All,
It has been brought to my attention that we do not have a documented
procedure or policy about how to transfer a root certificate from one CA
to another.
Do we need to add expectations about root cert transfers to Mozilla's CA
Certificate Policy?
I think, at the minimum, we should add information about our
expectations to one of our process wiki pages, or maybe this needs its
own wiki page?
Here's what I usually tell CAs when they ask:
1) I recommend creating a transfer agreement and have it reviewed by the
auditors for both the current and the new CA.
2) New cert issuance (at the current CA's site) should be stopped before
the transfer begins.
3) There should be an audit performed at the current CA's site to
confirm when the root certificates is ready for transfer.
4) Before the new CA begins issuing certs in the transferred CA cert
hierarchy, there should be an audit performed at the new CA's site to
confirm that the transfer was successful and that the root cert is ready
to resume issuance.
5) The regular annual audit statements are still expected to happen
within a timely manner, or the root cert may be removed.
6) Keep the Mozilla CA Certificate Module Owner appraised of the status
of these steps, and inform immediately if a problem occurs.
I will appreciate your thoughtful and constructive input on this topic.
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
