Re: Prioritization of Root CA Inclusion Requests

2021-03-30 Thread Ben Wilson via dev-security-policy
For future reference, this is now posted here:
https://wiki.mozilla.org/CA/Prioritization.

On Wed, Mar 24, 2021 at 4:49 PM Ben Wilson  wrote:

> All,
>
> I'd like to have you review the prioritization proposal below, which will
> help us as we process CA inclusion requests. (
> https://wiki.mozilla.org/CA/Application_Process)
>
> Thanks,
>
> Ben
>
> -------
>
> Prioritization of CA Root Inclusion Requests will be based on the factors
> described below and use the P1-P5 Priority categories available in the
> Bugzilla system with our own priority categorization for the CA root
> inclusion program.
>
> - *P1 = High* (Applicant has good compliance history and is replacing an
>   already-included root)
>
> - *P2 = Medium High* (Applicant is well-prepared and responsive, with a
>   good history of policy compliance)
>
> - *P3 = Medium* (Applicant’s request and responsiveness are “average”,
>   but demonstrates compliance with policies)
>
> - *P4 = Medium Low* (Applicant’s responsiveness and compliance history
>   are “average”)
>
> - *P5 = Low* (Applicant has much work to do, is slow to respond to
>   requests, or has not demonstrated full compliance with policies)
>
> Factors assessed in setting the above-referenced priorities, in order of
> importance, are:
>
> 1 - Alignment with Mozilla Manifesto -
> https://www.mozilla.org/en-US/about/manifesto/
>
> 2 - Compliance (Based on the compliance history of existing CA operators,
> and their responsiveness to issues)
> https://wiki.mozilla.org/CA/Incident_Dashboard
>
> 3 - Replacing Existing (Existing CA operators that are replacing an
> already-included root certificate)
> https://wiki.mozilla.org/CA/Certificate_Change_Process
>
> 4 - Responsiveness/Complete and Timely (Applicant provides clear,
> complete, concise and timely responses to questions, comments, or concerns
> about their root inclusion request)
>
> 5 - Single-Purpose, Separate Roots (Hierarchies that are separated by
> root for a particular purpose)
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CA_Hierarchy
>
> 6 - CA Hierarchy Control (CA hierarchies comprised solely of CAs fully
> controlled by the applicant)
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#53-intermediate-certificates
>
> 7 - Completeness (Applicant completes all information in CCADB)
> https://wiki.mozilla.org/CA/Information_Checklist#Create_a_Root_Inclusion_Case
>
> 8 - CPS Quality (Initially provided CP/CPS documents fully meet Mozilla’s
> Root Store Policy and the CAB Forum Baseline Requirements)
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Publicly_Available_CP_and_CPS
>
> 9 - Updating Trust Bits or EV-Enablement of Already-Included Root
> Certificate (Existing CAs that are only requesting EV enablement or
> adding a trust bit to an already-included root certificate)
> https://wiki.mozilla.org/CA/Certificate_Change_Process#Enable_EV
>
> 10 - Ready (Detailed CP/CPS Review is complete and CA is “Ready for
> Discussion”)
> https://wiki.mozilla.org/CA/Application_Verification#Detailed_Review
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Prioritization of Root CA Inclusion Requests

2021-03-24 Thread Ben Wilson via dev-security-policy
All,

I'd like to have you review the prioritization proposal below, which will
help us as we process CA inclusion requests. (
https://wiki.mozilla.org/CA/Application_Process)

Thanks,

Ben

---

Prioritization of CA Root Inclusion Requests will be based on the factors
described below and use the P1-P5 Priority categories available in the
Bugzilla system with our own priority categorization for the CA root
inclusion program.

   - *P1 = High* (Applicant has good compliance history and is replacing an
     already-included root)

   - *P2 = Medium High* (Applicant is well-prepared and responsive, with a
     good history of policy compliance)

   - *P3 = Medium* (Applicant’s request and responsiveness are “average”, but
     demonstrates compliance with policies)

   - *P4 = Medium Low* (Applicant’s responsiveness and compliance history are
     “average”)

   - *P5 = Low* (Applicant has much work to do, is slow to respond to
     requests, or has not demonstrated full compliance with policies)

Factors assessed in setting the above-referenced priorities, in order of
importance, are:

1 - Alignment with Mozilla Manifesto -
https://www.mozilla.org/en-US/about/manifesto/

2 - Compliance (Based on the compliance history of existing CA operators,
and their responsiveness to issues)
https://wiki.mozilla.org/CA/Incident_Dashboard

3 - Replacing Existing (Existing CA operators that are replacing an
already-included root certificate)
https://wiki.mozilla.org/CA/Certificate_Change_Process

4 - Responsiveness/Complete and Timely (Applicant provides clear,
complete, concise and timely responses to questions, comments, or concerns
about their root inclusion request)

5 - Single-Purpose, Separate Roots (Hierarchies that are separated by root
for a particular purpose)
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CA_Hierarchy

6 - CA Hierarchy Control (CA hierarchies comprised solely of CAs fully
controlled by the applicant)
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#53-intermediate-certificates

7 - Completeness (Applicant completes all information in CCADB)
https://wiki.mozilla.org/CA/Information_Checklist#Create_a_Root_Inclusion_Case

8 - CPS Quality (Initially provided CP/CPS documents fully meet Mozilla’s
Root Store Policy and the CAB Forum Baseline Requirements)
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Publicly_Available_CP_and_CPS

9 - Updating Trust Bits or EV-Enablement of Already-Included Root
Certificate (Existing CAs that are only requesting EV enablement or adding
a trust bit to an already-included root certificate)
https://wiki.mozilla.org/CA/Certificate_Change_Process#Enable_EV

10 - Ready (Detailed CP/CPS Review is complete and CA is “Ready for
Discussion”)
https://wiki.mozilla.org/CA/Application_Verification#Detailed_Review