Mozilla has started using the Common CA Database to track root certificates in its root program, and the intermediate certificates which chain up to those roots. This has led to substantial changes to the practical processes that CAs must follow. In addition, it is hoped and anticipated that other root stores will take advantage of the CCADB.
It is proposed that we deal with this from a policy perspective by doing the following:

1) Drafting a "Common CCADB Policy", which explains what CAs who are required by their root stores to use the CCADB must do. (This is as distinct from how they do it, which would be covered in some separately-maintained manual on how to use the system.) Although no other root store has yet signed on to this document, the idea is that it would be agreed and shared across all root stores using the CCADB, so that CAs would not need to deal with multiple differently-worded sets of requirements on what they are required to do in the system.

2) In addition, each root store would have a store-specific CCADB Policy, which would detail the store-specific requirements on CAs using the CCADB. Examples might include giving store contact information, or defining special processes to follow for a security incident in addition to those in the main CCADB policy.

3) The CCADB policy would be incorporated by reference into the main root store policy, using wording something like this:

> RootStoreName uses the <a>Common CA Database</a> (CCADB). CAs in the
> program are required to use the CCADB, and are bound by the <a>Common
> CCADB Policy v.X.X</a> and the <a>RootStoreName CCADB Policy
> v.Y.Y</a>, which are incorporated here by reference.

4) The Mozilla root store policy also needs updating to remove any content which is duplicated in the CCADB policies. We must also remove out-of-date processes and procedures (e.g. Bugzilla-based ones) for making updates, and replace them with references to the CCADB. (Note, however, that the process for initial inclusion is still Bugzilla-based.)

5) We will need to update the CCADB-related pages on the Mozilla wiki to disentangle and remove the policy bits from the operational bits, turning them solely into a manual for how to use the system. (This has not yet been attempted.)
There is a branch in the GitHub repo which adds a draft of the Common CCADB Policy (again, note that despite the name only Mozilla has signed up to this document for now) and the Mozilla CCADB Policy, and makes the necessary changes to the main root store policy. You can find all of that here:

https://github.com/mozilla/pkipolicy/compare/issue-9

The corresponding issue is:

https://github.com/mozilla/pkipolicy/issues/9

-------

This is a proposed update to Mozilla's root store policy for version 2.4. Please keep discussion in this group rather than on GitHub. Silence is consent.

Policy 2.3 (current version): https://github.com/mozilla/pkipolicy/blob/2.3/rootstore/policy.md

Update process: https://wiki.mozilla.org/CA:CertPolicyUpdates

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy