All,

Here is a DRAFT CA Communication that I would like to send next week. I will greatly appreciate your thoughtful and constructive feedback on it.

Previous CA Communications: https://wiki.mozilla.org/CA:Communications

** DRAFT CA Communication **

Subject: Mozilla Communication: Action requested by <date>

Dear Certification Authority,

This note requests a set of actions on your behalf, as a participant in Mozilla's CA Certificate Program. Please reply by <date>, with your response to these action items. A compiled list of CA responses to the following action items will be published.

Mozilla's CA Certificate Inclusion Policy:
http://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/

Mozilla's spreadsheet of included root certificates:
http://www.mozilla.org/about/governance/policies/security-group/certs/included/

1) Ensure that Mozilla’s spreadsheet of included root certificates has the correct link to your most recent audit statement, and that the date of the audit statement is correct. As per Mozilla's CA Certificate Policy, we require that all CAs whose certificates are distributed with our software products provide us an updated statement annually of attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties.

Please respond with one of the following:
A) Mozilla’s spreadsheet of included root certificates has the correct link to our most recent audit statement, and the audit statement date is correct.
B) Here is the most recent audit statement for our certificates that are included in Mozilla’s CA program: <insert link here>
C) We plan to send Mozilla our current audit statement by <insert date here>.


2) Send Mozilla the link to your most recent Baseline Requirements audit statement. Details about Mozilla's audit requirements are listed in section 11 of Mozilla's CA Certificate Inclusion Policy.

Please respond with one of the following:
A) Mozilla’s spreadsheet of included root certificates has the correct link to our most recent Baseline Requirements audit statement.
B) Here is the most recent Baseline Requirements audit statement for our certificates that are included in Mozilla’s CA program: <insert link here>
C) We plan to send Mozilla our current Baseline Requirements audit statement by <insert date here>.
D) The websites (SSL/TLS) trust bit is not enabled for our certificates that are included in Mozilla's CA program.


3) Test Mozilla's new Certificate Verification library with your CA hierarchies and inform your customers of the upcoming changes as needed.
The new Certificate Verification library (mozilla::pkix) was announced here: https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/
mozilla::pkix includes some changes in support of current best practices and policies, as listed here: https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Behavior_Changes
How to test: https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Request_for_Testing

Please respond with one of the following:
A) We have tested certificates in our CA hierarchy with Mozilla's new Certificate Verification library, and found that the certificates in our CA hierarchies are not impacted by the changes introduced in mozilla::pkix.
B) We have found the following issues when testing certificates in our CA hierarchy with mozilla::pkix: <descriptions or Bugzilla bug numbers, related URLs and/or certificates>
C) We are testing certificates in our CA hierarchy with Mozilla's new Certificate Verification library, and plan to send Mozilla our results by <insert date here, must be before June 30, 2014>.


4) Check your certificate issuance to confirm that no new certificates will be issued with the problems listed here: https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix

Please respond with one of the following:
A) We have not and will not issue certificates with the problems listed in the mozpkix-testing#Things_for_CAs_to_Fix wiki page.
B) We have previously issued certificates with the following problems listed in the mozpkix-testing#Things_for_CAs_to_Fix wiki page: <list the problems that needed to be fixed>. The last of those certificates expire <insert dates here>. We will not issue new certificates with the problems listed in the mozpkix-testing#Things_for_CAs_to_Fix wiki page as of this date: <date when your operations will be updated, no later than June 30, 2014>


5) Send Mozilla information about your publicly disclosed intermediate certificates that chain up to certificates in Mozilla's CA program, as per Items #8, 9, and 10 of Mozilla's CA Certificate Inclusion Policy.

Please respond with one of the following:
A) All intermediate certificates chaining up to our certificates in Mozilla's CA program are either included in our annual audits and listed in our annual audit statements, or are technically constrained according to section 9 of Mozilla's CA Certificate Inclusion Policy.
B) The required information, according to section 10 of Mozilla's CA Certificate Inclusion Policy, is available here: <URL to a web page, or Bugzilla Bug Number>.


Participation in Mozilla's CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your cooperation in this pursuit.

Regards,
Kathleen Wilson, Module Owner of Mozilla's CA Certificates Module

** END DRAFT **
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy