Bugzilla ID: Bugzilla Summary:



Similar documents
Microsoft Trusted Root Certificate: Program Requirements

SSL BEST PRACTICES OVERVIEW

apple WWDR Certification Practice Statement Version 1.8 June 11, 2012 Apple Inc.

THE RSA ROOT SIGNING SERVICE Certification Practice Statement For RSA Certificate Authorities (CAs) Published By: RSA Security Inc.

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.14 Effective Date: September 9, 2015

NIST Test Personal Identity Verification (PIV) Cards

TeliaSonera Server Certificate Policy and Certification Practice Statement

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

CERTIFICATION PRACTICE STATEMENT UPDATE

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Certificate Policy for. SSL Client & S/MIME Certificates

ESnet SSL CA service Certificate Policy And Certification Practice Statement Version 1.0

CA-DAY Michael Kranawetter, Chief Security Advisor (Tom Albertson, Security Program Manager) Microsoft

TREND MICRO SSL CERTIFICATION PRACTICE STATEMENT. Version 2.0

WebTrust SM/TM for Certification Authorities WebTrust Principles and Criteria for Certification Authorities Extended Validation Code Signing

TR-GRID CERTIFICATION AUTHORITY

Swiss Government Root CA II. Document OID:

Certificates and network security

RECOMMENDATIONS for the PROCESSING of EXTENDED VALIDATION SSL CERTIFICATES January 2, 2014 Version 2.0

Test Plan for Department of Defense (DoD) Public Key Infrastructure (PKI) Interagency/Partner Interoperability. Version 1.0.3

Visa Public Key Infrastructure Certificate Policy (CP)

TR-GRID CERTIFICATION AUTHORITY

Independent Accountants Report

StartCom Certification Authority

State of PKI for SSL/TLS

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

NIST ITL July 2012 CA Compromise

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

fulfils all requirements defined in the technical specification The appendix to the certificate is part of the certificate and consists of 6 pages.

Federal PKI (FPKI) Community Transition to SHA-256 Frequently Asked Questions (FAQ)

X.509 Certificate Policy for the Australian Department of Defence Root Certificate Authority and Subordinate Certificate Authorities

Certificate Policy and Certification Practice Statement CNRS/CNRS-Projets/Datagrid-fr

ETSI TR V1.1.1 ( )

Managing CA-Signed Certificates

SSL CERTIFICATE POLICY AND CERTIFICATION PRACTICE STATEMENT

ALTERNATIVES TO CERTIFICATION AUTHORITIES FOR A SECURE WEB

Djigzo S/MIME setup guide

Certificate Policy and Certification Practice Statement

THE WALT DISNEY COMPANY PUBLIC KEY INFRASTRUCTURE CERTIFICATE POLICY. July 2011 Version 2.0. Copyright , The Walt Disney Company

Greek Universities Network (GUnet)

WEBTRUST FOR CERTIFICATION AUTHORITIES SSL BASELINE REQUIREMENTS AUDIT CRITERIA V.1.1 [Amended 1 ] CA/BROWSER FORUM

Independent Accountants Report

Part III-a. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

DEPARTMENT OF DEFENSE PUBLIC KEY INFRASTRUCTURE EXTERNAL CERTIFICATION AUTHORITY MASTER TEST PLAN VERSION 1.0

ASA 8.x Manually Install 3rd Party Vendor Certificates for use with WebVPN Configuration Example

TELSTRA RSS CA Subscriber Agreement (SA)

Asymmetric cryptosystems fundamental problem: authentication of public keys

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

PEXA Public Key Infrastructure (PKI) Certification Authority Certificate Policy

Configuring Digital Certificates

Comodo Certification Practice Statement

Based on: CA/Browser Forum. Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates Version 1.1.

Trustwave Holdings, Inc

thawte Certification Practice Statement

Websense Content Gateway HTTPS Configuration

Ciphermail S/MIME Setup Guide

Integrated SSL Scanning

Certification Practice Statement

TC TrustCenter GmbH. Certification Practice Statement

Public Key Infrastructure (PKI)

epki Root Certification Authority Certification Practice Statement Version 1.2

The IceWarp SSL Certificate Process

Configuration Guide for RFMS 3.0 Initial Configuration. WiNG 5 How-To Guide. Digital Certificates. July 2011 Revision 1.0

IceWarp SSL Certificate Process

CERTIFICATE POLICY (CP) (For SSL, EV SSL, OSC and similar electronic certificates)

ITL BULLETIN FOR JULY Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance

S/MIME on Good for Enterprise MS Online Certificate Status Protocol. Installation and Configuration Notes. Updated: October 08, 2014

Symantec Trust Network (STN) Certificate Policy

DigiCert Certification Practice Statement

Integrated SSL Scanning

Qatar Ministry of Interior - Public Key Infrastructure Certificate Policy

Operating a CSP in Switzerland or Playing in the champions league of IT Security

Fraunhofer Corporate PKI. Certification Practice Statement

DigiCert. Certificate Policy. DigiCert, Inc. Version 4.03 May 3, 2011

phicert Direct Certificate Policy and Certification Practices Statement

Purpose of PKI PUBLIC KEY INFRASTRUCTURE (PKI) Terminology in PKIs. Chain of Certificates

SwissSign Certificate Policy and Certification Practice Statement for Gold Certificates

ECC Certificate Addendum to the Comodo EV Certification Practice Statement v.1.03

WEBTRUST SM/TM FOR CERTIFICATION AUTHORITIES EXTENDED VALIDATION AUDIT CRITERIA Version 1.1 CA/BROWSER FORUM

Comodo Extended Validation (EV) Certification Practice Statement

OpenADR 2.0 Security. Jim Zuber, CTO QualityLogic, Inc.

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Trust Service Principles and Criteria for Certification Authorities

APPLICATION FOR DIGITAL CERTIFICATE

Overview of Extended Validation (EV) SSL

Danske Bank Group Certificate Policy

Starfield Technologies, LLC. Certificate Policy and Certification Practice Statement (CP/CPS)

thawte Certification Practice Statement Version 2.3

Transcription:

Bugzilla ID: Bugzilla Summary: CAs wishing to have their certificates included in Mozilla products must 1) Comply with the requirements of the Mozilla CA certificate policy (http://www.mozilla.org/projects/security/certs/policy/) 2) Supply all of the information listed in http://wiki.mozilla.org/ca:information_checklist. a. Review the Recommended Practices at https://wiki.mozilla.org/ca:recommended_practices b. Review the Potentially Problematic Practices at https://wiki.mozilla.org/ca:problematic_practices General information about the CA s associated organization CA Company Name Website URL Organizational type Primark Market / Customer Base Impact to Mozilla Users Inclusion in other major browsers CA Primary Point of Contact (POC) Indicate whether the CA is operated by a private or public corporation, government agency, international organization, academic institution or consortium, NGO, etc. Note that in some cases the CA may be of a hybrid type, e.g., a corporation established by the government. For government CAs, the type of government should be noted, e.g., national, regional/state/provincial, or municipal. Which types of customers does the CA serve? Are there particular vertical market segments in which it operates? Does the CA focus its activities on a particular country or other geographic region? If your CA will only issue certificates within your organization or for a small number of websites, then rather than including your root certificate in NSS, please consider having your CA hierarchy cross- signed with one of the already- included CA certificates (http://www.mozilla.org/projects/security/certs/included/). If your CA will be issuing certificates to the public or to a large number of websites, then please provide the following explanation. Why does this CA need to have their root certificate directly included in Mozilla s products, rather than being signed by another CA s root certificate that is already included in NSS? Describe the types of Mozilla users who are likely to encounter your root certificate as relying parties while web browsing (HTTPS servers doing SSL), sending/receiving email to their own MTA (SMTPS, IMAPS servers doing SSL), sending/receiving S/MIME email (S/MIME email certs), etc. Does this CA have root certificates included in any other major browsers? If yes, which? If no, why not? https://wiki.mozilla.org/ca:information_checklist#ca_primary_point_of_contact_.28poc.29 POC direct email: Email Alias: CA Phone Number: An official representative of the CA must submit and/or participate in the root inclusion request. According to Mozilla's CA Certificate Inclusion Policy: "To request that its certificate(s) be added to the default set a CA should submit a formal request by submitting a bug report into the mozilla.org Bugzilla system... The request must be made by an authorized representative of the subject CA..." If the CA contracts to another organization to help with the root inclusion request, the official representative of the CA must clarify that relationship in the bug, and must provide clear information about who the ongoing points- of- contact will be for the CA.

Technical information about each root certificate Certificate Name Friendly name to be used when displaying information about the root. Usually the CN. Certificate Issuer Field The Organization Name and CN in the Issuer must have sufficient information about the CA Organization. Certificate Summary A summary about this root certificate, it's purpose, and the types of certificates that are issued under it. Mozilla Applied Constraints Mozilla has the ability to apply Domain Name Constraints at the root level, such that Mozilla products would only recognize SSL certificates in the CA s hierarchy with domains in the listed constraints. Constraints may be at the country level such as *.us; and can include a list such as (*.gov.us, *.gov, *.mil). Please consider the types of SSL certificates that need to be issued within this CA hierarchy, and if applicable provide a list of names to constrain the CA hierarchy to. Root Cert URL SHA1 Fingerprint Valid From YYYY- MM- DD Valid To YYYY- MM- DD Certificate Version Certificate Signature Algorithm Signing key parameters RSA modulus length; e.g. 2048 or 4096 bits. Or ECC named curve, e.g. NIST Curve P- 256, P- 384, or P- 512. Test Website URL (SSL) Example Certificate (non- SSL) CRL URL URL OCSP URL (Required now for end- entity certs) NextUpdate for CRLs of end- entity certs, both actual value and what s documented in CP/CPS. OCSP URI in the AIA of end- entity certs Maximum expiration time of OCSP responses Testing results a) Browsing to test website with OCSP enforced in Firefox browser b) If requesting EV: https://wiki.mozilla.org/psm:ev_testing_easy_version Requested Trust Bits SSL Validation Type EV Policy OID(s) Non- sequential serial numbers and entropy in cert Regarding Mozilla s revocation checking plans: - OCSP is (and will continue to be) required for end- entity certs. OCSP stapling is preferred. - For revocation checking of intermediate certs we will be moving towards a CRL push mechanism, so Mozilla will not be requiring OCSP for intermediate certs. One or more of: Websites (SSL/TLS) Email (S/MIME) Code Signing e.g. DV, OV, and/or EV http://www.mozilla.org/projects/security/certs/policy/maintenancepolicy.html 9. We expect CAs to maintain current best practices to prevent algorithm attacks against certificates. As such, the following steps will be taken:

- all new end- entity certificates must contain at least 20 bits of unpredictable random data (preferably in the serial number). Response to Recent CA Communication(s) The purpose of adding entropy is to help defeat a prefix- chosen collision for non collision resistant hash functions. Using SHA256 without entropy isn't a problem in a near future. However, the Mozilla Policy doesn't say that; the entropy is mandatory for all new certificates, the used hash function isn't taken into consideration. This isn't a blocker for an inclusion request if SHA1 is forbidden in the CA hierarchy. However, the CP/CPS must clearly state that SHA1 isn t an acceptable hash algorithm for certificates in this hierarchy. https://wiki.mozilla.org/ca:communications CA Hierarchy information for each root certificate CA Hierarchy List, description, and/or diagram of all intermediate CAs signed by this root. Identify which subcas are internally- operated and which are externally operated. Externally Operated SubCAs If this root has subcas that are operated by external third parties, then provide the information listed here: https://wiki.mozilla.org/ca:subordinateca_checklist If the CA functions as a super CA such their CA policies and auditing don't apply to the subordinate CAs, then those CAs must apply for inclusion themselves as separate trust anchors. Cross- Signing List all other root certificates for which this root certificate has issued cross- signing certificates. List all other root certificates that have issued cross- signing certificates for this root certificate. If any such cross- signing relationships exist, it is important to note whether the cross- signing CAs' certificates are already included in the Mozilla root store or not. Technical Constraints on Describe the technical constraints that are in place for all third- parties (CAs and RAs) who can directly cause Third- party Issuers the issuance of certificates. See #4 of https://wiki.mozilla.org/ca:information_checklist#ca_hierarchy_information_for_each_root_certificate Verification Policies and Practices Policy Documentation Language(s) that the documents are in: CP: CPS: Relying Party Agreement: Audits Audit Type: Auditor: Auditor Website: URL to Audit Report and Management s Assertions: Baseline Requirements (SSL) URL to BR audit statement: Please carefully review: https://wiki.mozilla.org/ca:baselinerequirements (also have your auditor carefully review this wiki page)

The document(s) and section number(s) where the "Commitment to Comply" with the CA/Browser Forum Baseline Requirements may be found, as per BR #8.3. Audits performed after January 2013 need to include verification of compliance with the CA/Browser Forum Baseline Requirements if SSL certificates may be issued within the CA hierarchy, and the audit statement shall indicate the results. https://wiki.mozilla.org/ca:certificatepolicyv2.1#time_frames_for_included_cas_to_comply_with_the_new_policy Any Certificate Authority being considered for root inclusion after February 15, 2013 must comply with Version 2.1 or later of Mozilla's CA Certificate Policy. This includes having a Baseline Requirements audit performed if the websites trust bit is to be enabled. Note that the CA's first Baseline Requirements audit may be a Point in Time audit. SSL Verification Procedures Organization Verification Procedures Email Address Verification Procedures Code Signing Subscriber Verification Procedures Multi- factor Authentication Network Security If you are requesting to enable the Websites Trust Bit, then provide (In English and in publicly available documentation) all the information requested in #3 of If you are requesting to enable the Email Trust Bit, then provide (In English and in publicly available documentation) all the information requested in #4 of If you are requesting to enable the Code Signing Trust Bit, then provide (In English and in publicly available documentation) all the information requested in #5 of Confirm that multi- factor authentication is required for all accounts capable of directly causing certificate issuance. See # 6 of Confirm that you have performed the actions listed in #7 of Response to Mozilla's CA Recommended Practices (https://wiki.mozilla.org/ca:recommended_practices) Publicly Available CP and CPS CA Hierarchy Audit Criteria Document Handling of IDNs in CP/CPS Revocation of Compromised Certificates Verifying Domain Name Ownership Verifying Email Address Control Verifying Identity of Code Signing Certificate Subscriber DNS names go in SAN

Domain owned by a Natural Person OCSP Response to Mozilla's list of Potentially Problematic Practices (https://wiki.mozilla.org/ca:problematic_practices) Long- lived DV certificates Wildcard DV SSL certificates Email Address Prefixes for DV Certs If DV SSL certs, then list the acceptable email addresses that are used for verification. Delegation of Domain / Email validation to third parties Issuing end entity certificates directly from roots Allowing external entities to operate subordinate CAs Distributing generated private keys in PKCS#12 files Certificates referencing hostnames or private IP addresses Issuing SSL Certificates for Internal Domains OCSP Responses signed by a certificate under a different root SHA- 1 Certificates Generic names for CAs Lack of Communication With End Users Backdating the notbefore date

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information