CA/Audit Letter Validation: Difference between revisions
(continued drafting) |
(continued drafting) |
||
Line 14: | Line 14: | ||
= Intermediate Certificates = | = Intermediate Certificates = | ||
CAs are required to update the audit | CAs are required to update the [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#31-audits audit] and [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#33-cps-and-cpses CP/CPS] for their non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates chaining to root certs included in Mozilla's program at least annually. To provide this information for intermediate certificates, directly update the corresponding record in the CCADB then click on the "Audit Letter Validation [ALV]" button. | ||
== ALV on Intermediate Certificate Records == | == ALV on Intermediate Certificate Records == | ||
The following two fields are set by running ALV on an intermediate certificate record in the CCADB. CAs may cause ALV to be run on the record by clicking on the "Audit Letter Validation [ALV]" button. Additionally CCADB has automated processes that will regularly check for intermediate certificate records that need to have ALV run. | |||
# Standard Audit ALV Found Cert | |||
#* This field will be set to PASS when ALV finds the SHA-256 Fingerprint for that certificate in the standard audit statement. | |||
# BR Audit ALV Found Cert | |||
#* This field will only be set when the "Derived Trust Bits" field has 'Server Authentication' in its list. | |||
#* This field will be set to PASS when ALV finds the SHA-256 Fingerprint for that certificate in the BR audit statement. | |||
== CA Task List == | == CA Task List == | ||
== Resolve ALV Findings in Intermediate Certificate == | == Resolve ALV Findings in Intermediate Certificate == | ||
= Background = | = Background = |
Revision as of 19:10, 3 January 2020
The Common CA Database (CCADB) uses an Audit Letter Validation (ALV) tool to automatically parse and validate audit statements. This system eliminates manual processing, but it requires audit statements to follow some basic rules in order to function properly.
- Audit Statement Requirements and Format Rules - If an audit statement fails to meet any of these requirements, the CA will be asked to work with their auditor to provide an audit statement that passes ALV.
Root Certificates
CAs are required to update the audit, CP, CPS and test website information for their certificate hierarchies at least annually. To provide this information for root certificates, create one Audit Case in the CCADB for a particular set of audits (e.g. Standard Audit, BR audit, EV Audit). Then create a set of corresponding Root Cases, one per root certificate, to tell the CCADB which Root Certificate records the audit statements in that Audit Case apply to.
Common ALV Findings
Resolve ALV Findings in Audit Case
Intermediate Certificates
CAs are required to update the audit and CP/CPS for their non-technically-constrained intermediate certificates chaining to root certs included in Mozilla's program at least annually. To provide this information for intermediate certificates, directly update the corresponding record in the CCADB then click on the "Audit Letter Validation [ALV]" button.
ALV on Intermediate Certificate Records
The following two fields are set by running ALV on an intermediate certificate record in the CCADB. CAs may cause ALV to be run on the record by clicking on the "Audit Letter Validation [ALV]" button. Additionally CCADB has automated processes that will regularly check for intermediate certificate records that need to have ALV run.
- Standard Audit ALV Found Cert
- This field will be set to PASS when ALV finds the SHA-256 Fingerprint for that certificate in the standard audit statement.
- BR Audit ALV Found Cert
- This field will only be set when the "Derived Trust Bits" field has 'Server Authentication' in its list.
- This field will be set to PASS when ALV finds the SHA-256 Fingerprint for that certificate in the BR audit statement.
CA Task List
Resolve ALV Findings in Intermediate Certificate
Background
Subordinate CAs who operate non-technically-constrained intermediate certificates have the keys to the internet just as much as the CAs who have root certificates directly included in Mozilla's root store. Meaning that such subordinate CAs can also issue TLS certificates for any website or domain, so it is imperative that the same rules are being followed by all subordinate CAs operating non-technically-constrained intermediate certificates.
There are currently about 150 root certificates in Mozilla's root store , which leads to about 2,500 intermediate certificates that are trusted by Mozilla's root store. To help enforce the rules at the intermediate certificate level, Mozilla requires disclosure of non-technically-constrained intermediate certificates in the CCADB, which automatically runs ALV on them and reports the results to CAs and root store operators in their CCADB home page.