Changes


CA/Maintenance and Enforcement

26 bytes added, 23:53, 14 November 2022
Changed Bugzilla Product from NSS to CA Program per Bugzilla Bug #1799573
#* [https://wiki.mozilla.org/CA/Communications CA Communications]
#* If a CA does not respond to Mozilla's communications within the timeframe specified in the communication or does not provide a copy of its annual audit statement within 15 months of the end of its previous annual audit period, then Mozilla may take action up to and including [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#73-removals removal of the root(s) from the program].
# When a potential certificate mis-issuance is noticed by anyone, they should report it by [https://bugzilla.mozilla.org/enter_bug.cgi?product=NSSCA%20Program&component=CA%20Certificate%20Mis-Issuance 20Compliance creating a bug in the CA Certificate Mis-issuance Compliance component]. More information on filing a security-sensitive bug can be found in [http://www.mozilla.org/projects/security/security-bugs-policy.html Mozilla's Security Policy.]
When a security threat or potential certificate mis-issuance arises with a CA in Mozilla's program we consider the impact and risk to the end-users to decide on the action to take. The following considerations are taken into account:
'''Problem:''' CA mis-issued a small number of SSL certificates that they can enumerate
* Immediate Minimum Response: Open a [https://bugzilla.mozilla.org/enter_bug.cgi?product=NSSCA%20Program&component=CA%20Certificate%20Mis-Issuance 20Compliance CA compliance] and request an [https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report incident report].
* Depending on the situation, also consider adding the certificates to [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL].
'''Problem:''' CA mis-issued a large number (e.g. hundreds) of end-entity certificates that they can enumerate
* Immediate Minimum Response: Open a [https://bugzilla.mozilla.org/enter_bug.cgi?product=NSSCA%20Program&component=CA%20Certificate%20Mis-Issuance 20Compliance CA compliance] and request an [https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report incident report].
* Depending on the situation, also consider adding the intermediate CA certificate(s) to [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL], distrusting the root certificate that the mis-issued certificates chain up to, or all of the root certificates owned by that CA.
'''Problem:''' CA failed to supply proper audit documentation, or audit report contains numerous and/or serious qualifications
* Immediate Minimum Response: File a [https://bugzilla.mozilla.org/enter_bug.cgi?product=NSSCA%20Program&component=CA%20Certificate%20Mis-Issuance 20Compliance CA compliance] bug, request that the CA respond with remediation plans, and request an [https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report incident report]
* Depending on the situation, also consider requiring the CA to undergo new period-of-time audits as soon as the problems have been resolved. If the same problems are included on the new audit reports, they must state the dates on which the problems were resolved.
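Review bot: The Bugzilla links in the changed lines render as `product=NSSCA%20Program` and `component=CA%20Certificate%20Mis-Issuance 20Compliance`, which is not a valid query string: the old product value `NSS` is run together with the new `CA%20Program`, and the component carries both the old name and a new one with a `%20` separator that has lost its percent sign. Please confirm that the saved wikitext contains only `product=CA%20Program` and a single, fully percent-encoded component name in each of the four links. Separately, the two "Immediate Minimum Response" lines that read "Open a [... CA compliance] and request an incident report" are missing the word "bug" after the link; the third response line ("File a [... CA compliance] bug") has it, so the first two should match.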