Closed Bug 332517 Opened 19 years ago Closed 19 years ago

Officially Publish Certificate Authority Policy on Web Site

Categories

(www.mozilla.org :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: david, Assigned: nb)

User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.1) Gecko/20060130 SeaMonkey/1.0 Mnenhy/0.7.3.0
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.1) Gecko/20060130 SeaMonkey/1.0 Mnenhy/0.7.3.0

The "Mozilla CA Certificate Policy" at the cited URL needs to be moved to a mozilla.org or mozilla.com Web page. If this is indeed an official policy of the Mozilla Foundation or Mozilla Corporation, it should no longer be on someone's personal Web site. And the page should be easily found.

Reproducible: Always

Steps to Reproduce:
The issue is trust: trusting the CA root certificates installed in the Certificate Manager. Trust is created by making public how those certificates are approved for installation. For the same reason, a CA's certificate policy and certification practice statement are supposed to be available to the public if the CA is to be successful in passing a WebTrust audit.

-> www.m.o & Taking this bug

This affects adding certificates to NSS (which is used by Firefox, Thunderbird, etc.), so this belongs on www.m.o instead of www.m.c.

I can commit this if someone can suggest an appropriate place and the powers-that-be do not object. Hecker? Your opinions?
Component: www.mozilla.com → www.mozilla.org
Product: Websites → mozilla.org
QA Contact: www-mozilla-com → www-mozilla-org
Version: unspecified → other
Assignee: nobody → nb
Status: NEW → ASSIGNED
I agree that the policy should go on www.mozilla.org, not www.mozilla.com. Perhaps the most logical place would be in the /projects/security/pki/nss/ hierarchy, with a URL of

http://www.mozilla.org/projects/security/pki/nss/ca-certificate-policy.html

It could then be linked to from an appropriate section of http://www.mozilla.org/projects/security/pki/nss/index.html as well as from any page where we list official Mozilla project policies.

I'm on vacation right now and won't have time this week to check this in. I'm happy to have someone else check it in on my behalf. Note that I tried to write the HTML to match the style guidelines for mozilla.org documents, but I may have used outdated information.

Checking in policy.html;
/cvsroot/mozilla-org/html/projects/security/pki/nss/ca-certificates/policy.html v <-- policy.html
initial revision: 1.1
done

I made a ca-certificates directory because I intend to have several files in that directory for bug 333272 (List of CA certificates included in NSS).
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
I give up! Where is it? This bug report is listed as RESOLVED/FIXED, but I can't find the policy on the www.mozilla.org Web site. I tried a search on the site on the terms "certificate" and "policy", but none of the first 50 results were the policy in question. It's not really important where in the Web site the policy resides. However, it is important that any user who is somewhat experienced in Web security be able to find it even if that person knows nothing about the organization of Mozilla. Thus, a link to the policy should be visible on the site map at <http://www.mozilla.org/sitemap.html>.
I apologize for marking this as resolved so quickly. I forgot about the part of linking to it and sending out a mailing list email to notify that it is there now. It is located at http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html. I'll try to add some links to it tonight or tomorrow.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Nicholas: Thanks much for getting this published! In terms of links, here are some possible places to add links:

1. http://www.mozilla.org/projects/security/pki/nss/
I suggest adding a new bulleted list in the "Documentation" section, right after the last bulleted list ("PKCS #11 information for implementors of cryptographic modules"):

CA certificates pre-loaded into NSS:
* Mozilla CA certificate policy [link to the policy]
* List of pre-loaded CA certificates [link to the list, when available]

2. http://www.mozilla.org/security/ ("Security Center")
It might make sense to add a mention of the policy in the section "For Developers: Contacting Mozilla", as a list item right *before* the last list item ("We encourage you to learn more ..."):

* Mozilla-based products include a default list of CA certificates used when connecting to SSL-enabled servers and in other contexts. If you are a CA and would like your CA certificate(s) considered for inclusion in Mozilla, please see the Mozilla CA certificate policy.

The phrase "Mozilla CA certificate policy" would link to the policy, and the phrase "default list of CA certificates" would link to the official list (when it's ready). Note that the Security Center URL is at the bottom of every mozilla.org page, and is also linked to from the site map, so this should be pretty discoverable.

3. http://www.mozilla.org/sitemap.html
I'm not sure if it makes sense to directly link from this page or not. If we do link from this page, we could create a whole new "Policies" section, or just link from either the "Developers" section or the "About Mozilla" section.

Checking in mozilla-org/html/security/index.html;
/cvsroot/mozilla-org/html/security/index.html,v <-- index.html
new revision: 1.54; previous revision: 1.53
done
Checking in mozilla-org/html/projects/security/pki/nss/index.html;
/cvsroot/mozilla-org/html/projects/security/pki/nss/index.html,v <-- index.html
new revision: 1.66; previous revision: 1.65
done
Checking in mozilla-org/html/sitemap.html;
/cvsroot/mozilla-org/html/sitemap.html,v <-- sitemap.html
new revision: 1.16; previous revision: 1.15
done

These changes should be made within about 15 minutes when the website rebuilds from cvs.
Status: REOPENED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Product: mozilla.org → Websites
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org