Prioritization of Root CA Inclusion Requests

188 views
Skip to first unread message

Ben Wilson

unread,
Mar 24, 2021, 6:49:35 PM3/24/21
to mozilla-dev-security-policy
All,

I'd like to have you review the prioritization proposal below, which will
help us as we process CA inclusion requests. (
https://wiki.mozilla.org/CA/Application_Process)

Thanks,

Ben

-------------------

Prioritization of CA Root Inclusion Requests will be based on the factors
described below and use the P1-P5 Priority categories available in the
Bugzilla system with our own priority categorization for the CA root
inclusion program.

-

*P1 = High* (Applicant has good compliance history and is replacing an
already-included root)


-

*P2 = Medium High* (Applicant is well-prepared and responsive, with a
good history of policy compliance)


-

*P3 = Medium *(Applicant’s request and responsiveness are “average”, but
demonstrates compliance with policies)


-

*P4 = Medium Low* (Applicant’s responsiveness and compliance history are
“average”)


-

*P5 = Low *(Applicant has much work to do, is slow to respond to
requests, or has not demonstrated full compliance with policies)

Factors assessed in setting the above-referenced priorities, in order of
importance, are:

1 - Alignment with Mozilla Manifesto -
https://www.mozilla.org/en-US/about/manifesto/

2 - Compliance (Based on the compliance history of existing CA operators,
and their responsiveness to issues)
https://wiki.mozilla.org/CA/Incident_Dashboard

3 - Replacing Existing (Existing CA operators that are replacing an
already-included root certificate)
https://wiki.mozilla.org/CA/Certificate_Change_Process

4 - Responsiveness/Complete and Timely (Applicant provides clear,
complete, concise and timely responses to questions, comments, or concerns
about their root inclusion request)

5 - Single-Purpose, Separate Roots (Hierarchies that are separated by root
for a particular purpose)
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CA_Hierarchy

6 - CA Hierarchy Control (CA hierarchies comprised solely of CAs fully
controlled by the applicant)
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#53-intermediate-certificates


7 - Completeness (Applicant completes all information in CCADB)
https://wiki.mozilla.org/CA/Information_Checklist#Create_a_Root_Inclusion_Case

8 - CPS Quality (Initially provided CP/CPS documents fully meet Mozilla’s
Root Store Policy and the CAB Forum Baseline Requirements)
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Publicly_Available_CP_and_CPS


9 - Updating Trust Bits or EV-Enablement of Already-Included Root
Certificate (Existing CAs that are only requesting EV enablement or adding
a trust bit to an already-included root certificate)
https://wiki.mozilla.org/CA/Certificate_Change_Process#Enable_EV

10 - Ready (Detailed CP/CPS Review is complete and CA is “Ready for
Discussion”)
https://wiki.mozilla.org/CA/Application_Verification#Detailed_Review

Ben Wilson

unread,
Mar 30, 2021, 6:43:50 PM3/30/21
to mozilla-dev-security-policy
For future reference, this is now posted here:
https://wiki.mozilla.org/CA/Prioritization.
Reply all
Reply to author
Forward
0 new messages