For future reference, this is now posted here: https://wiki.mozilla.org/CA/Prioritization.
On Wed, Mar 24, 2021 at 4:49 PM Ben Wilson <bwil...@mozilla.com> wrote:

> All,
>
> I'd like to have you review the prioritization proposal below, which will help us as we process CA inclusion requests. (https://wiki.mozilla.org/CA/Application_Process)
>
> Thanks,
>
> Ben
>
> -------------------
>
> Prioritization of CA Root Inclusion Requests will be based on the factors described below and use the P1-P5 Priority categories available in the Bugzilla system with our own priority categorization for the CA root inclusion program.
>
> - *P1 = High* (Applicant has good compliance history and is replacing an already-included root)
> - *P2 = Medium High* (Applicant is well-prepared and responsive, with a good history of policy compliance)
> - *P3 = Medium* (Applicant’s request and responsiveness are “average”, but demonstrates compliance with policies)
> - *P4 = Medium Low* (Applicant’s responsiveness and compliance history are “average”)
> - *P5 = Low* (Applicant has much work to do, is slow to respond to requests, or has not demonstrated full compliance with policies)
>
> Factors assessed in setting the above-referenced priorities, in order of importance, are:
>
> 1 - Alignment with Mozilla Manifesto - https://www.mozilla.org/en-US/about/manifesto/
>
> 2 - Compliance (Based on the compliance history of existing CA operators, and their responsiveness to issues)
> https://wiki.mozilla.org/CA/Incident_Dashboard
>
> 3 - Replacing Existing (Existing CA operators that are replacing an already-included root certificate)
> https://wiki.mozilla.org/CA/Certificate_Change_Process
>
> 4 - Responsiveness/Complete and Timely (Applicant provides clear, complete, concise and timely responses to questions, comments, or concerns about their root inclusion request)
>
> 5 - Single-Purpose, Separate Roots (Hierarchies that are separated by root for a particular purpose)
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CA_Hierarchy
>
> 6 - CA Hierarchy Control (CA hierarchies comprised solely of CAs fully controlled by the applicant)
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#53-intermediate-certificates
>
> 7 - Completeness (Applicant completes all information in CCADB)
> https://wiki.mozilla.org/CA/Information_Checklist#Create_a_Root_Inclusion_Case
>
> 8 - CPS Quality (Initially provided CP/CPS documents fully meet Mozilla’s Root Store Policy and the CAB Forum Baseline Requirements)
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Publicly_Available_CP_and_CPS
>
> 9 - Updating Trust Bits or EV-Enablement of Already-Included Root Certificate (Existing CAs that are only requesting EV enablement or adding a trust bit to an already-included root certificate)
> https://wiki.mozilla.org/CA/Certificate_Change_Process#Enable_EV
>
> 10 - Ready (Detailed CP/CPS Review is complete and CA is “Ready for Discussion”)
> https://wiki.mozilla.org/CA/Application_Verification#Detailed_Review

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy