Hi Kathleen,

Is the same process used for existing CAs that need to add a new root and new CAs applying for the first time?

Doug

> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+doug.beattie=globalsign....@lists.mozilla.org] On Behalf Of Kathleen Wilson via dev-security-policy
> Sent: Tuesday, January 9, 2018 7:24 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Changes to CA Program - Q1 2018
>
> All,
>
> I would like to thank Aaron Wu for all of his help on our CA Program, and am sorry to say that his last day at Mozilla will be January 12. I have appreciated all of Aaron’s work, and it has been a pleasure to work with him.
>
> I will be re-assigning all of the root inclusion/update Bugzilla Bugs back to me, and I will take back responsibility for the high-level verification of the CA-provided data for root inclusion/update requests.
> I will also take back responsibility for verifying CA annual updates, and we will continue to work to improve that process and automation via the CCADB.
>
> Wayne Thayer, Gerv Markham, and Ryan Sleevi have already taken responsibility for the CA Incident bugs (https://wiki.mozilla.org/CA/Incident_Dashboard). Thankfully, many of you members of the CA Community are helping with this effort.
>
> Wayne and Devon O’Brien will take responsibility for ensuring that thorough reviews of CA root inclusion/update requests happen (see below), and Wayne will be responsible for the discussion phase of CA root inclusion/update requests. We greatly appreciate all of the input that you all provide during the discussions of these requests, and are especially grateful for the thorough reviews that have been performed and documented, with special thanks to Ryan Sleevi, Andrew Whalley, and Devon O’Brien.
>
> I think this is a good time for us to make some changes to Mozilla’s Root Inclusion Process to improve the effectiveness of the public discussion phase by performing the detailed CP/CPS review prior to the public discussion. The goal of this change is to focus the discussion period on gathering community input and to allow the process to continue when no objections are raised.
>
> As such, I propose that we make the following changes to https://wiki.mozilla.org/CA/Application_Process#Process_Overview
>
> ~~ PROPOSED CHANGES ~~
>
> Step 1: A representative of the CA submits the request via Bugzilla and provides the information as listed in https://wiki.mozilla.org/CA/Information_Checklist.
>
> * Immediate change: None
>
> * Future change: CAs will directly input their Information Checklist data into the CCADB.
> All root inclusion/update requests will begin with a Bugzilla Bug, as we do today. However, we will create a process by which CAs will be responsible for entering and updating their own data in the CCADB for their request.
>
> Step 2: A representative of Mozilla verifies the information provided by the CA.
>
> * Immediate change: None
> This will continue to be a high-level review to make sure that all of the required data has been provided, per the Information Checklist, and that the required tests have been performed.
>
> * Future change: Improvements/automation in CCADB for verifying this data.
>
> Step 3: A representative of Mozilla adds the request to the queue for public discussion.
>
> * Immediate change: Replace this step as follows.
> NEW Step 3: A representative of Mozilla or of the CA Community (as agreed by a Mozilla representative) thoroughly reviews the CA’s documents, and adds a Comment in the Bugzilla Bug about their findings.
> If the CA has everything in order, then the Comment will be that the request may proceed, and the request will be added to the queue for public discussion. Otherwise the Comment will list actions that the CA must complete. This may include, but is not limited to, fixing certificate content, updating process, updating the CP/CPS, and obtaining new audit statements. The list of actions will be categorized into one of the following 3 groups:
> --- 1: Must be completed before this request may proceed.
> --- 2: Must be completed before this request may be approved, but the request may continue through the public discussion step in parallel with the CA completing their action items.
> --- 3: Must be completed before the CA’s next annual audit, but the request may continue through the rest of the approval/inclusion process.
>
> Step 4: Anyone interested in the CA's application participates in discussions of CA requests currently in discussion in the mozilla.dev.security.policy forum.
>
> * Immediate Change: Delete this step from the wiki page, because it is a general statement that does not belong here.
>
> Step 5: When the application reaches the head of the queue, a representative of Mozilla starts the public discussion for the CA in the mozilla.dev.security.policy forum.
> We prefer that at least two independent parties review and comment upon each application.
>
> * Immediate change: Due to the change in Step 3, this step becomes more of a time-limited comment period, during which CA Community members may raise concerns or questions. But if no one posts any concerns in the discussion forum, then that will be interpreted as meaning that the CA Community does not have concerns about the request. So, after the specified time, if no concerns are raised, then the discussion will be closed, and the request will move on to the approval phase.
> NEW Step 5: When the application reaches the head of the queue, a representative of Mozilla starts the public discussion for the CA in the mozilla.dev.security.policy forum, stating Mozilla’s intent to approve the request and initiating a 3 week comment period. If no concerns are raised during that time period, then the representative of Mozilla will close the discussion and the request may proceed to the approval phase.
>
> Step 6 - no change
>
> Step 7 - add sub-bullet:
> * A discussion may be extended beyond the initial comment period if concerns or questions are raised that require further attention.
>
> Steps 8-20 - no change
>
> ~~
>
> I will appreciate constructive feedback on this.
>
> Thanks,
> Kathleen
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy