> On 4/23/15 4:21 PM, Kathleen Wilson wrote:
> > All,
> >
> > It has been brought to my attention that we do not have a documented
> > procedure or policy about how to transfer a root certificate from one CA
> > to another.
> >
> > Do we need to add expectations about root cert transfers to Mozilla's CA
> > Certificate Policy?
> >
> > I think, at the minimum, we should add information about our
> > expectations to one of our process wiki pages, or maybe this needs its
> > own wiki page?
> >
> > Here's what I usually tell CAs when they ask:
> >
> > 1) I recommend creating a transfer agreement and have it reviewed by the
> > auditors for both the current and the new CA.
> >
> > 2) New cert issuance (at the current CA's site) should be stopped before
> > the transfer begins.
> >
> > 3) There should be an audit performed at the current CA's site to
> > confirm when the root certificates is ready for transfer.
> >
> > 4) Before the new CA begins issuing certs in the transferred CA cert
> > hierarchy, there should be an audit performed at the new CA's site to
> > confirm that the transfer was successful and that the root cert is ready
> > to resume issuance.
> >
> > 5) The regular annual audit statements are still expected to happen
> > within a timely manner, or the root cert may be removed.
> >
> > 6) Keep the Mozilla CA Certificate Module Owner appraised of the status
> > of these steps, and inform immediately if a problem occurs.
> >
> >
> > I will appreciate your thoughtful and constructive input on this topic.
> >
> > Kathleen
>
>
> Things to add:
>
> 7) The new CA must follow Mozilla's policy, and provide public-facing
> CP/CPS documentation and audit statements. So, the new CA has to send
> Mozilla the URLs to those.
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
> https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices
>
> 8) The agreement between the current and new CAs should take the trust
> bit settings into account (Websites (SSL/TLS), Email (S/MIME), and Code
> Signing), and the current and new CAs should inform Mozilla's CA
> Certificate Module Owner if one or more of the trust bits should be
> turned off. Of course, to turn a trust bit on requires the new CA to go
> through Mozilla's root change process -
> https://wiki.mozilla.org/CA:How_to_apply#Enable_Additional_Trust_Bits_for_an_included_root
>
> Kathleen
Also I am thinking to make sure the key material is properly secured when the
root is being transferred.
Yuhong Bao
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
