On 4/29/14, 3:44 AM, Gervase Markham wrote:
On 28/04/14 20:04, Kathleen Wilson wrote:
Please respond with one of the following:
A) Mozilla’s spreadsheet of included root certificates has the correct
link to our most recent audit statement, and the audit statement date is
correct.
B) Here is the most recent audit statement for our certificates that are
included in Mozilla’s CA program: <insert link here>
C) We plan to send Mozilla our current audit statement by <insert date
here>.

"... We have identified and resolved the process problem which led to us
not supplying this information in a timely manner"?

Do we want to put something in giving the mechanism by which we would
prefer to be pushed this information on a yearly basis? Is it email to you?



Added text to the action item...

"1) Ensure that Mozilla’s spreadsheet of included root certificates has the correct link to your most recent audit statement, and that the date of the audit statement is correct. As per Mozilla's CA Certificate Maintenance Policy, we require that all CAs whose certificates are distributed with our software products provide us an updated statement annually of attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties. To notify us of an updated statement of attestation, send email to [email protected] or submit a bug report into the mozilla.org Bugzilla system, filed against the "CA Certificates" component of the "mozilla.org" product. If you are not proactively sending Mozilla your updated audit statements, please create a process to do so."




2) Send Mozilla the link to your most recent Baseline Requirements audit
statement. Details about Mozilla's audit requirements are listed in
section 11 of Mozilla's CA Certificate Inclusion Policy.

Please respond with one of the following:
A) Mozilla’s spreadsheet of included root certificates has the correct
link to our most recent Baseline Requirements audit statement.
B) Here is the most recent Baseline Requirements audit statement for our
certificates that are included in Mozilla’s CA program: <insert link here>
C) We plan to send Mozilla our current Baseline Requirements audit
statement by <insert date here>.
D) The websites (SSL/TLS) trust bit is not enabled for our certificates
that are included in Mozilla's CA program.

Same addendum as above, for B and/or C?

Added text to the action item...

"2) Send Mozilla the link to your most recent Baseline Requirements audit statement. Details about Mozilla's audit requirements are listed in section 11 of Mozilla's CA Certificate Inclusion Policy. The BR audit statement should also be proactively sent to Mozilla each year, along with the other audit statements as described in action #1."



Please respond with one of the following:
A)  We have tested certificates in our CA hierarchy with Mozilla's new
Certificate Verification library, and found that the certificates in our
CA hierarchies are not impacted by the changes introduced in mozilla::pkix.
B) We have found the following issues when testing certificates in our
CA hierarchy with mozilla::pkix. <descriptions or Bugzilla bug numbers,
related URLs and/or certificates>
C) We are testing certificates in our CA hierarchy with Mozilla's new
Certificate Verification library, and plan to send Mozilla our results
by <insert date here, must be before June 30, 2014>.

You might note that they should particularly make sure to check EV
status, and to check chains through all currently-used intermediates.
Perhaps this could be noted on the testing page itself, though.

Added to the wiki page
https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Request_for_Testing
"Note to CAs: Be sure to check EV status, and check chains through all currently-used intermediate certs."



4) Check your certificate issuance to confirm that no new certificates
will be issued with the problems listed here:
https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix

If we are sending out a wiki URL, we should link to a particular
historical version so the CAs have a stable target. E.g.:

https://wiki.mozilla.org/index.php?title=SecurityEngineering/mozpkix-testing&oldid=970104

Otherwise, if that page gets edited, and they say "item 5", you might
not know what they were referring to.


Good point, but I have concerns about doing that. Hopefully the "Things for CAs to Fix" section won't be changing much.




Please respond with one of the following:
A) We have not and will not issue certificates with

....any of...

added.


the problems listed
in the mozpkix-testing#Things_for_CAs_to_Fix wiki page.
B) We have previously issued certificates with the following problems
listed in the mozpkix-testing#Things_for_CAs_to_Fix wiki page: <list the
problems that needed to be fixed>. The last of those certificates expire
<insert dates here>.

One date per problem.

added.


We will not issue new certificates with the
problems listed in the mozpkix-testing#Things_for_CAs_to_Fix wiki page
as of this date: <date when your operations will be updated, no later
than June 30, 2014>

Does the list on that wiki page need to include the Microsoft equivalent
of the SGC EKU? Or are we not mentioning that?


Yes, it's item #1 in the "Things for CAs to Fix" section.

Thanks,
Kathleen


_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
