Summary
The operator of a Mozilla-trusted root CA is at all times completely and ultimately accountable for every certificate signed under the root CA, whether directly or through subordinate CAs or cross-certified CAs. It is responsible to ensure that the subCA fully and continually complies with requirements.
When a root CA intends to sign an externally operated subordinate CA (subCA) certificate, it is responsible for collecting information and performing due diligence that meets or exceeds that performed by Mozilla on root inclusion requests, and for initiating the public discussion on the Mozilla dev-security-policy mailing list. Following public discussion, the Mozilla CA Program Manager will determine whether or not the subordinate CA will be accepted, and update the corresponding CCADB record to indicate the result.
The process outlined herein applies to subCA operators not already in the Mozilla root program. A different procedure would be followed, for instance, when two CA operators already in the Mozilla root program are creating a cross certificate for interoperability or ubiquity.
Applicable Policy Provisions
Section 8 of the Mozilla Root Store Policy (MRSP) requires that root CA operators notify Mozilla when a new third party is going to operate a trusted CA outside of the confines of the CA operator’s existing operations.
According to Section 8 of the Mozilla Root Store Policy,
CAs SHOULD NOT assume that trust is transferable. All CAs whose certificates are included in Mozilla's root program MUST notify Mozilla if: . . . an organization other than the CA obtains control of an unconstrained intermediate certificate (as defined in section 5.3.2 of this policy) that directly or transitively chains to the CA's included certificate(s) . . . . CAs should err on the side of notification if there is any doubt. Mozilla will normally keep commercially sensitive information confidential. Throughout any change, CA operations MUST continue to meet the requirements of this policy. . . . CAs are encouraged to notify in advance in order to avoid unfortunate surprises.
Mozilla Root Store Policy section 8.1 states:
If the receiving or acquiring company is new to the Mozilla root program, it must demonstrate compliance with the entirety of this policy and there MUST be a public discussion regarding their admittance to the root program, which Mozilla must resolve with a positive conclusion in order for the affected certificate(s) to remain in the root program. If the entire CA operation is not included in the scope of the transaction, issuance is not permitted until the discussion has been resolved with a positive conclusion.
Process Overview
Information gathering, due diligence, and public discussion should all happen before the signing of the subCA certificate. Prior to signing the subCA, the root CA operator should collect and verify the required documentation, as set forth in the numbered list below.
The public discussion phase should also occur prior to the signing of the subCA. However, current policy permits public discussion to occur following signing.
In either case, Mozilla’s prior approval is required because discussion must be “resolved with a positive conclusion” before issuance of end entity certificates.
In any event, public disclosure of the subCA in the CCADB must occur within one week as required by MRSP § 5.3.2. Part of the disclosure involves indicating whether the subCA is covered by the same audits as the parent CA or whether it has a separate audit.
Required Documentation
Before subCA creation or at the latest one week following subCA creation, a bug should be created in Bugzilla under the NSS Product with a component of “CA Certificate Root Program”.
The root CA operator must submit an auditor’s key generation report for the key pair that is signed by the root CA. It is also the root CA operator’s obligation to provide audit statements for the subCA. The key generation report and relevant audit statement(s) should be uploaded to the bug in Bugzilla and referenced in the subCA’s record in the CCADB.
SubCA audits should follow the same audit rules as for root CAs. If the subCA is new, it need only supply a type-1 (point-in-time) audit statement to Mozilla prior to approval. The new subCA certificate must appear in subsequent type-2 (period-of-time) audit statements, but is not required to appear on the statements submitted to Mozilla for approval, so long as the root CA asserts that the subCA will be operated within the scope of the supplied audit statements. For more information, see Mozilla’s Policy about Third-Party Subordinate CAs.
Prior to public discussion, the root CA operator must confirm that it has verified all of the following information, which must be provided when the root CA operator starts the public discussion in Mozilla’s dev-security-policy mailing list.
External Third Party’s Full Legal Name
External Third Party’s Website URL
Expected CA hierarchy under the subCA
Audits - If the root CA audits do not include the SHA256 hash for this subCA, then provide a publishable statement or letter from an auditor that meets the requirements of Mozilla's Root Store Policy.
Links to the subCA’s current CP/CPS
The CA must review the subCA’s CP/CPS for required and prohibited practices.
After a minimum of 3 weeks have passed, a Mozilla representative will announce a one-week “last call” for objections. Mozilla may determine to extend public discussion, or approve or reject the subCA. If the subCA is approved, Mozilla will indicate in the appropriate fields of the CCADB that the public discussion process has taken place and that it has been approved as an externally operated CA. Issuance of end entity certificates from the subCA may then commence. If the subCA is rejected, then any existing subCA certificate will be added to OneCRL.
Process Overview
Information gathering, due diligence, and public discussion should all happen before the signing of the subCA certificate. Prior to signing the subCA, the root CA operator should collect and verify the required documentation, as set forth in the numbered list below.
The public discussion phase should also occur prior to the signing of the subCA. However, current policy permits public discussion to occur following signing.
In either case, Mozilla’s prior approval is required because discussion must be “resolved with a positive conclusion” before issuance of end entity certificates.
Required Documentation
Before subCA creation or at the latest one week following subCA creation, a bug should be created in Bugzilla under the NSS Product with a component of “CA Certificate Root Program”.
SubCA audits should follow the same audit rules as for root CAs. If the subCA is new, it need only supply a type-1 (point-in-time) audit statement to Mozilla prior to approval. The new subCA certificate must appear in subsequent type-2 (period-of-time) audit statements, but is not required to appear on the statements submitted to Mozilla for approval, so long as the root CA asserts that the subCA will be operated within the scope of the supplied audit statements. For more information, see Mozilla’s Policy about Third-Party Subordinate CAs.
After a minimum of 3 weeks have passed, a Mozilla representative will announce a one-week “last call” for objections. Mozilla may determine to extend public discussion, or approve or reject the subCA. If the subCA is approved, Mozilla will indicate in the appropriate fields of the CCADB that the public discussion process has taken place and that it has been approved as an externally operated CA. Issuance of end entity certificates from the subCA may then commence. If the subCA is rejected, then any existing subCA certificate will be added to OneCRL.
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20210619000921.GB5902%40hezmatt.org.