
Prioritization of Root CA Inclusion Requests


Ben Wilson

Mar 24, 2021, 6:49:35 PM
to mozilla-dev-security-policy
All,

I'd like to have you review the prioritization proposal below, which will
help us as we process CA inclusion requests.
(https://wiki.mozilla.org/CA/Application_Process)

Thanks,

Ben

-------------------

Prioritization of CA Root Inclusion Requests will be based on the factors
described below and use the P1-P5 Priority categories available in the
Bugzilla system with our own priority categorization for the CA root
inclusion program.

- *P1 = High* (Applicant has good compliance history and is replacing an
  already-included root)

- *P2 = Medium High* (Applicant is well-prepared and responsive, with a
  good history of policy compliance)

- *P3 = Medium* (Applicant’s request and responsiveness are “average”, but
  demonstrates compliance with policies)

- *P4 = Medium Low* (Applicant’s responsiveness and compliance history are
  “average”)

- *P5 = Low* (Applicant has much work to do, is slow to respond to
  requests, or has not demonstrated full compliance with policies)

Factors assessed in setting the above-referenced priorities, in order of
importance, are:

1 - Alignment with Mozilla Manifesto -
https://www.mozilla.org/en-US/about/manifesto/

2 - Compliance (Based on the compliance history of existing CA operators,
and their responsiveness to issues)
https://wiki.mozilla.org/CA/Incident_Dashboard

3 - Replacing Existing (Existing CA operators that are replacing an
already-included root certificate)
https://wiki.mozilla.org/CA/Certificate_Change_Process

4 - Responsiveness/Complete and Timely (Applicant provides clear,
complete, concise and timely responses to questions, comments, or concerns
about their root inclusion request)

5 - Single-Purpose, Separate Roots (Hierarchies that are separated by root
for a particular purpose)
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CA_Hierarchy

6 - CA Hierarchy Control (CA hierarchies comprised solely of CAs fully
controlled by the applicant)
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#53-intermediate-certificates


7 - Completeness (Applicant completes all information in CCADB)
https://wiki.mozilla.org/CA/Information_Checklist#Create_a_Root_Inclusion_Case

8 - CPS Quality (Initially provided CP/CPS documents fully meet Mozilla’s
Root Store Policy and the CAB Forum Baseline Requirements)
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Publicly_Available_CP_and_CPS


9 - Updating Trust Bits or EV-Enablement of Already-Included Root
Certificate (Existing CAs that are only requesting EV enablement or adding
a trust bit to an already-included root certificate)
https://wiki.mozilla.org/CA/Certificate_Change_Process#Enable_EV

10 - Ready (Detailed CP/CPS Review is complete and CA is “Ready for
Discussion”)
https://wiki.mozilla.org/CA/Application_Verification#Detailed_Review

Ben Wilson

Mar 30, 2021, 6:43:50 PM
to mozilla-dev-security-policy
For future reference, this is now posted here:
https://wiki.mozilla.org/CA/Prioritization.