|
|
| (23 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| The [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#4-common-ca-database Common CA Database (CCADB)] uses an Audit Letter Validation (ALV) tool to automatically parse and validate audit statements. This system eliminates manual processing, but it requires audit statements to follow some basic rules in order to function properly.
| | #REDIRECT [[CA/Audit_Statements]] |
| * [https://www.ccadb.org/policy#51-audit-statement-content Audit Statement Requirements and Format Rules] - If an audit statement fails to meet any of these requirements, the CA will be asked to work with their auditor to provide an audit statement that passes ALV.
| |
| | |
| = Root Certificates =
| |
| CAs are required to update the [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#31-audits audit], [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#33-cps-and-cpses CP, CPS] and test website information for their certificate hierarchies at least annually. To provide this information for root certificates, [https://www.ccadb.org/cas/updates#audit-case-workflow create one Audit Case] in the CCADB for a particular set of audits (e.g. Standard Audit, BR audit, EV Audit). Then create a set of corresponding Root Cases, one per root certificate, to tell the CCADB which Root Certificate records the audit statements in that Audit Case apply to.
| |
| * [https://www.ccadb.org/cas/updates#audit-case-workflow Audit Case Work Flow]
| |
| * [https://www.ccadb.org/cas/updates#instructions Detailed Instructions]
| |
| ** [https://www.ccadb.org/cas/updates#information-required Information Required to create an Audit Case]
| |
| * [https://www.ccadb.org/cas/updates#test-preliminary-audit-statements Run ALV on Preliminary Audit Statements]
| |
| | |
| == Common ALV Findings ==
| |
| | |
| == Resolve ALV Findings in Audit Case ==
| |
| | |
| = Intermediate Certificates =
| |
| CAs are required to update the audit, CP, CPS and test website information for their certificate hierarchies at least annually.
| |
| CAs are expected to maintain their intermediate certificate records themselves and to directly enter the corresponding updated audit statements.
| |
| | |
| == ALV on Intermediate Certificate Records ==
| |
| | |
| == CA Task List ==
| |
| | |
| == Resolve ALV Findings in Intermediate Certificate ==
| |
| | |
| | |
| = Background =
| |
| Subordinate CAs who operate non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates have the keys to the internet just as much as the [[CA/Included_CAs|CAs who have root certificates directly included in Mozilla's root store]]. Meaning that such subordinate CAs can also issue TLS certificates for any website or domain, so it is imperative that the same rules are being followed by all subordinate CAs operating non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates.
| |
| <br /><br />
| |
| There are currently about 150 [[CA/Included_Certificates|root certificates in Mozilla's root store]] , which leads to about 2,500 [[CA/Intermediate_Certificates|intermediate certificates]] that are trusted by Mozilla's root store. To help enforce the rules at the intermediate certificate level, Mozilla requires disclosure of non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates in the CCADB, which automatically runs ALV on them and reports the results to CAs and root store operators in their CCADB home page.
| |
| * [https://groups.google.com/d/msg/mozilla.dev.security.policy/M7NGwCh14DI/8QB-G-CUBwAJ Progress towards enforcement at intermediate certificate level]
| |