Here's a draft of the Bugzilla Bug that I plan to file to list the action items for PROCERT to complete before they may re-apply for inclusion in Mozilla's Root Store. I will appreciate feedback on this.
== DRAFT == Subject: PROCERT: Action Items As per Bug #1403549 the PSCProcert certificate will be removed from Mozilla’s Root Store due to a long list of problems and they way that PROCERT responded to those problems (and to previous CA Communications). For details about the problems, see Bug #1391058 and https://wiki.mozilla.org/CA:PROCERT_Issues The purpose of this bug is to record the action items that PROCERT must complete before their certificate may be included as a trust anchor in Mozilla’s Root Store again. PROCERT may apply for inclusion of a new certificate[1] following Mozilla's normal root inclusion/change process[2], after they have completed all of the following action items. 1. Provide a list of changes that the CA plans to implement to ensure that there are no future violations of Mozilla's CA Certificate Policy and the CA/Browser Forum's Baseline Requirements. 2. Implement the changes, and update their CP/CPS to fully document their improved processes. 3. Provide a reasonably detailed[4] public-facing attestation from a licensed auditor[3] acceptable to Mozilla that the changes have been made. This audit may be part of an annual audit. 4. Provide auditor[3] attestation that a full performance audit has been performed confirming compliance with the CA/Browser Forum's Baseline Requirements. This audit may be part of an annual audit. Notes: [1] The new certificate (trust anchor) may be cross-signed by the removed certificate. However, the removed certificate may *not* be cross-signed by the new certificate, because that would bring the concerns about the removed certificate into the scope of the new trust anchor. [2] Mozilla's root inclusion/change process includes checking that certificates in the CA hierarchy comply with the CA/Browser Forum's Baseline Requirements. [3] The auditor must be an external company, and approved by Mozilla. [4] “detailed” audit report means that management attests to their system design and the controls they have in place to ensure compliance, and the auditor evaluates and attests to those controls. This assertion by management - and the auditor's independent assessment of the factual veracity of that assertion - will help provide a greater level of assurance that PROCERT has successfully understood and integrated the BRs. == Thanks, Kathleen _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
