By the time version 2.3 of Mozilla’s CA Cert Policy is published, I hope to have issued a CA Community License to every included CA. Taking that into consideration, I propose changing the policy as follows.

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
“10. … The CA with a certificate included in Mozilla’s CA Certificate Program MUST disclose this information *in the CA Community in Salesforce* <link to https://wiki.mozilla.org/CA:SalesforceCommunity> before any such subordinate CA is allowed to issue certificates *chaining up to the CA’s included root certificate*. …”

Additionally, I propose that we change the first bullet point in this section, because in the CA Community in Salesforce the CA is expected to copy-paste in the contents of the .pem file for the intermediate cert. “10. … For a certificate to be considered publicly disclosed and audited, the following information MUST be provided: ..."
CURRENT text:
"- The full DER-encoded X.509 certificate (Each issuing CA should provide one .p7c, .zip, or .tgz file containing all of the non-technically-constrained intermediate certificates that it has signed.); …”
CHANGE to:
“- The PEM (Privacy-enhanced Electronic Mail) Base64 encoded DER X.509 certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----";”


Also, in the https://wiki.mozilla.org/CA:SalesforceCommunity wiki page I propose adding the following section:
== When to Add Intermediate Certificate Data ==
As per Mozilla’s CA Certificate Inclusion policy, all certificates that are capable of being used to issue new certificates, that are not technically constrained (via Extended Key Usage and Name Constraint settings), and that directly or transitively chain to a certificate included in Mozilla’s CA Certificate Program MUST be audited in accordance with Mozilla’s CA Certificate Policy and MUST be publicly disclosed by the CA that has its certificate included in Mozilla’s CA Certificate Program.

The CA with a certificate included in Mozilla’s CA Certificate Program MUST add the PEM-encoded X.509 intermediate certificate and the corresponding CP/CPS and Audit documentation to the CA Community in Salesforce before the subordinate CA begins issuing Publicly-Trusted Certificates that chain up to the CA’s included root certificate.
~~


As always, I will appreciate your thoughtful and constructive input about this proposal.

Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy