|CAs who have root certificates directly included in Mozilla's root store]]. Meaning that such subordinate CAs can also issue TLS certificates for any website or domain, so it is imperative that the same rules are being followed by all subordinate CAs operating non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates.
<br /><br />
There are currently about 150 [[CA/Included_Certificates|root certificates in Mozilla's root store]] , which leads to about 2,500 [[CA/Intermediate_Certificates|intermediate certificates]] that are trusted by Mozilla's root store.  To help enforce the rules at the intermediate certificate level, Mozilla requires disclosure of non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates in the CCADB, which automatically runs ALV on them and reports the results to CAs and root store operators in their CCADB home page.
* [https://groups.google.com/d/msg/mozilla.dev.security.policy/M7NGwCh14DI/8QB-G-CUBwAJ Progress towards enforcement at intermediate certificate level]
Kathleen Wilson
Confirmed users, Administrators
5,526

edits

Retrieved from "https://dev.wikimo.nonprod.webservices.mozgcp.net/Special:MobileDiff/1221804"

Navigation menu