зеркало из https://github.com/mozilla/bedrock.git
Merge pull request #1482 from sgarrity/bug-818316-certs
Bug 818316 Migrate /projects/security/certs/ pages to bedrock
Коммит
4128680ab3
|
@ -11,20 +11,20 @@
|
|||
{% block article %}
|
||||
<h1 class="title-shadow-box">{{_('Governance')}} </h1>
|
||||
{% trans
|
||||
open_source_url="http://opensource.org/",
|
||||
meritocracy_url="http://en.wikipedia.org/wiki/Meritocracy" %}
|
||||
open_source_url="http://opensource.org/",
|
||||
meritocracy_url="http://en.wikipedia.org/wiki/Meritocracy" %}
|
||||
<p>Mozilla is an <a href="{{ open_source_url }}">open source</a> project governed as a <a href="{{ meritocracy_url }}">meritocracy</a>. Our community is structured as a virtual organization where authority is distributed to both volunteer and employed community members as they show their abilities through contributions to the project.</p>
|
||||
<p>Learn more about who is involved with governance and how our global community works together on our common mission.</p>
|
||||
{% endtrans %}
|
||||
{% trans roles_url=url('mozorg.about.governance.roles'),
|
||||
policies_url=url('mozorg.about.governance.policies'),
|
||||
organizations_url=url('mozorg.about.governance.organizations'),
|
||||
discussion_url='//groups.google.com/group/mozilla.governance/topics'%}
|
||||
policies_url=url('mozorg.about.governance.policies.policies'),
|
||||
organizations_url=url('mozorg.about.governance.organizations'),
|
||||
discussion_url='//groups.google.com/group/mozilla.governance/topics'%}
|
||||
<ol>
|
||||
<li><a href="{{ roles_url }}">Roles and Responsibilities</a></li>
|
||||
<li><a href="{{ policies_url }}">Policies</a></li>
|
||||
<li><a href="{{ organizations_url }}">Organizations</a></li>
|
||||
<li><a href="{{ discussion_url }}">Discussion forum</a></li>
|
||||
<li><a href="{{ roles_url }}">Roles and Responsibilities</a></li>
|
||||
<li><a href="{{ policies_url }}">Policies</a></li>
|
||||
<li><a href="{{ organizations_url }}">Organizations</a></li>
|
||||
<li><a href="{{ discussion_url }}">Discussion forum</a></li>
|
||||
</ol>
|
||||
{% endtrans %}
|
||||
|
||||
|
|
|
@ -1,77 +0,0 @@
|
|||
{# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/. -#}
|
||||
|
||||
{% extends "mozorg/about-base.html" %}
|
||||
|
||||
{% block page_title %}{{ _('Official Policies') }}{% endblock %}
|
||||
{% block body_id %}about-governance-policies{% endblock %}
|
||||
|
||||
{% block article %}
|
||||
|
||||
<h1 class="title-shadow-box">{{ _('Official Mozilla Policies') }}</h1>
|
||||
|
||||
<p>{{ _('This page provides links to various policies that are used to run the Mozilla community. This list is not necessarily comprehensive and other policies may be posted on other Mozilla sites.') }}</p>
|
||||
|
||||
<h2>{{ _('Governance') }}</h2>
|
||||
<ul>
|
||||
<li><a href="//www.mozilla.org/hacking/module-ownership.html">{{ _('Mozilla Modules and Module Ownership') }}</a></li>
|
||||
<li><a href="//wiki.mozilla.org/Modules">{{ _('Module Owners List') }}</a></li>
|
||||
<li><a href="{{ url('mozorg.about.governance.policies.participation') }}">{{ _('Mozilla Community Participation Guidelines') }}</a></li>
|
||||
</ul>
|
||||
|
||||
<p>{% trans roles_url = url('mozorg.about.governance.roles') %}
|
||||
For additional information on Mozilla’s governance structure, see the <a href="{{ roles_url }}">Roles and Responsibilities</a> page.
|
||||
{% endtrans %}</p>
|
||||
|
||||
<h2>{{_('Hacking')}}</h2>
|
||||
|
||||
<ul>
|
||||
<li><a href="//www.mozilla.org/hacking/committer/">{{ _('Commit Access Policy') }}</a></li>
|
||||
<li><a href="//www.mozilla.org/hacking/reviewers.html">{{ _('Super-Review Policy') }}</a></li>
|
||||
<li><a href="//www.mozilla.org/hacking/regression-policy.html">{{ _('Performance Regressions Policy') }}</a></li>
|
||||
</ul>
|
||||
|
||||
<h2>{{ _('Licensing') }}</h2>
|
||||
<ul>
|
||||
<li><a href="//www.mozilla.org/MPL/">{{ _('Source Code Licensing Terms') }}</a></li>
|
||||
<li><a href="//www.mozilla.org/MPL/license-policy.html">{{ _('Mozilla Foundation License Policy') }}</a></li>
|
||||
<li><a href="//www.mozilla.org/legal/eula/">{{ _('Mozilla Corporation End-User Licensing Agreement') }}</a></li>
|
||||
<li><a href="//www.mozilla.org/legal/eula/">{{ _('Mozilla Foundation End-User Licensing Agreement') }}</a></li>
|
||||
</ul>
|
||||
|
||||
<h2>{{ _('Privacy') }}</h2>
|
||||
<ul>
|
||||
<li><a href="/privacy-policy.html">{{ _('Mozilla Privacy Policy') }}</a></li>
|
||||
<li><a href="/legal/privacy/firefox.html">{{ _('Mozilla Firefox Privacy Policy') }}</a></li>
|
||||
<li><a href="//mozillalabs.com/weave/weave-privacy-policy/">{{ _('Weave Privacy Policy') }}</a></li>
|
||||
<li><a href="//testpilot.mozillalabs.com/privacy.html">{{ _('Test Pilot Privacy Policy') }}</a></li>
|
||||
</ul>
|
||||
|
||||
<h2>{{ _('Security') }}</h2>
|
||||
<ul>
|
||||
<li><a href="{{ url('mozorg.about.governance.policies.security.tld-idn') }}">{{ _('IDN-enabled TLDs') }}</a></li>
|
||||
<li><a href="/projects/security/certs/policy/">{{ _('Mozilla CA Certificate Policy') }}</a></li>
|
||||
<li><a href="{{ url('mozorg.about.governance.policies.security.group') }}">{{ _('Mozilla Security Group') }}</a></li>
|
||||
<li><a href="{{ url('mozorg.about.governance.policies.security.membership') }}">{{ _('Mozilla Security Group Membership Policy') }}</a></li>
|
||||
<li><a href="{{ url('mozorg.about.governance.policies.security.bugs') }}">{{ _('Security Bugs Policy') }}</a></li>
|
||||
</ul>
|
||||
<h2>{{ _('Trademarks') }}</h2>
|
||||
<ul>
|
||||
<li><a href="/foundation/trademarks/policy.html">{{ _('Mozilla Trademark Policy') }}</a></li>
|
||||
<li><a href="/foundation/trademarks/l10n-policy.html">{{ _('Mozilla Trademark Policy for Localization Projects') }}</a></li>
|
||||
<li><a href="/foundation/trademarks/l10n-website-policy.html">{{ _('Mozilla Trademark Policy for Web Sites Created by Localization Teams (draft)') }}</a></li>
|
||||
<li><a href="/foundation/trademarks/distribution-policy.html">{{ _('Mozilla Trademark Policy for Distribution Partners (draft)') }}</a></li>
|
||||
</ul>
|
||||
|
||||
<p>{% trans trademarks_url = "//www.mozilla.org/foundation/trademarks/" %}
|
||||
For guidelines, FAQs and other information about trademarks, see the <a href="{{ trademarks_url }}">Trademark Policy</a> page.
|
||||
{% endtrans %}</p>
|
||||
|
||||
<h2>{{ _('Website') }}</h2>
|
||||
<ul>
|
||||
<li><a href="/foundation/licensing/website-markup.html">{{ _('Website Markup Usage Policy') }}</a></li>
|
||||
<li><a href="/foundation/licensing/website-content.html">{{ _('Mozilla.org Site Licensing Policy') }}</a></li>
|
||||
</ul>
|
||||
|
||||
{% endblock %}
|
|
@ -9,66 +9,68 @@
|
|||
|
||||
|
||||
{% block article %}
|
||||
<h1 class="title-shadow-box">{{_('Official Mozilla Policies')}}</h1>
|
||||
<h1 class="title-shadow-box">{{ _('Official Mozilla Policies') }}</h1>
|
||||
|
||||
<p>{{_('This page provides links to various policies that are used to run the Mozilla community. This list is not necessarily comprehensive and other policies may be posted on other Mozilla sites.')
|
||||
}}</p>
|
||||
<p>{{ _('This page provides links to various policies that are used to run the Mozilla community. This list is not necessarily comprehensive and other policies may be posted on other Mozilla sites.') }}</p>
|
||||
|
||||
<h2>{{_('Governance')}}</h2>
|
||||
<h2>{{ _('Governance') }}</h2>
|
||||
|
||||
<ul>
|
||||
<li><a href="//www.mozilla.org/hacking/module-ownership.html">{{_('Mozilla Modules and Module Ownership')}}</a></li>
|
||||
<li><a href="//wiki.mozilla.org/Modules">{{_('Module Owners List')}}</a></li>
|
||||
<li><a href="{{ url('mozorg.about.policies.participation') }}">{{_('Mozilla Community Participation Guidelines')}}</a></li>
|
||||
<li><a href="//www.mozilla.org/hacking/module-ownership.html">{{ _('Mozilla Modules and Module Ownership') }}</a></li>
|
||||
<li><a href="//wiki.mozilla.org/Modules">{{ _('Module Owners List') }}</a></li>
|
||||
<li><a href="{{ url('mozorg.about.governance.policies.participation') }}">{{ _('Mozilla Community Participation Guidelines') }}</a></li>
|
||||
</ul>
|
||||
|
||||
<p>{{_('For additional information on Mozilla’s governance structure, see ')}}<a href="{{ url('mozorg.about.governance.roles') }}">{{_('the Roles and Responsibilities')}}</a> page.</p>
|
||||
<p>{{ _('For additional information on Mozilla’s governance structure, see <a href="%s">the Roles and Responsibilities</a> page.')|format(url('mozorg.about.governance.roles')) }}</p>
|
||||
|
||||
<h2>{{_('Hacking')}}</h2>
|
||||
<h2>{{ _('Hacking') }}</h2>
|
||||
|
||||
<ul>
|
||||
<li><a href="//www.mozilla.org/hacking/committer/">{{_('Commit Access Policy')}}</a></li>
|
||||
<li><a href="//www.mozilla.org/hacking/reviewers.html">{{_('Super-Review Policy')}}</a></li>
|
||||
<li><a href="//www.mozilla.org/hacking/regression-policy.html">{{_('Performance Regressions Policy')}}</a></li>
|
||||
<li><a href="//www.mozilla.org/hacking/committer/">{{ _('Commit Access Policy') }}</a></li>
|
||||
<li><a href="//www.mozilla.org/hacking/reviewers.html">{{ _('Super-Review Policy') }}</a></li>
|
||||
<li><a href="//www.mozilla.org/hacking/regression-policy.html">{{ _('Performance Regressions Policy') }}</a></li>
|
||||
</ul>
|
||||
|
||||
<h2>{{_('Licensing')}}</h2>
|
||||
<h2>{{ _('Licensing') }}</h2>
|
||||
|
||||
<ul>
|
||||
<li><a href="//www.mozilla.org/MPL/">{{_('Source Code Licensing Terms')}}</a></li>
|
||||
<li><a href="//www.mozilla.org/MPL/license-policy.html">{{_('Mozilla Foundation License Policy')}}</a></li>
|
||||
<li><a href="//www.mozilla.org/en-US/legal/eula/">{{_('Mozilla Corporation End-User Licensing Agreements')}}</a></li>
|
||||
<li><a href="//www.mozilla.org/en-US/legal/eula/">{{_('Mozilla Foundation End-User Licensing Agreements')}}</a></li>
|
||||
<li><a href="//www.mozilla.org/MPL/">{{ _('Source Code Licensing Terms') }}</a></li>
|
||||
<li><a href="//www.mozilla.org/MPL/license-policy.html">{{ _('Mozilla Foundation License Policy') }}</a></li>
|
||||
<li><a href="//www.mozilla.org/legal/eula/">{{ _('Mozilla Corporation End-User Licensing Agreement') }}</a></li>
|
||||
<li><a href="//www.mozilla.org/legal/eula/">{{ _('Mozilla Foundation End-User Licensing Agreement') }}</a></li>
|
||||
</ul>
|
||||
|
||||
<h2>{{_('Privacy')}}</h2>
|
||||
<h2>{{ _('Privacy') }}</h2>
|
||||
|
||||
<ul>
|
||||
<li><a href="{{ url('privacy.index') }}">{{_('Mozilla Privacy Policy')}}</a></li>
|
||||
<li><a href="{{ url('privacy.index') }}">{{_('Mozilla Firefox Privacy Policy')}}</a></li>
|
||||
<li><a href="{{ url('privacy.index') }}">{{ _('Mozilla Privacy Policy') }}</a></li>
|
||||
<li><a href="{{ url('privacy.index') }}">{{ _('Mozilla Firefox Privacy Policy') }}</a></li>
|
||||
</ul>
|
||||
|
||||
<h2>{{_('Security')}}</h2>
|
||||
<h2>{{ _('Security') }}</h2>
|
||||
|
||||
<ul>
|
||||
<li><a href="//www.mozilla.org/projects/security/security-bugs-policy.html">{{_('Security Bugs Policy')}}</a></li>
|
||||
<li><a href="//www.mozilla.org/projects/security/certs/policy/">{{_('Mozilla CA Certificate Policy')}}</a></li>
|
||||
<li><a href="{{ url('mozorg.about.governance.policies.security.tld-idn') }}">{{ _('IDN-enabled TLDs') }}</a></li>
|
||||
<li><a href="{{ url('mozorg.about.governance.policies.security.certs.policy') }}">{{ _('Mozilla CA Certificate Policy') }}</a></li>
|
||||
<li><a href="{{ url('mozorg.about.governance.policies.security.group') }}">{{ _('Mozilla Security Group') }}</a></li>
|
||||
<li><a href="{{ url('mozorg.about.governance.policies.security.membership') }}">{{ _('Mozilla Security Group Membership Policy') }}</a></li>
|
||||
<li><a href="{{ url('mozorg.about.governance.policies.security.bugs') }}">{{ _('Security Bugs Policy') }}</a></li>
|
||||
</ul>
|
||||
|
||||
<h2>{{_('Trademarks')}} </h2>
|
||||
<h2>{{ _('Trademarks') }} </h2>
|
||||
<ul>
|
||||
<li><a href="{{ url('foundation.trademarks.policy') }}">{{_('Mozilla Trademark Policy')}}</a></li>
|
||||
<li><a href="{{ url('foundation.trademarks.l10n-policy') }}">{{_('Mozilla Trademark Policy for Localization Projects')}}</a></li>
|
||||
<li><a href="{{ url('foundation.trademarks.l10n-website-policy') }}">{{_('Mozilla Trademark Policy for Web Sites Created by Localization Teams')}}</a>{{_(' (draft)')}}</li>
|
||||
<li><a href="{{ url('foundation.trademarks.distribution-policy') }}">{{_('Mozilla Trademark Policy for Distribution Partners')}}</a>{{_(' (draft)')}}</li>
|
||||
<li><a href="{{ url('foundation.trademarks.policy') }}">{{ _('Mozilla Trademark Policy') }}</a></li>
|
||||
<li><a href="{{ url('foundation.trademarks.l10n-policy') }}">{{ _('Mozilla Trademark Policy for Localization Projects') }}</a></li>
|
||||
<li><a href="{{ url('foundation.trademarks.l10n-website-policy') }}">{{ _('Mozilla Trademark Policy for Web Sites Created by Localization Teams') }}</a>{{ _(' (draft)') }}</li>
|
||||
<li><a href="{{ url('foundation.trademarks.distribution-policy') }}">{{ _('Mozilla Trademark Policy for Distribution Partners') }}</a>{{ _(' (draft)') }}</li>
|
||||
</ul>
|
||||
|
||||
<p>{{_('For guidelines, FAQs and other information about trademarks, see the ')}}<a href="{{ url('foundation.trademarks.policy') }}">{{_('Trademarks Policy</a> page.')}}</p>
|
||||
<p>{{ _('For guidelines, FAQs and other information about trademarks, see the <a href="%s">Trademarks Policy</a> page.')|format(url('foundation.trademarks.policy'))}}</p>
|
||||
|
||||
<h2>{{_('Website')}}</h2>
|
||||
<h2>{{ _('Website') }}</h2>
|
||||
|
||||
<ul>
|
||||
<li><a href="{{ url('foundation.licensing.website-markup') }}">{{_('Website Markup Usage Policy')}}</a></li>
|
||||
<li><a href="{{ url('foundation.licensing.website-content') }}">{{_('Mozilla.org Site Licensing Policies')}}</a></li>
|
||||
<li><a href="{{ url('foundation.licensing.website-markup') }}">{{ _('Website Markup Usage Policy') }}</a></li>
|
||||
<li><a href="{{ url('foundation.licensing.website-content') }}">{{ _('Mozilla.org Site Licensing Policies') }}</a></li>
|
||||
</ul>
|
||||
{%endblock%}
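Review bot: The two rewritten sentences, `see <a href="%s">the Roles and Responsibilities</a> page.` and `see the <a href="%s">Trademarks Policy</a> page.`, now carry the anchor tag inside the translatable string, so every locale's catalog entry supplies markup for this page and needs to be reviewed as HTML rather than as plain text. Whether `_()` output is rendered as markup or escaped depends on the gettext/autoescape configuration, which is not visible in this diff and is worth confirming for these two lines. A localizer note above each would help, for example `{# L10n: keep the <a href="%s"> tag and its attribute exactly as written; translate only the link text. #}`. The governance template earlier in this commit uses the `{% trans roles_url=url(...) %}` block form with a named `{{ roles_url }}` variable for the same kind of sentence; using that form here would be consistent and gives translators a named placeholder instead of a positional `%s`.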
|
||||
|
|
|
@ -0,0 +1,49 @@
|
|||
{# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/. -#}
|
||||
|
||||
{% extends "mozorg/about-base.html" %}
|
||||
|
||||
{% block page_title %}{{ _('Mozilla CA Certificate Enforcement Policy') }}{% endblock %}
|
||||
{% block body_class %}sand{% endblock %}
|
||||
|
||||
{% block extrahead %}
|
||||
{{ css('security-group') }}
|
||||
{% endblock %}
|
||||
|
||||
{% block article %}
|
||||
<h1>{{ _('Mozilla CA Certificate Enforcement Policy') }}</h1>
|
||||
<h3>{{ _('(Version 2.2)') }}</h3>
|
||||
|
||||
<p>{{ _('This section of the <a href="%s">Mozilla CA Certificate Policy</a> describes the steps that Mozilla may take in order to enforce this policy. This includes evaluation of security concerns, and removing or disabling a root certificate.')|format(url('mozorg.about.governance.policies.security.certs.policy')) }}</p>
|
||||
|
||||
<p>{{ _('This is the official Mozilla policy for enforcing the <a href="%s">Mozilla CA Certificate Policy:</a>')|format(url('mozorg.about.governance.policies.security.certs.policy')) }}</p>
|
||||
|
||||
<ol>
|
||||
<li>
|
||||
<p>{{ _('When a serious security concern is noticed, such as a major root compromise, it should be treated as a security-sensitive bug, and the <a href="%s">Mozilla Policy for Handling Security Bugs</a> should be followed.')|format(url('mozorg.about.governance.policies.security.bugs')) }}</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>{{ _('Mozilla may, at its sole discretion, disable (partially or fully) or remove a certificate at any time and for any reason. Mozilla will disable or remove a certificate if the CA demonstrates ongoing or egregious practices that do not maintain the level of service that was established in the <a href="%s">Inclusion Section of the Mozilla CA Certificate Policy</a> or that do not comply with the requirements of the <a href="%s">Maintenance Section of the Mozilla CA Certificate Policy.</a>')|format(url('mozorg.about.governance.policies.security.certs.inclusion'),url('mozorg.about.governance.policies.security.certs.maintenance')) }}</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>{{ _('Mozilla will take any steps we deem appropriate to protect our users if we learn that a CA has knowingly or intentionally mis-issued one or more certificates. This may include, but is not limited to disablement (partially or fully) or removal of all of the CA’s certificates from Mozilla’s products. A certificate that includes domain names that have not been verified according to the <a href="%s"> CA/Browser Forum’s Baseline Requirement #11.1.1 </a> is considered to be mis-issued. A certificate that is intended to be used only as an end entity certificate but includes a keyUsage extension with values keyCertSign and/or cRLSign or a basicConstraints extension with the cA field set to true is considered to be mis-issued.')|format('https://www.cabforum.org/documents.html') }}</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>{{ _('A certificate is disabled by turning off one or more of the three trust bits (Websites, Email, Code Signing).
|
||||
Disablement or removal of a certificate may be initiated by submitting a bug report to the mozilla.org Bugzilla system, as described in the <a href="%s">Root Change Process</a> or the <a href="%s">Mozilla Policy for Handling Security Bugs</a>.')|format('https://wiki.mozilla.org/CA:Root_Change_Process', url('mozorg.about.governance.policies.security.certs.policy')) }}</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>{{ _('If Mozilla disables or removes a CA’s certificate(s) from Mozilla’s products based on a CA’s actions (or failure to act) that are contrary to the <a href="%s">Mozilla CA Certificate Policy,</a> Mozilla shall publicize that fact in newsgroups on the news.mozilla.org server, on Web pages in the www.mozilla.org and www.mozilla.com domains, in news releases sent to organizations specializing in computer and Internet news, or as an alert to the US-CERT organization of the U.S. Department of Homeland Security.')|format(url('mozorg.about.governance.policies.security.certs.policy')) }}</p>
|
||||
</li>
|
||||
</ol>
|
||||
|
||||
<p>{{ _('This policy applies only to software products distributed by Mozilla, including the Mozilla Foundation and its subsidiaries. Other entities distributing such software are free to adopt their own policies. In particular, under the terms of the
|
||||
relevant Mozilla license(s) distributors of such software are permitted to add or delete CA certificates in the versions that they
|
||||
distribute, and are also permitted to modify the values of the "trust bits" on CA certificates in the default CA certificate set. As with other software modifications, by making such changes a distributor may affect its ability to use Mozilla trademarks in connection with its versions of the software; see the <a href="%s">Mozilla trademark policy</a> for more information.')|format(url('foundation.trademarks.policy')) }}</p>
|
||||
|
||||
<p>{{ _('Please contact Mozilla at <a href="mailto:certificates@mozilla.org">certificates@mozilla.org</a> for more information about this policy and answers to related questions.') }}</p>
|
||||
|
||||
<p>{{ _('We reserve the right to change this policy in the future. We will do so only after consulting with the public Mozilla community, in order to ensure that all views are taken into account.') }}</p>
|
||||
|
||||
{% endblock %}
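Review bot: In list item 4 the second placeholder, whose link text is "Mozilla Policy for Handling Security Bugs", is filled with `url('mozorg.about.governance.policies.security.certs.policy')`, so a reader following the disablement procedure is sent to the CA Certificate Policy page instead of the security-bug handling process. List item 1 links the same text with `url('mozorg.about.governance.policies.security.bugs')`. The second argument of the `|format(...)` call in item 4 should be that same route name: `|format('https://wiki.mozilla.org/CA:Root_Change_Process', url('mozorg.about.governance.policies.security.bugs'))`.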
|
|
@ -0,0 +1,25 @@
|
|||
{# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/. -#}
|
||||
|
||||
{% extends "mozorg/about-base.html" %}
|
||||
|
||||
{% block page_title %}{{ _('Mozilla Included CA Certificate List') }}{% endblock %}
|
||||
{% block body_class %}sand{% endblock %}
|
||||
|
||||
{% block extrahead %}
|
||||
{{ css('security-group') }}
|
||||
{% endblock %}
|
||||
|
||||
{% block article %}
|
||||
<h1 class="title-banner">{{ _('Mozilla Included CA Certificate List') }}</h1>
|
||||
<p>{{ _('This is a list of CA certificates that are distributed with Mozilla software products. You can view the <a href="%s">source file with all of the included root certificates</a>.')|format('http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt') }}</p>
|
||||
|
||||
<p>{{ _('If the spreadsheet does not display in the iframe below, then you may <a href="%s">access the spreadsheet directly</a>.')|format('https://docs.google.com/spreadsheet/pub?key=0Ah-tHXMAwqU3dGx0cGFObG9QM192NFM4UWNBMlBaekE&single=true&gid=1&output=html') }}</p>
|
||||
|
||||
<iframe height="700px" width="100%" src="https://docs.google.com/spreadsheet/pub?key=0Ah-tHXMAwqU3dGx0cGFObG9QM192NFM4UWNBMlBaekE&single=true&gid=1&output=html">
|
||||
<a href="https://docs.google.com/spreadsheet/pub?key=0Ah-tHXMAwqU3dGx0cGFObG9QM192NFM4UWNBMlBaekE&single=true&gid=1&output=html">{{ _('View spreadsheet') }}</a>
|
||||
</iframe>
|
||||
|
||||
|
||||
{% endblock %}
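Review bot: The `<iframe>` that displays the included-CA list loads a published Google spreadsheet with no `sandbox` and no `title` attribute, so the list is third-party content that is edited outside this repository's review and is framed without any restriction on what it may do. Adding `sandbox` with only the tokens the published sheet actually needs (presumably `allow-scripts allow-same-origin`, to be confirmed by testing) and a descriptive `title`, e.g. `title="Included CA certificates"`, would limit the frame and give it an accessible name. The `certdata.txt` link in the first paragraph uses plain `http://`; since that file is the authoritative source readers are pointed to, an `https://` URL should be used if the host serves one.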
|
|
@ -0,0 +1,146 @@
|
|||
{# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/. -#}
|
||||
|
||||
{% extends "mozorg/about-base.html" %}
|
||||
|
||||
{% block page_title %}{{ _('Mozilla CA Certificate Inclusion Policy') }}{% endblock %}
|
||||
{% block body_class %}sand{% endblock %}
|
||||
|
||||
{% block extrahead %}
|
||||
{{ css('security-group') }}
|
||||
{% endblock %}
|
||||
|
||||
{% block article %}
|
||||
|
||||
<h1>{{ _('Mozilla CA Certificate Maintenance Policy') }}</h1>
|
||||
<h3>{{ _('(Version 2.2)') }}</h3>
|
||||
|
||||
<p>{{ _('This section of the <a href="%s">Mozilla CA Certificate Policy</a> describes the obligations of Certification Authorities applying for inclusion of their root certificates in Mozilla Products. This includes considerations that are taken into account such as the CA’s publicly available documentation about their policies, and audits of the CA’s operations in support of the documented policies.')|format(url('mozorg.about.governance.policies.security.certs.policy')) }}</p>
|
||||
<p>{{ _('This is the official Mozilla policy for Certification Authorities applying for inclusion of their CA Certificates to be distributed in Mozilla products:') }}</p>
|
||||
<ol>
|
||||
<li>{{ _('We will determine which CA certificates are included in software products distributed by Mozilla, based on the benefits and risks of such inclusion to typical users of those products.') }}</li>
|
||||
<li>{{ _('We will make such decisions through a public process, based on objective and verifiable criteria as described below.') }}</li>
|
||||
<li>{{ _('We will not charge any fees to have a CA’s certificate(s) distributed with our software products.') }}</li>
|
||||
<li>{{ _('We reserve the right to not include a particular CA certificate in our software products. This includes (but is not limited to) cases where we believe that including a CA certificate (or setting its "trust bits" in a particular way) would cause undue risks to users’ security, for example, with CAs that') }}
|
||||
<ul>
|
||||
<li>{{ _('knowingly issue certificates without the knowledge of the entities whose information is referenced in the certificates; <em>or</em>') }}</li>
|
||||
<li>{{ _('knowingly issue certificates that appear to be intended for fraudulent use.') }}</li>
|
||||
</ul>
|
||||
{{ _('This also includes (but again is not limited to) cases where we believe that including a CA certificate (or setting its "trust bits" in a particular way) might cause technical problems with the operation of our software, for example, with CAs that issue certificates that have') }}
|
||||
<ul>
|
||||
<li>{{ _('ASN.1 DER encoding errors;') }}</li>
|
||||
<li>{{ _('invalid public keys (e.g., RSA certificates with public exponent equal to 1);') }}</li>
|
||||
<li>{{ _('duplicate issuer names and serial numbers;') }}</li>
|
||||
<li>{{ _('incorrect extensions (e.g., SSL certificates that exclude SSL usage, or authority key IDs that include both the key ID and the issuer’s issuer name and serial number); <em>or</em>') }}</li>
|
||||
<li>{{ _('cRLDistributionPoints or OCSP authorityInfoAccess extensions for which no operational CRL or OCSP service exists.') }}</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>{{ _('We will consider adding certificates for additional CAs to the default certificate set upon request only by an authorized representative of the subject CA.') }}</li>
|
||||
<li>{{ _('We require that all CAs whose certificates are distributed with our software products:') }}
|
||||
<ul>
|
||||
<li>{{ _('provide some service relevant to typical users of our software products;') }}</li>
|
||||
<li>{{ _('publicly disclose information about their policies and business practices (e.g., in a Certificate Policy and Certification Practice Statement);') }}</li>
|
||||
<li>{{ _('enforce multi-factor authentication for all accounts capable of directly causing certificate issuance or implement technical controls operated by the CA to restrict certificate issuance through the account to a limited set of pre-approved domains or email addresses;') }}</li>
|
||||
<li>{{ _('maintain a certificate hierarchy such that the included certificate does not directly issue end-entity certificates to customers (e.g., the included certificate signs intermediate issuing certificates), as described in <cite><a href="%s">CA/Browser Forum Baseline Requirement #12;</a></cite>')|format('http://www.cabforum.org/documents.html') }}</li>
|
||||
<li>{{ _('prior to issuing certificates, verify certificate signing requests in a manner that we deem acceptable for the stated purpose(s) of the certificates;') }}</li>
|
||||
<li>{{ _('verify that all of the information that is included in SSL certificates remains current and correct at time intervals of thirty-nine months or less;') }}</li>
|
||||
<li>{{ _('otherwise operate in accordance with published criteria that we deem acceptable; <em>and</em>') }}</li>
|
||||
<li>{{ _('provide public attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties with access to details of the CA’s internal operations.') }}</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>{{ _('We consider verification of certificate signing requests to be acceptable if it meets or exceeds the following requirements:') }}
|
||||
<ul>
|
||||
<li>{{ _('all information that is supplied by the certificate subscriber must be verified by using an independent source of information or an alternative communication channel before it is included in the certificate;') }}</li>
|
||||
<li>{{ _('for a certificate to be used for digitally signing or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate <em>or</em> has been authorized by the email account holder to act on the account holder’s behalf;') }}</li>
|
||||
<li>{{ _('for a certificate to be used for SSL-enabled servers, the CA takes reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate <em>or</em> has been authorized by the domain registrant to act on the registrant’s behalf;') }}</li>
|
||||
<li>{{ _('for certificates to be used for digitally signing code objects, the CA takes reasonable measures to verify that the entity submitting the certificate signing request is the same entity referenced in the certificate <em>or</em> has been authorized by the entity referenced in the certificate to act on that entity’s behalf;') }}</li>
|
||||
<li>{{ _('for certificates to be used for and marked as Extended Validation, the CA complies with <cite><a href="%s">Guidelines for the Issuance and Management of Extended Validation Certificates</a></cite> version 1.4 or later.')|format('http://www.cabforum.org/documents.html') }}</li>
|
||||
</ul>We reserve the right to use other requirements in the future.') }}
|
||||
</li>
|
||||
<li>{{ _('All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to a certificate included in Mozilla’s CA Certificate Program, MUST be operated in accordance with <a href="%s">Mozilla’s CA Certificate Policy</a> and MUST either be <b>technically constrained</b> or be <b>publicly disclosed and audited.</b>')|format(url('mozorg.about.governance.policies.security.certs.policy')) }}
|
||||
<ul>
|
||||
<li>{{ _('A certificate is deemed as capable of being used to issue new certificates if it contains an <a href="%s">X.509v3 basicConstraints extension,</a> with the cA boolean set to true. The term "subordinate CA" below refers to any organization or legal entity that is in possession or control of a certificate that is capable of being used to issue new certificates.')|format('http://tools.ietf.org/html/rfc5280#section-6.1.4') }}</li>
|
||||
<li>{{ _('These requirements include all cross-certified certificates which chain to a certificate that is included in Mozilla’s CA Certificate Program.') }}</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>{{ _('We encourage CAs to technically constrain all subordinate CA certificates. For a certificate to be considered <b>technically constrained,</b> the certificate MUST include an <a href="%s">Extended Key Usage (EKU)</a> extension specifying all extended key usages that the subordinate CA is authorized to issue certificates for. The anyExtendedKeyUsage KeyPurposeId MUST NOT appear within this extension.')|format('http://tools.ietf.org/html/rfc5280#section-4.2.1.12') }}'
|
||||
<ul>
|
||||
<li>{{ _('If the certificate includes the id-kp-serverAuth extended key usage, then the certificate MUST include the <a href="%s">Name Constraints X.509v3</a> extension with constraints on both dNSName and iPAddress. For each dNSName in permittedSubtrees, the issuing CA MUST confirm that the subordinate CA has registered the dNSName or has been authorized by the domain registrant to act on the registrant’s behalf. Each dNSName in permittedSubtrees must be a registered domain (with zero or more subdomains) according to the <a href="%s">Public Suffix List algorithm.</a>')|format('http://tools.ietf.org/html/rfc5280#section-4.2.1.10','http://publicsuffix.org/list/') }}
|
||||
<ul>
|
||||
<li>{{ _('For each iPAddress range in permittedSubtrees, the issuing CA MUST confirm that the subordinate CA has been assigned the iPAddress range or has been authorized by the assigner to act on the assignee’s behalf.') }}</li>
|
||||
<li>{{ _('If the subordinate CA is not allowed to issue certificates with an iPAddress, then the subordinate CA certificate MUST specify the entire <a href="%s">IPv4</a> and <a href="%s">IPv6</a> address ranges in excludedSubtrees. The subordinate CA certificate MUST include within excludedSubtrees an iPAddress GeneralName of 8 zero octets (covering the IPv4 address range of 0.0.0.0/0). The subordinate CA certificate MUST also include within excludedSubtrees an iPAddress GeneralName of 32 zero octets (covering the IPv6 address range of ::0/0).')|format('http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml','http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml') }}</li>
|
||||
<li>{{ _('If the subordinate CA is not allowed to issue certificates with dNSNames, then the subordinate CA certificate MUST include a zero-length dNSName in excludedSubtrees.') }}</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>{{ _('If the certificate includes the id-kp-emailProtection extended key usage, then all end-entity certificates MUST only include e-mail addresses or mailboxes that the issuing CA has confirmed (via technical and/or business controls) that the subordinate CA is authorized to use.') }}</li>
|
||||
<li>{{ _('If the certificate includes the id-kp-codeSigning extended key usage, then the certificate MUST contain a directoryName permittedSubtrees constraint where each permittedSubtree contains the organizationName, localityName (where relevant), stateOrProvinceName (where relevant) and countryName fields of an address that the issuing CA has confirmed belongs to the subordinate CA.') }}</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>{{ _('We recognize that technically constraining subordinate CA certificates as described above may not be practical in some cases. All certificates that are capable of being used to issue new certificates, that are not technically constrained, and that directly or transitively chain to a certificate included in Mozilla’s CA Certificate Program MUST be audited in accordance with <a href="%s">Mozilla’s CA Certificate Policy</a> and MUST be publicly disclosed by the CA that has their certificate included in Mozilla’s CA Certificate Program. The CA with a certificate included in Mozilla’s CA Certificate Program MUST disclose this information before any such subordinate CA is allowed to issue certificates. All disclosure MUST be made freely available and without additional requirements, including, but not limited to, registration, legal agreements, or restrictions on redistribution of the certificates in whole or in part. The Certificate Policy or Certification Practice Statement of the CA that has their certificate included in Mozilla’s CA Certificate Program must specify where on that CA’s website all such public disclosures are located. For a certificate to be considered <b>publicly disclosed and audited,</b> the following information MUST be provided:')|format(url('mozorg.about.governance.policies.security.certs.policy')) }}
|
||||
<ul>
|
||||
<li>{{ _('The full DER-encoded X.509 certificate (Each issuing CA should provide one .p7c, .zip, or .tgz file containing all of the non-technically-constrained intermediate certificates that it has signed.);') }}</li>
|
||||
<li>{{ _('The corresponding Certificate Policy or Certification Practice Statement used by the subordinate CA; <i>and</i>') }}</li>
|
||||
<li>{{ _('Annual public attestation of conformance to the stated certificate verification requirements and other operational criteria by a competent independent party or parties with access to the details of the subordinate CA’s internal operations.') }}</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>{{ _('We consider the criteria for CA operations published in any of the following documents to be acceptable:') }}
|
||||
<ul>
|
||||
<li>{{ _('Clause 7, "Requirements on CA practice", in ETSI TS 101 456 V1.4.3 or later version, <cite><a href="%s">Policy requirements for certification authorities issuing qualified certificates</a></cite> (only applicable to electronic signature certificate issuance; applicable to either the "QCP public" or "QCP public + SSCD" certificate policies);')|format('http://pda.etsi.org/pda/home.asp?wki_id=vXY0eat9Qxoquqxsw%27A2D') }}</li>
|
||||
<li>{{ _('Clause 7, "Requirements on CA practice", in ETSI TS 102 042 V2.3.1 or later version, <cite><a href="%s">Policy requirements for certification authorities issuing public key certificates</a></cite> (as applicable to the "EVCP" and "EVCP+" certificate policies, DVCP and OVCP certificate policies for publicly trusted certificates - baseline requirements, and any of the "NCP", "NCP+", or "LCP" certificate policies);')|format('http://pda.etsi.org/pda/home.asp?wki_id=LJfRMZJQbbbekfdgITkht') }}</li>
|
||||
<li>{{ _('<cite><a href="%s">ISO 21188:2006</a></cite> Public key infrastructure for financial services -- Practices and policy framework;')|format('http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=35707') }}</li>
|
||||
<li>{{ _('WebTrust <cite><a href="%s">"Principles and Criteria for Certification Authorities 2.0" or later</a></cite> and <cite><a href="%s">"SSL Baseline Requirements Audit Criteria V1.1"</a></cite> (as applicable to SSL certificate issuance) in <cite><a href="%s">WebTrust Program for Certification Authorities;</a></cite>')|format('http://www.webtrust.org/homepage-documents/item54279.pdf','http://www.webtrust.org/homepage-documents/item72056.pdf','http://www.webtrust.org/homepage-documents/item27839.aspx') }}</li>
|
||||
<li>{{ _('WebTrust <cite><a href="%s">"Principles and Criteria for Certification Authorities - Extended Validation Audit Criteria 1.4" or later</a></cite> in <cite><a href="%s">WebTrust Program for Certification Authorities</a></cite>.')|format('http://www.webtrust.org/homepage-documents/item72055.pdf','http://www.webtrust.org/homepage-documents/item27839.aspx') }}</li>
|
||||
</ul>We reserve the right to accept other criteria in the future.') }}
|
||||
</li>
|
||||
<li>{{ _('CA operations and issuance of certificates to be used for SSL-enabled servers must also conform to version 1.1.5 of the <cite><a href="%s">CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.</a></cite> In the event of inconsistency between <a href="%s">Mozilla’s CA Certificate Policy</a> requirements and the Baseline Requirements, <a href="%s">Mozilla’s CA Certificate Policy</a> takes precedence. The items listed below will be accepted as reason for not following the Baseline Requirements. If you find an inconsistency that is not listed here, notify Mozilla by sending email to certificates@mozilla.org so the item can be considered.')|format('http://www.cabforum.org/documents.html',url('mozorg.about.governance.policies.security.certs.policy'),url('mozorg.about.governance.policies.security.certs.policy')) }}
|
||||
<ul>
|
||||
<li>{{ _('Mozilla’s CA Certificate Policy defining a competent and independent auditor is a superset of Baseline Requirement #17.6, Auditor Qualifications, and takes precedence over it.') }}</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>{{ _('By "competent party" we mean a person or other entity who is authorized to perform audits according to the stated criteria (e.g., by the organization responsible for the criteria or by a relevant government agency) <em>or</em> for whom there is sufficient public information available to determine that the party is competent to judge the CA’s conformance to the stated criteria. In the latter case the "public information" referred to should include information regarding the party’s') }}
|
||||
<ul>
|
||||
<li>{{ _('knowledge of CA-related technical issues such as public key cryptography and related standards;') }}</li>
|
||||
<li>{{ _('experience in performing security-related audits, evaluations, or risk analyses; <em>and</em>') }}</li>
|
||||
<li>{{ _('honesty and objectivity.') }}</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>{{ _('By "independent party" we mean a person or other entity who is not affiliated with the CA as an employee or director <em>and</em> for whom at least one of the following statements is true:') }}
|
||||
<ul>
|
||||
<li>{{ _('the party is not financially compensated by the CA;') }}</li>
|
||||
<li>{{ _('the nature and amount of the party’s financial compensation by the CA is publicly disclosed; <em>or</em>') }}</li>
|
||||
<li>{{ _('the party is bound by law, government regulation, and/or a professional code of ethics to render an honest and objective judgement regarding the CA.') }}</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>{{ _('We reserve the right to designate our own representative(s) to act as the competent independent party or parties described above, should that prove to be necessary and appropriate.') }}</li>
|
||||
<li>{{ _('The burden is on the CA to prove that it has met the above requirements. However the CA may request a preliminary determination from us regarding the acceptability of the criteria and/or the competent independent party or parties by which it proposes to meet the requirements of this policy.') }}</li>
|
||||
<li>{{ _('We rely on publicly disclosed documentation (e.g., in a Certificate Policy and Certification Practice Statement) and publicly disclosed audit statements to ascertain that the above requirements are met. Therefore, inclusion requests will only be considered if the following are true:') }}
|
||||
<ul>
|
||||
<li>{{ _('the publicly disclosed documentation provides sufficient information for Mozilla to determine whether and how the CA complies with this policy, including a description of the steps taken by the CA to verify certificate signing requests;') }}</li>
|
||||
<li>{{ _('the documentation is available from the CA’s official website; and') }}</li>
|
||||
<li>{{ _('the public attestation of the CA’s conformance to the stated verification requirements by a competent independent party indicates which policy documents were included in the review.') }}</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>{{ _('To request that its certificate(s) be added to the default set a CA should submit a formal request by submitting a <a href="%s">bug report</a> into the mozilla.org Bugzilla system, filed against the "CA Certificates" component of the "mozilla.org" product. Mozilla’s wiki page, <cite><a href="%s">Applying for root inclusion in Mozilla products,</a></cite> provides further details about how to submit a formal request. The request must be made by an authorized representative of the subject CA, and should include the following:')|format('https://bugzilla.mozilla.org/enter_bug.cgi?product=mozilla.org&component=CA%20Certificates','https://wiki.mozilla.org/CA:How_to_apply') }}
|
||||
<ul>
|
||||
<li>{{ _('the certificate data (or links to the data) for the CA certificate(s) requested for inclusion;') }}</li>
|
||||
<li>{{ _('for each CA certificate requested for inclusion, whether or not the CA issues certificates for each of the following purposes within the CA hierarchy associated with the CA certificate:') }}
|
||||
<ul>
|
||||
<li>{{ _('SSL-enabled servers,') }}</li>
|
||||
<li>{{ _('digitally-signed and/or encrypted email, <em>or</em>') }}</li>
|
||||
<li>{{ _('digitally-signed executable code objects;') }}</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>{{ _('for each CA certificate requested for inclusion, whether the CA issues Extended Validation certificates within the CA hierarchy associated with the CA certificate <em>and</em>, if so, the EV policy OID associated with the CA certificate;') }}</li>
|
||||
<li>{{ _('a Certificate Policy and Certification Practice Statement (or links to a CP and CPS) <em>or</em> equivalent disclosure document(s) for the CA or CAs in question; <em>and</em>') }}</li>
|
||||
<li>{{ _('information as to how the CA has fulfilled the requirements stated above regarding its verification of certificate signing requests and its conformance to a set of acceptable operational criteria.') }}</li>
|
||||
</ul>
|
||||
{{ _('We will reject requests where the CA does not provide such information within a reasonable period of time after submitting its request.') }}
|
||||
</li>
|
||||
<li>{{ _('We have appointed a <a href="%s">CA certificate "module owner"</a> and (optionally) one or more "peers" to evaluate CA requests on our behalf and make decisions regarding all matters relating to CA certificates included in our products. CAs or others objecting to a particular decision may appeal to the <a href="%s">Mozilla governance module owner or peer(s)</a>, who will make a final decision.')|format('https://wiki.mozilla.org/Modules/Activities#Mozilla_CA_Certificate_Policy','https://wiki.mozilla.org/Modules/Activities#Governance') }}</li>
|
||||
</ol>
|
||||
<p>{{ _('This policy applies only to software products distributed by Mozilla, including the Mozilla Foundation and its subsidiaries. Other entities distributing such software are free to adopt their own policies. In particular, under the terms of the relevant Mozilla license(s) distributors of such software are permitted to add or delete CA certificates in the versions that they distribute, and are also permitted to modify the values of the "trust bits" on CA certificates in the default CA certificate set. As with other software modifications, by making such changes a distributor may affect its ability to use Mozilla trademarks in connection with its versions of the software; see the <a href="%s">Mozilla trademark policy</a> for more information.')|format(url('foundation.trademarks.policy')) }}</p>
|
||||
<p>{{ _('Please contact Mozilla at <a href="mailto:certificates@mozilla.org">certificates@mozilla.org</a> for more information about this policy and answers to related questions.') }}</p>
|
||||
<p>{{ _('We reserve the right to change this policy in the future. We will do so only after consulting with the public Mozilla community, in order to ensure that all views are taken into account.') }}</p>
|
||||
|
||||
{%endblock%}
|
|
@ -0,0 +1,29 @@
|
|||
{# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/. -#}
|
||||
|
||||
{% extends "mozorg/about-base.html" %}
|
||||
|
||||
{% block page_title %}{{ _('Mozilla CA Certificate Store') }}{% endblock %}
|
||||
{% block body_class %}sand{% endblock %}
|
||||
|
||||
{% block extrahead %}
|
||||
{{ css('security-group') }}
|
||||
{% endblock %}
|
||||
|
||||
{% block article %}
|
||||
<h1 class="title-banner">{{ _('Mozilla CA Certificate Store') }}</h1>
|
||||
|
||||
<p>{{ _('Mozillaʼs CA Certificate Program governs inclusion of root certificates in <a href="%s">Network Security Services (NSS)</a>, a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is used in Mozilla products such as the Firefox browser, and is also used by other companies in a variety of products.')|format('https://developer.mozilla.org/en-US/docs/NSS') }}</p>
|
||||
|
||||
<p>{{ _('This page links to information about the X.509 v3 root certificate store which is part of <a href="%s">NSS</a>, and therefore part of Mozilla projects that use X.509 certificates.')|format('https://developer.mozilla.org/en-US/docs/NSS') }}</p>
|
||||
|
||||
<ul>
|
||||
<li><a href="{{ url('mozorg.about.governance.policies.security.certs.policy') }}">{{ _('Mozilla CA Certificate Policy') }}</a>
|
||||
<li><a href="https://wiki.mozilla.org/CA:Overview">{{ _('Mozilla CA Certificate Program Overview') }}</a>
|
||||
<li><a href="{{ url('mozorg.about.governance.policies.security.certs.pending') }}">{{ _('List of pending inclusion requests') }}</a> {{ _('— Certification Authorities (CAs) who have applied for inclusion of their certificates into Mozillaʼs CA Certificate Program, and whose applications are pending.') }}</li>
|
||||
<li><a href="{{ url('mozorg.about.governance.policies.security.certs.included') }}">{{ _('List of included root certificates') }}</a> {{ _('— CA certificates that are incuded in the NSS root certificate store, and distributed with Mozilla software products.') }} </li>
|
||||
<li><a href="http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt">{{ _('Source file with all of the included root certificates') }}</a>
|
||||
</ul>
|
||||
|
||||
{% endblock %}
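Review bot: The last list item links the root-certificate source file (`certdata.txt`) over plain `http://mxr.mozilla.org/…`, while the other external links in this template's body use `https://`. A page that points readers at the trust-anchor list should not send them to a copy that can be altered in transit, so the link should use `https://` if the host serves it (not verifiable from this page). The string in the "List of included root certificates" item reads "incuded" and will reach translators that way; it should be "included" before the string is extracted. Three of the five `<li>` elements have no closing `</li>`, which parses but is inconsistent with the other two.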
|
|
@ -0,0 +1,95 @@
|
|||
{# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/. -#}
|
||||
|
||||
{% extends "mozorg/about-base.html" %}
|
||||
|
||||
{% block page_title %}{{ _('Mozilla CA Certificate Maintenance Policy') }}{% endblock %}
|
||||
{% block body_class %}sand{% endblock %}
|
||||
|
||||
{% block extrahead %}
|
||||
{{ css('security-group') }}
|
||||
{% endblock %}
|
||||
|
||||
{% block article %}
|
||||
|
||||
<h1>{{ _('Mozilla CA Certificate Maintenance Policy') }}</h1>
|
||||
<h3>{{ _('(Version 2.2)') }}</h1>
|
||||
|
||||
<p>{{ _('This section of the <a href="%s"> Mozilla CA Certificate Policy</a> describes the obligations of Certification Authorities for maintaining confidence in their root certificates that are included in Mozilla Products. This includes regular auditing of the CA’s policies and practices; conforming to current CA industry standards and recommended best practices; and making changes to included root certificates.')|format(url('mozorg.about.governance.policies.security.certs.policy')) }}</p>
|
||||
|
||||
<p>{{ _('This is the official Mozilla policy for Certification Authorities to maintain their CA Certificates that are distributed in Mozilla products:') }}</p>
|
||||
|
||||
<ol>
|
||||
<li>{{ _('CAs are expected to maintain the level of service that was established in the <a href="%s"> Inclusion Section of the Mozilla CA Certificate Policy</a>')|format(url('mozorg.about.governance.policies.security.certs.inclusion')) }}</li>
|
||||
<li>{{ _('CAs must revoke Certificates that they have issued upon the occurrence of any of the following events:') }}
|
||||
<ul>
|
||||
<li>{{ _('the subscriber indicates that the original certificate request was not authorized and does not retroactively grant authorization;') }}</li>
|
||||
<li>{{ _('the CA obtains reasonable evidence that the subscriber’s private key (corresponding to the public key in the certificate) has been compromised or is suspected of compromise (e.g. Debian weak keys), or that the certificate has otherwise been misused;') }}</li>
|
||||
<li>{{ _('the CA receives notice or otherwise becomes aware that a subscriber has violated one or more of its material obligations under the subscriber agreement;') }}</li>
|
||||
<li>{{ _('the CA receives notice or otherwise becomes aware of any circumstance indicating that use of the domain name in the certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a subscriber’s right to use the domain name listed in the certificate, a relevant licensing or services agreement with the registrant has terminated, or the registrant of the domain name has failed to renew it);') }}</li>
|
||||
<li>{{ _('the CA receives notice or otherwise becomes aware of a material change in the information contained in the certificate;') }}</li>
|
||||
<li>{{ _('a determination, in the CA’s sole discretion, that the certificate was not issued in accordance with the CA’s Certificate Policy or Certification Practice Statement;') }}</li>
|
||||
<li>{{ _('the CA determines that any of the information appearing in the certificate is not accurate, with the exception of the organizationalUnitName field, if present.') }}</li>
|
||||
<li>{{ _('the CA ceases operations for any reason and has not arranged for another CA to provide revocation support for the certificate;') }}</li>
|
||||
<li>{{ _('the CA private key used in issuing the certificate is suspected to have been compromised; or') }}</li>
|
||||
<li>{{ _('such additional revocation events as the CA publishes in its policy documentation.') }}</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>{{ _('CAs must maintain an online 24x7 repository mechanism whereby application software can automatically check online the current status of all unexpired certificates issued by the CA. For end-entity certificates:') }}
|
||||
<ul>
|
||||
<li>{{ _('CRLs must be updated and reissued at least every seven days, and the value of the nextUpdate field shall not be more than ten days beyond the value of the thisUpdate field; or') }}</li>
|
||||
<li>{{ _('if the CA provides revocation information via an Online Certificate Status Protocol (OCSP) service, it must update that service at least every four days. OCSP responses from this service must have a maximum expiration time of ten days.') }}</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>{{ _('We require that all CAs whose certificates are distributed with our software products provide us an updated statement annually of attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties, as outlined in this policy. To notify us of an updated statement of attestation, send email to <a href="mailto:certificates@mozilla.org">certificates@mozilla.org</a> or submit a bug report into the mozilla.org Bugzilla system, filed against the "CA Certificates" component of the "mozilla.org" product. The request should include the following:') }}
|
||||
<ul>
|
||||
<li>{{ _('the certificate data identifying the CA certificate(s) to which the updated statement of attestation applies;') }}</li>
|
||||
<li>{{ _('a copy of (or link to) the updated statement of attestation (e.g., "Auditor’s Report and Management Assertions" or equivalent document); and') }}</li>
|
||||
<li>{{ _('contact information for the party making the attestation, if the statement is not posted on an independent website (e.g. cert.webtrust.org).') }}</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>{{ _('We require that all CAs whose certificates are distributed with our software products notify us when its policies and business practices change in regards to verification procedures for issuing certificates, when the ownership control of the CA’s certificate(s) changes, or when ownership control of the CA’s operations changes. To notify us of updated policies and business practices, send email to <a href="mailto:certificates@mozilla.org">certificates@mozilla.org</a> or submit a bug report into the mozilla.org Bugzilla system, filed against the "CA Certificates" component of the "mozilla.org" product. The request should include the following:') }}
|
||||
<ul>
|
||||
<li>{{ _('the certificate data identifying the CA certificate(s) that are affected by the change;') }}</li>
|
||||
<li>{{ _('copies of (or links to) the updated Certificate Policy or Certification Practice Statement document(s) or equivalent disclosure document(s); and') }}</li>
|
||||
<li>{{ _('a summary of the changes that impact the verification procedures for issuing certificates.') }}</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>{{ _('We require that all CAs whose certificates are distributed with our software products ensure that we have their current contact information. If the CA’s primary representative for their included root certificates leaves the organization, then the burden is on the CA to inform Mozilla of the contact information for the new primary representative, by sending email to <a href="mailto:certificates@mozilla.org">certificates@mozilla.org</a>. If we are not able to contact a CA, or do not have current audit and policy documentation, then the CA’s root certificates may be disabled or removed as described in the <a href="%s"> Enforcement Section of the Mozilla CA Certificate Policy</a>')|format(url('mozorg.about.governance.policies.security.certs.enforcement')) }}</li>
|
||||
<li>{{ _('A failure to provide required notifications or updates as specified in items #4, #5, and #6 in a timely manner shall be grounds for disabling a CA’s root certificates or removing them from Mozilla products. For this policy "a timely manner" means within 30 days of when the appropriate data or documentation becomes available to the CA.') }}</li>
|
||||
<li>{{ _('We consider the following algorithms and key sizes to be acceptable and supported in Mozilla products:') }}
|
||||
<ul>
|
||||
<li>{{ _('SHA-1 (until a practical collision attack against SHA-1 certificates is imminent);') }}</li>
|
||||
<li>{{ _('SHA-256, SHA-384, SHA-512;') }}</li>
|
||||
<li>{{ _('Elliptic Curve Digital Signature Algorithm (using ANSI X9.62) over SECG and NIST named curves P-256, P-384, and P-512;') }}</li>
|
||||
<li>{{ _('RSA 2048 bits or higher; and') }}</li>
|
||||
<li>{{ _('RSA 1024 bits (only until December 31, 2013).') }}</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>{{ _('We expect CAs to maintain current best practices to prevent algorithm attacks against certificates. As such, the following steps will be taken:') }}
|
||||
<ul>
|
||||
<li>{{ _('after June 30, 2011, software published by Mozilla will return an error when a certificate with an MD5-based signature is used;') }}</li>
|
||||
<li>{{ _('all end-entity certificates with RSA key sizes smaller than 2048 bits must expire by December 31, 2013;') }}</li>
|
||||
<li>{{ _('after December 31, 2013, Mozilla will disable or remove all root certificates with RSA key sizes smaller than 2048 bits; and') }}</li>
|
||||
<li>{{ _('all new end-entity certificates must contain at least 20 bits of unpredictable random data (preferably in the serial number).') }}</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>{{ _('Changes may be made to root certificates that are included in Mozilla products as follows:') }}
|
||||
<ul>
|
||||
<li>{{ _('root changes that are motivated by a serious security concern such as a major root compromise should be treated as a security-sensitive bug, and the <a href="%s"> Mozilla Policy for Handling Security Bugs</a> should be followed;')|format(url('mozorg.about.governance.policies.security.bugs')) }}</li>
|
||||
<li>{{ _('enabling a trust bit in a root certificate that is currently included, may only be done after careful consideration of the CA’s current policies, practices, and audits, according to the <a href="%s"> Inclusion Section of the Mozilla CA Certificate Policy,</a> and may be requested by a representative of the CA or a representative of Mozilla by submitting a bug report into the mozilla.org Bugzilla system, as described in Mozilla’s wiki page, <cite><a href="%s"> Applying for root inclusion in Mozilla products;</a></cite>')|format(url('mozorg.about.governance.policies.security.certs.inclusion'), 'https://wiki.mozilla.org/CA:How_to_apply#Enable_Additional_Trust_Bits_for_an_included_root') }}</li>
|
||||
<li>{{ _('enabling EV in a root certificate that is currently included, may only be done after careful consideration of the CA’s current policies, practices, and audits, according to the <a href="%s">Inclusion Section of the Mozilla CA Certificate Policy,</a> and may be requested by a representative of the CA or a representative of Mozilla by submitting a bug report into the mozilla.org Bugzilla system, as described in Mozilla’s wiki page, <cite><a href="%s"> Applying for root inclusion in Mozilla products;</a></cite>')|format(url('mozorg.about.governance.policies.security.certs.inclusion'), 'https://wiki.mozilla.org/CA:How_to_apply#Enable_Additional_Trust_Bits_for_an_included_root') }}</li>
|
||||
<li>{{ _('disabling a root is the act of turning off one or more of the three trust bits (Websites, Email, Code Signing), and may be requested by a representative of the CA or a representative of Mozilla by submitting a bug report into the mozilla.org Bugzilla system, as described in the <a href="%s"> Root Change Process;</a>')|format('https://wiki.mozilla.org/CA:Root_Change_Process') }}</li>
|
||||
<li>{{ _('a representative of the CA or a representative of Mozilla may request that a root certificate be removed by submitting a bug report into the mozilla.org Bugzilla system, as described in the <a href="%s"> Root Change Process.</a>')|format('https://wiki.mozilla.org/CA:Root_Change_Process') }}</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ol>
|
||||
|
||||
<p>{{ _('This policy applies only to software products distributed by Mozilla, including the Mozilla Foundation and its subsidiaries. Other entities distributing such software are free to adopt their own policies. In particular, under the terms of the relevant Mozilla license(s) distributors of such software are permitted to add or delete CA certificates in the versions that they distribute, and are also permitted to modify the values of the "trust bits" on CA certificates in the default CA certificate set. As with other software modifications, by making such changes a distributor may affect its ability to use Mozilla trademarks in connection with its versions of the software; see the <a href="%s">Mozilla trademark policy</a> for more information.')|format(url('foundation.trademarks.policy')) }}</p>
|
||||
|
||||
<p>{{ _('Please contact Mozilla at <a href="mailto:certificates@mozilla.org">certificates@mozilla.org</a> for more information about this policy and answers to related questions.') }}</p>
|
||||
|
||||
<p>{{ _('We reserve the right to change this policy in the future. We will do so only after consulting with the public Mozilla community, in order to ensure that all views are taken into account.') }}</p>
|
||||
|
||||
{%endblock%}
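Review bot: The version heading is opened as `<h3>` and closed with `</h1>`; it should read `<h3>{{ _('(Version 2.2)') }}</h3>`, and the `<h1>` above it lacks the `class="title-banner"` that the other certs templates in this commit carry. In the list of acceptable algorithms the ECDSA item names curve "P-512", but the NIST/SECG named curve is P-521, so this looks like a transposition. It should be checked against the authoritative policy text before the string goes to localization, because a policy page naming a curve that does not exist is ambiguous for CAs. Item 7 refers to "items #4, #5, and #6" by number inside a translated string, which will silently go stale if the `<ol>` is ever reordered.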
|
|
@ -0,0 +1,46 @@
|
|||
{# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/. -#}
|
||||
|
||||
{% extends "mozorg/about-base.html" %}
|
||||
|
||||
{% block page_title %}{{ _('Mozilla Pending CA Certificate List') }}{% endblock %}
|
||||
{% block body_class %}sand{% endblock %}
|
||||
|
||||
{% block extrahead %}
|
||||
{{ css('security-group') }}
|
||||
{% endblock %}
|
||||
|
||||
{% block article %}
|
||||
<h1 class="title-banner">{{ _('Mozilla Pending CA Certificate List') }}</h1>
|
||||
|
||||
<p>{{ _('This is a list of Certification Authorities (CAs) who have applied for inclusion of their certificates into the Mozilla project Root CA store, and whose applications are <a href="%s">pending</a>.')|format('https://wiki.mozilla.org/CA:Schedule') }}</p>
|
||||
|
||||
<table class="table">
|
||||
<tr>
|
||||
<th>{{ _('Approved, pending inclusion') }}</th>
|
||||
<td>{{ _('Approved requests that are in the <a href="%s">inclusion phase</a> are highlighted in blue.')|format('https://wiki.mozilla.org/CA:How_to_apply#Inclusion') }}</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>{{ _('Ready for Public Discussion') }}</th>
|
||||
<td>{{ _('Requests that are ready for <a href="%s">public discussion</a> are highlighted in green.')|format('https://wiki.mozilla.org/CA:How_to_apply#Public_discussion') }}</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>{{ _('In Public Discussion') }}</th>
|
||||
<td>{{ _('Requests in <a href="%s">public discussion</a> are highlighted in yellow.')|format('https://wiki.mozilla.org/CA:How_to_apply#Public_discussion') }}</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>{{ _('CA Actions Items from Discussion') }}</th>
|
||||
<td>{{ _('Requests pending completion of action items resulting from <a href="%s">public discussion</a> are highlighted in yellow.')|format('https://wiki.mozilla.org/CA:How_to_apply#Public_discussion') }}</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
<p>{{ _('View the <a href="%s">list of CA certificates that are currently distributed with Mozilla software products</a>.')|format(url('mozorg.about.governance.policies.security.certs.included')) }}</p>
|
||||
|
||||
<p>{{ _('If the spreadsheet does not display in the iframe below, then you may <a href="%s">access the spreadsheet directly</a>.')|format('https://docs.google.com/spreadsheet/pub?key=0Ah-tHXMAwqU3dHEtbFRSUGVtN0hoUVZnajFNRlJWenc&output=html') }}</p>
|
||||
|
||||
<iframe width="100%" height="700px" src="https://docs.google.com/spreadsheet/pub?key=0Ah-tHXMAwqU3dHEtbFRSUGVtN0hoUVZnajFNRlJWenc&output=html">
|
||||
<a href="https://docs.google.com/spreadsheet/pub?key=0Ah-tHXMAwqU3dHEtbFRSUGVtN0hoUVZnajFNRlJWenc&output=html">{{ _('View spreadsheet') }}</a>
|
||||
</iframe>
|
||||
|
||||
{% endblock %}
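Review bot: The `<iframe>` near the end of the template embeds a third-party Google Docs spreadsheet with no `sandbox` and no `title`, so the framed document gets the default frame capabilities (scripts, popups, top-level navigation) rather than a restricted set, and the frame is unlabeled for assistive technology. I would add `title="{{ _('Pending CA certificate requests') }}"` and a `sandbox` attribute carrying only the tokens the published sheet needs — probably `sandbox="allow-scripts allow-same-origin"`, to be confirmed by testing. The `&` in `&output=html` inside the iframe `src` and the fallback link's `href` should be written `&amp;`, and `height="700px"` should be `height="700"` since the attribute takes a bare pixel count. The legend also describes both "In Public Discussion" and "CA Actions Items from Discussion" as highlighted in yellow; if that is not intended, one of the two strings needs correcting.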
|
|
@ -0,0 +1,42 @@
|
|||
{# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/. -#}
|
||||
|
||||
{% extends "mozorg/about-base.html" %}
|
||||
|
||||
{% block page_title %}{{ _('Mozilla CA Certificate Policy') }}{% endblock %}
|
||||
{% block body_class %}sand{% endblock %}
|
||||
|
||||
{% block extrahead %}
|
||||
{{ css('security-group') }}
|
||||
{% endblock %}
|
||||
|
||||
{% block article %}
|
||||
<h1 class="title-banner">{{ _('Mozilla CA Certificate Policy') }}</h1>
|
||||
<h3>{{ _('Version 2.2') }}</h3>
|
||||
<p>{{ _('When distributing binary and source code versions of Firefox, Thunderbird, and other Mozilla-related software products, Mozilla may include with such software a default set of X.509v3 certificates for various Certification Authorities (CAs). The certificates included by default have their "trust bits" set for various purposes, so that the software in question can use the CA certificates to verify certificates for SSL servers, S/MIME email users, and digitally-signed code objects without having to ask users for further permission or information.') }}</p>
|
||||
|
||||
<p>{{ _('This is the official Mozilla policy for CA certificates that are distributed with Mozilla software products. This policy consists of the following three sections:') }}</p>
|
||||
|
||||
<ol>
|
||||
<li>
|
||||
<a href="{{ url('mozorg.about.governance.policies.security.certs.inclusion') }}">{{ _('Applying for Inclusion of Root Certificates in Mozilla Products') }}</a>
|
||||
<p>{{ _('This section describes the obligations of Certification Authorities applying for inclusion of their root certificates in Mozilla Products. This includes considerations that are taken into account such as the CA’s publicly available documentation about their policies, and audits of the CA’s operations in support of the documented policies.') }}</p>
|
||||
</li>
|
||||
<li>
|
||||
<a href="{{ url('mozorg.about.governance.policies.security.certs.maintenance') }}">{{ _('Maintaining Confidence in Included Root Certificates') }}</a>
|
||||
<p>{{ _('This section describes the obligations of Certification Authorities for maintaining confidence in their root certificates that are included in Mozilla Products. This includes regular auditing of the CA’s policies and practices; conforming to current CA industry standards and recommended best practices; and making changes to included root certificates.') }}</p>
|
||||
</li>
|
||||
|
||||
<li>
|
||||
<a href="{{ url('mozorg.about.governance.policies.security.certs.enforcement') }}">{{ _('Enforcing the Mozilla CA Certificate Policy') }}</a>
|
||||
<p>{{ _('This section describes the steps that Mozilla may take in order to enforce this policy. This includes evaluation of security concerns, and removing or disabling a root certificate.') }}</p>
|
||||
</li>
|
||||
</ol>
|
||||
<p>{{ _('This policy applies only to software products distributed by Mozilla, including the Mozilla Foundation and its subsidiaries. Other entities distributing such software are free to adopt their own policies. In particular, under the terms of the relevant Mozilla license(s) distributors of such software are permitted to add or delete CA certificates in the versions that they distribute, and are also permitted to modify the values of the "trust bits" on CA certificates in the default CA certificate set. As with other software modifications, by making such changes a distributor may affect its ability to use Mozilla trademarks in connection with its versions of the software; see the <a href="%s">Mozilla trademark policy</a> for more information.')|format(url('foundation.trademarks.index')) }}</p>
|
||||
|
||||
<p>{{ _('Please contact Mozilla at <a href="mailto:certificates@mozilla.org">certificates@mozilla.org</a> for more information about this policy and answers to related questions.') }}</p>
|
||||
|
||||
<p>{{ _('We reserve the right to change this policy in the future. We will do so only after consulting with the public Mozilla community, in order to ensure that all views are taken into account.') }}</p>
|
||||
|
||||
{% endblock %}
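Review bot: The contact address in the `Please contact Mozilla at …` string is hard-coded inside the translatable text (`<a href="mailto:certificates@mozilla.org">`), while the trademark-policy link in the paragraph above it is passed in through `|format(...)`. Everything inside `_()` is handed to localizers, so a translation can alter or mistype the address that CAs are told to use for questions about this policy. Keeping the address out of the string avoids that, for example `_('Please contact Mozilla at <a href="mailto:%(addr)s">%(addr)s</a> for more information about this policy and answers to related questions.')|format(addr='certificates@mozilla.org')`.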
|
|
@ -23,14 +23,20 @@ urlpatterns = patterns('',
|
|||
page('about/powered-by', 'mozorg/powered-by.html'),
|
||||
page('about/governance', 'mozorg/about/governance/governance.html'),
|
||||
page('about/governance/roles', 'mozorg/about/governance/roles.html'),
|
||||
page('about/governance/policies', 'mozorg/about/governance/policies.html'),
|
||||
page('about/governance/policies', 'mozorg/about/governance/policies/policies.html'),
|
||||
page('about/governance/policies/security-group', 'mozorg/about/governance/policies/security/group.html'),
|
||||
page('about/governance/policies/security-group/bugs', 'mozorg/about/governance/policies/security/bugs.html'),
|
||||
page('about/governance/policies/security-group/tld-idn', 'mozorg/about/governance/policies/security/tld-idn.html'),
|
||||
page('about/governance/policies/security-group/membership', 'mozorg/about/governance/policies/security/membership.html'),
|
||||
page('about/governance/policies/security-group/certs', 'mozorg/about/governance/policies/security/certs/index.html'),
|
||||
page('about/governance/policies/security-group/certs/included', 'mozorg/about/governance/policies/security/certs/included.html'),
|
||||
page('about/governance/policies/security-group/certs/pending', 'mozorg/about/governance/policies/security/certs/pending.html'),
|
||||
page('about/governance/policies/security-group/certs/policy', 'mozorg/about/governance/policies/security/certs/policy.html'),
|
||||
page('about/governance/policies/security-group/certs/policy/enforcement', 'mozorg/about/governance/policies/security/certs/enforcement.html'),
|
||||
page('about/governance/policies/security-group/certs/policy/maintenance', 'mozorg/about/governance/policies/security/certs/maintenance.html'),
|
||||
page('about/governance/policies/security-group/certs/policy/inclusion', 'mozorg/about/governance/policies/security/certs/inclusion.html'),
|
||||
page('about/governance/organizations', 'mozorg/about/governance/organizations.html'),
|
||||
page('about/governance/policies/participation', 'mozorg/about/governance/policies/participation.html'),
|
||||
page('about/governance/policies', 'mozorg/about/governance/policies/policies.html'),
|
||||
|
||||
page('contact/spaces', 'mozorg/contact/spaces/spaces-landing.html'),
|
||||
page('contact/spaces/mountain-view', 'mozorg/contact/spaces/mountain-view.html'),
|
||||
|
|
|
@ -459,6 +459,14 @@ RewriteRule ^/projects/security/membership-policy.html$ /about/governance/polici
|
|||
RewriteRule ^/projects/security/secgrouplist.html$ /about/governance/policies/security-group/ [L,R=301]
|
||||
RewriteRule ^/projects/security/security-bugs-policy.html$ /about/governance/policies/security-group/bugs/ [L,R=301]
|
||||
|
||||
# bug 818316
|
||||
RewriteRule ^/projects/security/certs(?:/(?:index.html)?)?$ /about/governance/policies/security-group/certs/ [L,R=301]
|
||||
RewriteRule ^/projects/security/certs/included(?:/(?:index.html)?)?$ /about/governance/policies/security-group/certs/included/ [L,R=301]
|
||||
RewriteRule ^/projects/security/certs/pending(?:/(?:index.html)?)?$ /about/governance/policies/security-group/certs/pending/ [L,R=301]
|
||||
RewriteRule ^/projects/security/certs/policy(?:/(?:index.html)?)?$ /about/governance/policies/security-group/certs/policy/ [L,R=301]
|
||||
RewriteRule ^/projects/security/certs/policy/EnforcementPolicy.html /about/governance/policies/security-group/certs/policy/enforcement/ [L,R=301]
|
||||
RewriteRule ^/projects/security/certs/policy/MaintenancePolicy.html /about/governance/policies/security-group/certs/policy/maintenance/ [L,R=301]
|
||||
RewriteRule ^/projects/security/certs/policy/InclusionPolicy.html /about/governance/policies/security-group/certs/policy/inclusion/ [L,R=301]
|
||||
|
||||
# bug 903089
|
||||
RewriteRule ^/robots.txt$ /b/robots.txt [PT]
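Review bot: The three added rules for `EnforcementPolicy.html`, `MaintenancePolicy.html` and `InclusionPolicy.html` have no `$` at the end of the pattern, unlike the four certs rules added above them, so any request path that merely begins with one of these names is redirected as well. The `.` before `html` is also unescaped and matches any character. Anchoring and escaping limits each redirect to the single legacy URL it is meant for, e.g. `RewriteRule ^/projects/security/certs/policy/EnforcementPolicy\.html$ /about/governance/policies/security-group/certs/policy/enforcement/ [L,R=301]`, and likewise for the other two.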
|
||||
|
|