CA/Information Checklist: Difference between revisions

m (added further clarification)
(Updating to remove duplication with the ccadb.org website and instructions documents)
 
(35 intermediate revisions by 2 users not shown)
Line 1: Line 1:
= Information checklist for CAs applying for inclusion in Mozilla =
= Information checklist for CAs applying for inclusion in Mozilla =


In order to support cryptographic applications such as SSL/TLS connections to web and other servers, and signed and encrypted email, Firefox and other Mozilla-based products contain digital certificates and related metadata for multiple Certification Authorities (CAs). By including the CA certificates and various associated pre-set metadata values Mozilla-based products can recognize as valid the end entity certificates that are issued under the auspices of the CAs in question and are associated with, e.g., web servers, and email senders.
In order to support cryptographic applications, such as those that make TLS connections to web and other servers, and those that sign and encrypt/decrypt email, Firefox and other Mozilla-based products contain digital certificates and related metadata for multiple Certification Authorities (CAs). By including the CA certificates and various associated pre-set metadata values Mozilla-based products can recognize as valid the end entity certificates that are issued under such CAs and are associated with, e.g., web servers, and email senders.


== Example and Template ==
== Example and Template ==
The example and template below list the information that must be provided by the CA in their root inclusion or update request as per step 1 of [[CA/Application_Process#Process_Overview|Mozilla's Application Process]].  
The example and template below list the information that must be provided by the CA in their root inclusion or update request as per step 1 of [[CA/Application_Process#Process_Overview|Mozilla's Application Process]].  
* [https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000341 Example] -- an Example Root Inclusion Case in CCADB. If your CA currently has access to the CCADB, then you may '''[[CA/Information_Checklist#Create_a_Root_Inclusion_Case|create a Root Inclusion Case directly]]'''.
* [https://docs.google.com/document/d/1lKSW0WqThxeIMzQwyo7-uwqF8hH3e069lHW2KE78vAM/edit?usp=sharing Template (Google Doc)] -- If your CA does not currently have access to the CCADB, then this is the form to fill in. Download it from Google Docs, fill it in, and attach to your Bugzilla Bug. Note that the certificate data will be extracted directly from the PEM of the certificate, so the CA should attach the PEM of the root certificate to the Bugzilla bug, or provide a link to the certificate on their website.


Mozilla's process is public-facing, so all information that will be taken under consideration during the root inclusion request must be publicly available and provided by the CA via the Bugzilla bug report or a Case in the CCADB.
* [https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00000341 Example] --  This is what it will look like when you '''[[CA/Information_Checklist#Adding_Root_Certificates_and_Creating_Root_Inclusion_Cases|create a Root Inclusion Case directly]]''' in the CCADB.


== Create a Root Inclusion Case ==
Mozilla's process is public-facing, so all information that will be taken under consideration during the root inclusion request must be publicly available and provided by the CA via a Case in the CCADB and in a Bugzilla bug report. (Both must be created as they will reference each other.)
If your CA currently has access to the CCADB, then enter your information directly as described below.
# [https://ccadb.org/cas/getting-started Login to the CCADB.]
#Create a [https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000341 Root Inclusion Case] in the CCADB - one Case per set of audit statements.
#*Navigate to the CA Owner Record for your CA.
#**Click on “CA Owners/Certificates” tab, then in “View:” select “Community User’s CA Owners/Root Certs” and click on “Go!”.
#**Click on the “CA Owner/Certificate Name” of your CA’s Owner record.
#*Scroll down to the ‘Cases’ section.
#*Click on the ‘New Case’ button, and select “CA Root Inclusion Request”.
#Click on the ‘Submit’ button to create the new Root Inclusion Case.
#*For our use, the ‘Submit’ button is the ‘Save’ button. (Salesforce doesn’t currently let us change the name of this particular button.)
#*You may click on ‘Edit’ and ‘Submit’ as many times as you need to get all of your information entered.
#Click on the “Copy Audit Info” button, to copy data from a root cert already in the CCADB (if applicable).
#Click on the ‘Add/Update Root Cases’ button to add the PEM for the new root cert or to indicate which existing root certs are part of this root inclusion or update request.
#*For each root certificate to be considered in your request, check the boxes corresponding to the audit statements that apply. Then click on the “Apply Changes” button. This will create corresponding Root Cases.
#Click on the ‘Edit Test Websites’ button to enter the test websites for new root certs if you are requesting the Websites (TLS/SSL) trust bit.
#Click on the ‘Audit Letter Validation (ALV)’ button, and work with your auditor to resolve all problems.
#Fill in the remaining information in your Case and Root Cases.
#*Scroll down to the “Mozilla Additional Requirements” section and click on the “Print NEED Fields” to see where further information is needed.
#Click on the ‘Get URLs’ button and copy the line that begins with “Mozilla Root Inclusion Case Information:” into a Comment in your Bugzilla Bug. The line to copy and paste into the Bugzilla Bug looks like:
#*Mozilla Root Inclusion Case Information: https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000341
#*This will trigger step 2 of Mozilla’s root inclusion process.


IMPORTANT:
== Adding Root Certificates and Creating Root Inclusion Cases ==
* Whenever you update data in your Root Inclusion Case in the CCADB, be sure to add a comment to your Bugzilla Bug to let folks know to re-check the information.
=== Access the CCADB ===
* Fields for which a root store operator has set "Data Verified" can not be edited until you ask the root store operator to change the corresponding status back to "Not Verified".
If your CA does not yet have access to the CCADB, then you may request access here:
* https://ccadb.org/cas/request-access
 
Information and instructions for CAs about the CCADB are here:
* https://www.ccadb.org/cas/
 
=== Create an "Add/Update Root Request" case ===
CAs provide information about their CA organization and root certificates by creating an "Add/Update Root Request".
# Create an [https://www.ccadb.org/cas/updates "Add/Update Root Request"] case in the CCADB
#* Detailed Instructions: [https://docs.google.com/document/d/1AUbwbyqCq3jR7wP0fSWjL1us9s4sZIbXGRyo_ko77QM/edit Create an Add/Update Root Request]
# Add new root certificates to the case.
#* In the ROOT INFORMATION tab, click on the "Add/Select Root Certificates" button. Then click on the "Add Root Certificate to CCADB" button and paste the certificate PEM into the window and click on "Validate PEM". If validation is successful, click on the "Create Root Certificate in CCADB" button.
# Completely fill in the information in the five tabs of the "Add/Update Root Request" case: CA OWNER, AUDITS, POLICY DOCUMENTS, ROOT INFORMATION, and TEST WEBSITES.
# Click on the "Submit to Root Store" button.
 
'''Important''':
* Audit statements must meet the requirements listed in [https://www.ccadb.org/policy#51-audit-statement-content section 5.1 of the CCADB Policy] '''and''' [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#3-documentation in section 3 of the Mozilla Root Store Policy].
** Also see Mozilla's [[CA/Audit_Statements#Audit_Lifecycle|audit lifecycle requirements]]
* CCADB automatically converts WebTrust Seal URLs into PDF URLs when you click on ‘Save’
* In each audit statement section in the AUDITS tab, be sure to select "Applicable Root Certificates".
** Click on the inverted triangle ("Edit") to select all of the root certificates covered by the audit.
* If you are requesting that the Websites (TLS) trust bit be enabled for your root certificate(s), then be sure to provide the 3 test websites (valid, expired, revoked) in the TEST WEBSITES tab.
** Click on the "Validate Test Websites" button, resolve all failures, then click on the "Re-run Validation" button to make sure all the websites have Status of PASS.
* Add records to the CCADB for all existing intermediate certificates chaining up to the new root certificate(s).
** https://www.ccadb.org/cas/intermediates
 
=== Create a "Root Inclusion Request" Case ===
After you have provided information to the CCADB about your CA organization and root certificates, you may use a "Root Inclusion Request" case to request that your root certificate(s) be included in Mozilla's root store, update trust bit settings, and/or enable EV treatment.
# Create a [https://www.ccadb.org/cas/inclusion "Root Inclusion Request" Case] in the CCADB
#* Detailed Instructions: [https://docs.google.com/document/d/1FHSbpNJ3CQOcpVqrj66elKQhTmpllp-IBsDovPy6cOo/edit# Create a Root Inclusion Request]
# Fill in all of the fields in the MOZILLA tab
# Click on the "Submit to Root Store" button.
 
'''Important''':
* In the MOZILLA tab, click on the "Print View" button to see the data that will be shared publicly about your request.
* Click on the "Get URLs" button (which may be in the button overflow – upside down triangle) and copy the line that begins with “Mozilla Root Inclusion Case Information:” into a Comment in [[CA/Application_Instructions#Create_Root_Inclusion.2FUpdate_Request|your Bugzilla Bug]]. The line to copy and paste into the Bugzilla Bug looks like:
**Mozilla Root Inclusion Case Information: https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00000341
* Whenever you update data in your Root Inclusion Case in the CCADB, be sure to [[CA/Application_Instructions#Create_Root_Inclusion.2FUpdate_Request|add a comment to your Bugzilla Bug]] to let folks know to re-check the information.'''


== CA Primary Point of Contact (POC) ==
== CA Primary Point of Contact (POC) ==
In addition to the information listed in the template and example above, CA's must provide the contact information for at least one person filling the role of Primary Point of Contact (POC), and may use a contractor as one of the POCs. The CA must have one or more people within the CA’s organization who jointly have authority to speak on behalf of the CA, and to direct whatever changes the review process or Mozilla’s CA Communications require. At least one of the CA’s POCs should also be in a position to make commitments for the CA and be held accountable by the CA.  
Each CA organization in the CCADB must provide the contact information for at least one person filling the role of Primary Point of Contact (POC), as described in [https://www.ccadb.org/policy#2-contact-information section 2 of the CCADB Policy].
 
=== Provide or update POC information ===
* Create an [https://www.ccadb.org/cas/contacts "Add/Update Contacts"] case.
** Detailed Instructions: [https://docs.google.com/document/d/1QQ-wZYPJ_3p76Zc3RZPE929pKIResc5J4vjSGGi_NuE/edit?usp=sharing Add/Update Contacts]
* Provide the updates in the CONTACTS tab.
* Click on the "Submit to Root Store" button.


The POCs will:
=== Responsibilities of a Primary POC ===
* Provide [http://ccadb.org/cas/updates annual updates] of CP/CPS documents, audit statements, and test websites.
* Provide [http://ccadb.org/cas/updates annual updates] of CP/CPS documents, audit statements, and test websites.
* Respond to [https://wiki.mozilla.org/CA/Communications CA Communications]
* Respond to [https://wiki.mozilla.org/CA/Communications CA Communications]
* Input and maintain the CA’s data in the [http://ccadb.org/ Common CA Database (CCADB)]
* Input and maintain the CA’s data in the [https://www.ccadb.org/cas/ CCADB].
* [mailto:certificates@mozilla.org Inform Mozilla] when there is a change in the organization, ownership, CA policies, or in the POCs that Mozilla should be aware of, as per  
* [mailto:certificates@mozilla.org Inform Mozilla] when there is a change in the organization, ownership, CA policies, or in the POCs that Mozilla should be aware of, as per  
** [http://ccadb.org/policy#2-contact-information Common CCADB Policy]
** [http://ccadb.org/policy#2-contact-information Section 2 of the CCADB Policy], and
** [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#8-ca-operational-changes Mozilla's Root Store Policy]
** [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#8-ca-operational-changes Section 8 of the Mozilla Root Store Policy].
* [mailto:certificates@mozilla.org Provide Mozilla] with updated contact information if a new person becomes a POC.
* Make sure the "CA Email Alias" field on the CA Owner page is correct.
** An email alias is being requested so that more than one person in your organization will receive notifications in case the primary contact is out of the office or leaves the organization.
** The CA Email Alias is updated via an "Add/Update Root Request" case.


Required contact information:
=== Authority ===
* Direct E-mail address, full name (first and last name), and phone number to a specific individual within the CA (must be one of the POCs).
If the CA uses a contractor as a POC, then someone at the CA must also be a POC for the CA Owner record in the CCADB, and the POC from the CA must be CC’d on the root inclusion Bugzilla bug.
* CA Email Alias: An email alias is being requested so that more than one person in your organization will receive notifications in case the primary contact is out of the office or leaves the organization. Mozilla CA Communications will be sent to both the POC direct email address(es) and the email alias.
* CA Phone Number: A main phone number from which Mozilla can reach the organization responsible for root certificates for the CA.
* Title / Department: If Mozilla needed to call your main phone number, what Title/Department should the Mozilla representative ask for?
If the CA uses a contractor as an additional POC, then someone at the CA must be CC’d on the root inclusion Bugzilla bug, CA Communications, and the CA’s responses to CA Communications.
* An individual within the CA must also get a Bugzilla account and comment in the bug to say that they will be a POC for the CA, and that the contractor has indeed been hired by the CA to act as one of the POCs.
* An individual within the CA must also get a Bugzilla account and comment in the bug to say that they will be a POC for the CA, and that the contractor has indeed been hired by the CA to act as one of the POCs.


To ensure that the POC(s) has the authority to perform the tasks listed above, a representative of Mozilla will do the following.
To ensure that the POC(s) has the authority to perform the tasks listed above, a representative of Mozilla may do the following.
# Use the CA’s website, to confirm that the domain in the email address of at least one of the POCs is owned by the CA (e.g. @CAname.com).
# Use the CA’s website to contact a person at the CA to confirm that the Primary POCs that have been provided do indeed have the authority to perform the responsibilities listed above on behalf of the CA.
# Use the CA’s website to contact a person at the CA to confirm that at least one of the POCs that have been provided does indeed have the authority to perform the responsibilities listed above on behalf of the CA.
# Use the CA’s website, to confirm that the domain in the email address of at least one of the Primary POCs is owned by the CA (e.g. @CAname.com).
# If a contractor is also used as a POC, then contact the POC that was previously verified to confirm that the CA has indeed enlisted the help of the contractor.
# If a contractor is also used as a Primary POC, then contact the Primary POC that was previously verified to confirm that the CA has indeed enlisted the help of the contractor.
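Review bot: the final new-side bullet, `...to let folks know to re-check the information.'''`, ends with a stray `'''` that opens a bold span and never closes it; drop the trailing `'''`. A second style point in the same new section: `* CCADB automatically converts WebTrust Seal URLs into PDF URLs when you click on ‘Save’` is the only bullet in that list without a terminating period, and since the surrounding steps only name a "Submit to Root Store" button, it is worth saying which screen's ‘Save’ is meant.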

Latest revision as of 22:35, 17 October 2023

Information checklist for CAs applying for inclusion in Mozilla

In order to support cryptographic applications, such as those that make TLS connections to web and other servers, and those that sign and encrypt/decrypt email, Firefox and other Mozilla-based products contain digital certificates and related metadata for multiple Certification Authorities (CAs). By including the CA certificates and their associated pre-set metadata values, Mozilla-based products can recognize as valid the end-entity certificates that are issued under such CAs and are associated with, e.g., web servers and email senders.

Example and Template

The example below shows the information that must be provided by the CA in their root inclusion or update request as per step 1 of Mozilla's Application Process (https://wiki.mozilla.org/CA/Application_Process#Process_Overview).

  • Example (https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00000341) -- This is what it will look like when you create a Root Inclusion Case directly in the CCADB, as described under "Adding Root Certificates and Creating Root Inclusion Cases" below.

Mozilla's process is public-facing, so all information that will be taken under consideration during the root inclusion request must be publicly available and provided by the CA via a Case in the CCADB and in a Bugzilla bug report. (Both must be created, as they will reference each other.)

Adding Root Certificates and Creating Root Inclusion Cases

Access the CCADB

If your CA does not yet have access to the CCADB, then you may request access here:

  • https://ccadb.org/cas/request-access

Information and instructions for CAs about the CCADB are here:

  • https://www.ccadb.org/cas/

Create an "Add/Update Root Request" case

CAs provide information about their CA organization and root certificates by creating an "Add/Update Root Request".

  1. Create an "Add/Update Root Request" case in the CCADB (https://www.ccadb.org/cas/updates).
    • Detailed Instructions: Create an Add/Update Root Request (https://docs.google.com/document/d/1AUbwbyqCq3jR7wP0fSWjL1us9s4sZIbXGRyo_ko77QM/edit)
  2. Add new root certificates to the case.
    • In the ROOT INFORMATION tab, click on the "Add/Select Root Certificates" button. Then click on the "Add Root Certificate to CCADB" button, paste the certificate PEM into the window and click on "Validate PEM". If validation is successful, click on the "Create Root Certificate in CCADB" button. The certificate data is extracted directly from the PEM, so paste the complete PEM of the root certificate itself.
  3. Completely fill in the information in the five tabs of the "Add/Update Root Request" case: CA OWNER, AUDITS, POLICY DOCUMENTS, ROOT INFORMATION, and TEST WEBSITES.
  4. Click on the "Submit to Root Store" button.

Important:

  • Audit statements must meet the requirements listed in section 5.1 of the CCADB Policy (https://www.ccadb.org/policy#51-audit-statement-content) and in section 3 of the Mozilla Root Store Policy (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#3-documentation).
    • Also see Mozilla's audit lifecycle requirements (https://wiki.mozilla.org/CA/Audit_Statements#Audit_Lifecycle).
  • The CCADB automatically converts WebTrust Seal URLs into PDF URLs when you click on "Save".
  • In each audit statement section in the AUDITS tab, be sure to select "Applicable Root Certificates".
    • Click on the inverted triangle ("Edit") to select all of the root certificates covered by the audit.
  • If you are requesting that the Websites (TLS) trust bit be enabled for your root certificate(s), then be sure to provide the three test websites (valid, expired, revoked) in the TEST WEBSITES tab.
    • Click on the "Validate Test Websites" button, resolve all failures, then click on the "Re-run Validation" button to make sure all the websites have a Status of PASS.
  • Add records to the CCADB for all existing intermediate certificates chaining up to the new root certificate(s).
    • https://www.ccadb.org/cas/intermediates
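The "Validate PEM" step and the valid/expired/revoked test-website check above are the two places where a submission is rejected for purely technical reasons, and both can be rehearsed offline before anything is pasted into the CCADB. The Go program below is an added example written for this page; it is not the CCADB's validator or any Mozilla code, and it makes two assumptions the page does not state: that the root's revocation information is published as a CRL signed by the root (OCSP is not modelled), and that a constructed, throwaway P-256 root with three leaf certificates stands in for the CA's real hierarchy. `CheckRootPEM` performs the checks a root PEM must pass (it parses, carries BasicConstraints CA:TRUE and keyCertSign, is self-signed, and is currently valid) and returns the SHA-256 fingerprint that identifies the root thereafter; `ClassifyTestSite` reports which of the three test-website states a leaf is in and refuses to answer when the CRL is unsigned or stale.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckRootPEM runs the checks a CA can make locally before pasting a root PEM
// into an "Add/Update Root Request": the PEM parses, it is a CA certificate with
// keyCertSign, it is self-signed, and it is currently valid. It returns the
// SHA-256 fingerprint of the DER encoding, which identifies the root thereafter.
func CheckRootPEM(pemData []byte) (string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("no CERTIFICATE block in PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("DER does not parse: %w", err)
	}
	if !cert.BasicConstraintsValid || !cert.IsCA || cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		return "", errors.New("not a CA certificate: need BasicConstraints CA:TRUE and keyCertSign")
	}
	if err := cert.CheckSignatureFrom(cert); err != nil { // a root signs itself
		return "", fmt.Errorf("not self-signed: %w", err)
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", errors.New("root is outside its validity period")
	}
	sum := sha256.Sum256(cert.Raw)
	return fmt.Sprintf("%x", sum), nil
}

// ClassifyTestSite returns "valid", "expired" or "revoked" for a test-website
// leaf, the three states the TEST WEBSITES tab asks for. Revocation comes from
// a CRL signed by the root (an assumption; OCSP is not modelled), and any other
// path-building failure is returned as an error, never as a silent "valid".
func ClassifyTestSite(leaf, root *x509.Certificate, crlDER []byte, now time.Time) (string, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", err
	}
	if err := crl.CheckSignatureFrom(root); err != nil || now.After(crl.NextUpdate) {
		return "", fmt.Errorf("CRL unusable (not signed by root, or stale): %v", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}); err != nil {
		var inv x509.CertificateInvalidError
		if errors.As(err, &inv) && inv.Reason == x509.Expired {
			return "expired", nil
		}
		return "", err
	}
	return "valid", nil
}

// ToPEM encodes a certificate the way it is pasted into the CCADB.
func ToPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// BuildDemo is a constructed fixture, not a real CA: a throwaway P-256 root,
// one leaf per test-site state, and a CRL that revokes the "revoked" leaf.
func BuildDemo() (root *x509.Certificate, leaves map[string]*x509.Certificate, crlDER []byte, now time.Time) {
	now = time.Now()
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leaf := func(serial int64, notAfter time.Time) *x509.Certificate {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "test.example.invalid"},
			DNSNames: []string{"test.example.invalid"}, NotBefore: now.Add(-2 * time.Hour), NotAfter: notAfter,
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey))))
	}
	leaves = map[string]*x509.Certificate{"valid": leaf(2, now.Add(time.Hour)),
		"expired": leaf(3, now.Add(-time.Hour)), "revoked": leaf(4, now.Add(time.Hour))}
	crlDER = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaves["revoked"].SerialNumber, RevocationTime: now}}},
		root, rootKey))
	return root, leaves, crlDER, now
}
```

The fixture builder and the two checks are kept apart on purpose: point `CheckRootPEM` at the PEM you intend to paste and `ClassifyTestSite` at the leaf each test website serves, and the usual rejections (an intermediate pasted in place of the root, a "revoked" site whose serial is not actually on the CRL, an "expired" site that is merely misconfigured) show up before the CCADB reports them. Treat a non-nil error as "not ready yet", never as a pass.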

Create a "Root Inclusion Request" Case

After you have provided information to the CCADB about your CA organization and root certificates, you may use a "Root Inclusion Request" case to request that your root certificate(s) be included in Mozilla's root store, update trust bit settings, and/or enable EV treatment.

  1. Create a "Root Inclusion Request" Case in the CCADB (https://www.ccadb.org/cas/inclusion).
    • Detailed Instructions: Create a Root Inclusion Request (https://docs.google.com/document/d/1FHSbpNJ3CQOcpVqrj66elKQhTmpllp-IBsDovPy6cOo/edit)
  2. Fill in all of the fields in the MOZILLA tab.
  3. Click on the "Submit to Root Store" button.

Important:

  • In the MOZILLA tab, click on the "Print View" button to see the data that will be shared publicly about your request.
  • Click on the "Get URLs" button (which may be in the button overflow, the upside-down triangle) and copy the line that begins with "Mozilla Root Inclusion Case Information:" into a comment in your Bugzilla Bug (see https://wiki.mozilla.org/CA/Application_Instructions#Create_Root_Inclusion.2FUpdate_Request). The line to copy and paste into the Bugzilla Bug looks like:
    • Mozilla Root Inclusion Case Information: https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00000341
  • Whenever you update data in your Root Inclusion Case in the CCADB, be sure to add a comment to your Bugzilla Bug to let folks know to re-check the information.

CA Primary Point of Contact (POC)

Each CA organization in the CCADB must provide the contact information for at least one person filling the role of Primary Point of Contact (POC), as described in section 2 of the CCADB Policy (https://www.ccadb.org/policy#2-contact-information).

Provide or update POC information

  • Create an "Add/Update Contacts" case (https://www.ccadb.org/cas/contacts).
    • Detailed Instructions: Add/Update Contacts (https://docs.google.com/document/d/1QQ-wZYPJ_3p76Zc3RZPE929pKIResc5J4vjSGGi_NuE/edit?usp=sharing)
  • Provide the updates in the CONTACTS tab.
  • Click on the "Submit to Root Store" button.

Responsibilities of a Primary POC

  • Provide annual updates (https://www.ccadb.org/cas/updates) of CP/CPS documents, audit statements, and test websites.
  • Respond to CA Communications (https://wiki.mozilla.org/CA/Communications).
  • Input and maintain the CA's data in the CCADB (https://www.ccadb.org/cas/).
  • Inform Mozilla (certificates@mozilla.org) when there is a change in the organization, ownership, CA policies, or in the POCs that Mozilla should be aware of, as per
    • Section 2 of the CCADB Policy (https://www.ccadb.org/policy#2-contact-information), and
    • Section 8 of the Mozilla Root Store Policy (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#8-ca-operational-changes).
  • Make sure the "CA Email Alias" field on the CA Owner page is correct.
    • An email alias is requested so that more than one person in your organization will receive notifications in case the primary contact is out of the office or leaves the organization.
    • The CA Email Alias is updated via an "Add/Update Root Request" case.

Authority

If the CA uses a contractor as a POC, then someone at the CA must also be a POC for the CA Owner record in the CCADB, and the POC from the CA must be CC’d on the root inclusion Bugzilla bug.

  • An individual within the CA must also get a Bugzilla account and comment in the bug to say that they will be a POC for the CA, and that the contractor has indeed been hired by the CA to act as one of the POCs.

To ensure that the POC(s) have the authority to perform the tasks listed above, a representative of Mozilla may do the following.

  1. Use the CA's website to contact a person at the CA and confirm that the Primary POCs that have been provided do indeed have the authority to perform the responsibilities listed above on behalf of the CA.
  2. Use the CA's website to confirm that the domain in the email address of at least one of the Primary POCs is owned by the CA (e.g. @CAname.com).
  3. If a contractor is also used as a Primary POC, then contact the Primary POC that was previously verified to confirm that the CA has indeed enlisted the help of the contractor.