DRAFT - BR Self Assessments

[Kathleen Wilson]

All,

As mentioned in the GDCA discussion[1], I would like to add a step to Mozilla's CA Inclusion/Update Request Process[2] in which the CA performs a self-assessment about their compliance with the CA/Browser Forum's Baseline Requirements.

A draft of this new step is here:
https://wiki.mozilla.org/CA:BRs-Self-Assessment

It includes a link to a template for CA's BR Self Assessment, which is a Google Doc:
https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing

Here's how I am considering introducing this new step. Of course, this only applies to CAs who are requesting the Websites trust bit.

+ For the CAs currently in the queue for discussion, I would ask them to perform this BR Self Assessment before I would start their discussion.

+ For CAs currently in the Information Verification phase, I would ask them to perform this BR Self Assessment before we would continue with Information Verification.

+ For new requests, we would have the BR Self Assessment be the very first step.


I would greatly appreciate your feedback on adding this step to the root inclusion/update process, the wiki page draft, and the template.


Thanks,
Kathleen

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/kB2JrygK7Vk/Kk7Le2F7CQAJ
[2] https://wiki.mozilla.org/CA

[Jeremy Rowley]

Hi Kathleen,

This is a good idea, and I like the phased-in approach. The mapping exercise
is similar to how other communities evaluate inclusion requests and makes it
more apparent how the CA is complying with the various Mozilla requirements.
An extension on this could be to have CAs annually file an updated mapping
with their WebTrust audit. That way it's a reminder that the CA needs to
notify Mozilla of changes in their process and keeps the CAs thinking about
updating practices to stay in-line with the baseline requirements. Plus, a
practice like that would provide better notice to the public on CA policy
changes and how CAs are responding to new threats.

Jeremy

_______________________________________________
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

[Kathleen Wilson]

On Wednesday, March 29, 2017 at 2:00:05 PM UTC-7, Jeremy Rowley wrote:
> ...

> An extension on this could be to have CAs annually file an updated mapping
> with their WebTrust audit. That way it's a reminder that the CA needs to
> notify Mozilla of changes in their process and keeps the CAs thinking about
> updating practices to stay in-line with the baseline requirements. Plus, a
> practice like that would provide better notice to the public on CA policy
> changes and how CAs are responding to new threats.
>

Oh! I like that idea!

The timing is good, as we are just now switching over to the new annual process:
https://wiki.mozilla.org/CA:CommonCADatabase#How_To_Provide_Annual_Updates

I could also say something about it in the CA Communication we are getting ready to send.

Does anyone see a reason why we should *not* require a new BR-self-assessment annually from every CA with the Websites trust bit enabled?

I think CAs could just attach it to their original root inclusion bug each year.

Kathleen

[Kathleen Wilson]

I updated https://wiki.mozilla.org/CA:BRs-Self-Assessment to add a section called 'Annual BR Self Assessment', which states:
"CAs with included root certificates that have the Websites trust bit set must do an annual self-assessment of their compliance with the BRs, and must update their CP and CPS documents at least once every year."

I added a section about this to the root inclusion/update Information Checklist:
https://wiki.mozilla.org/CA:Information_checklist#Baseline_Requirements_Self_Assessement

And I updated ACTION 2 of the CA Communication
https://mozillacaprogram.secure.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a05o000003WrzBC
to include a link to this.

Thanks,
Kathleen

[wangs...@gmail.com]

在 2017年4月4日星期二 UTC+8上午1:47:34，Kathleen Wilson写道：

Hi Kathleen

We have a question about completing the BR self assessment, is it necessary that all the BRs requirements appear in relevant sections of the CP/CPS? Or for some BRs requirements that are not specifically disclosed in the CP/CPS, CAs can explain their rules and practices to show that they meet or exceed these requirements?
Thanks.

[Kathleen Wilson]

On Saturday, April 22, 2017 at 5:25:35 AM UTC-7, wangs...@gmail.com wrote:
> We have a question about completing the BR self assessment, 
> is it necessary that all the BRs requirements appear in 
> relevant sections of the CP/CPS? 

It is OK if the information is in different sections in the CP/CPS, just be sure to indicate which sections of the CP/CPS the information is in.

> Or for some BRs requirements that are not specifically 
> disclosed in the CP/CPS, CAs can explain their rules and 
> practices to show that they meet or exceed these requirements?

Per section 3.3 Mozilla's CA Certificate Policy:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
"We rely on publicly disclosed documentation (e.g., in a Certificate Policy and Certification Practice Statement) to ascertain that our requirements are met."

So, for the most part, the information must be available in publicly disclosed documentation that is available on the CA's website. And in the BR Self Assessment you need to clearly indicate which document and which section of the document shows that your CA meets the BR.

There are items, such as the three test websites, that we can verify directly, so those items do not need to be in the CP/CPS documents.

When you are doing your BR Self Assessment, if you find that the required information is not currently in your CP/CPS documents, then you may indicate what your CA currently does, how it is currently documented, that the next version of your CP/CPS will contain this information, and when the next version of your CP/CPS will be available.

Kathleen