On 4/23/2015 4:21 PM, Kathleen Wilson wrote:
> All,
>
> It has been brought to my attention that we do not have a documented
> procedure or policy about how to transfer a root certificate from one CA
> to another.
>
> Do we need to add expectations about root cert transfers to Mozilla's CA
> Certificate Policy?
>
> I think, at the minimum, we should add information about our
> expectations to one of our process wiki pages, or maybe this needs its
> own wiki page?
>
> Here's what I usually tell CAs when they ask:
>
> 1) I recommend creating a transfer agreement and have it reviewed by the
> auditors for both the current and the new CA.
>
> 2) New cert issuance (at the current CA's site) should be stopped before
> the transfer begins.
>
> 3) There should be an audit performed at the current CA's site to
> confirm when the root certificate is ready for transfer.
>
> 4) Before the new CA begins issuing certs in the transferred CA cert
> hierarchy, there should be an audit performed at the new CA's site to
> confirm that the transfer was successful and that the root cert is ready
> to resume issuance.
>
> 5) The regular annual audit statements are still expected to happen
> within a timely manner, or the root cert may be removed.
>
> 6) Keep the Mozilla CA Certificate Module Owner apprised of the status
> of these steps, and inform immediately if a problem occurs.
>
>
> I will appreciate your thoughtful and constructive input on this topic.
>
> Kathleen

If "transfer" involves a change of ownership, whether the new owner is
trustworthy must be the first consideration. Thus, I suggest any policy
provide:

1. Mozilla must be informed of any change of ownership of a root
certificate before any new intermediate or subscriber certificates are
signed such that they chain to that root.

2. If the new owner is a certification authority whose root
certificates already exist in the NSS database, that root will continue
to be considered trusted. However, trust bits and EV status of the
transferred root cannot exceed the collective trust and EV status of the
other roots of the new owner. The audit cycle for the transferred root
will be changed to match that of its new owner.

3. If the new owner does not already have root certificates in the NSS
database, the transferred root must be immediately marked as untrusted
until the new owner undergoes the existing process for adding new roots
to the NSS database. Provision should be made for initiating that
process for the new owner prior to the transfer in order to avoid any
hiatus in the transferred root's trust, including giving priority in
consideration ahead of other roots in the pipeline. However, the
prospective new owner -- not Mozilla -- is responsible for initiating
the process.

--
David E. Ross

I am sticking with SeaMonkey 2.26.1 until saved passwords can
be used when autocomplete=off. See
<https://bugzilla.mozilla.org/show_bug.cgi?id=433238>.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy