Closed Bug 528303 Opened 13 years ago Closed 11 years ago

Update Mozilla CA certificate policy to require annual audit

Categories

(NSS :: CA Certificate Root Program, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: hecker, Assigned: hecker)

Attachments

(1 file)

We propose to update the Mozilla CA certificate policy to require that CAs provide annual audit statements. This would make our policy consistent with that of other browser vendors.

We also propose to require that CAs notify us when they make changes in their verification procedures. This would alert us to cases where CAs get added under the assumption that they'll be issuing one class of certificate and then later the CA decides to offer a different class.

For the exact proposed changes see the attached patch. The current policy (version 1.2) is at

  http://www.mozilla.org/projects/security/certs/policy/

The proposed revised policy (which would be version 1.3) is at

  http://hecker.org/mozilla/ca-certificate-policy-1-3-draft

I'm now opening a public discussion period for this policy change. Please post your comments in the mozilla.dev.security.policy forum or the associated mailing list.

Also note that I'm willing to consider other suggested policy changes; however, those will be considered in separate bugs. Please confine your comments in the relevant forum thread and in this bug to this particular change.

Status: NEW → ASSIGNED

Add to the Mozilla CA Cert Policy. See sections 4, 5, and 6 of the Maintenance section.
http://www.mozilla.org/projects/security/certs/policy/MaintenancePolicy.html

Also see the Enforcement section.
http://www.mozilla.org/projects/security/certs/policy/EnforcementPolicy.html
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS