CA/BR Audit Guidance: Difference between revisions

m
Line 61: Line 61:
== ETSI BR Audit Statement/Certificate ==
== ETSI BR Audit Statement/Certificate ==
According to section 11 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy], when the websites trust bit is enabled, the only ETSI criteria that is acceptable to Mozilla is  ETSI TS 102 042 V2.3.1 or later (as applicable to the "EVCP" and "EVCP+" certificate policies, DVCP and OVCP certificate policies for publicly trusted certificates - baseline requirements, and any of the "NCP", "NCP+", or "LCP" certificate policies). ETSI TS 101 456 audit criteria is '''not''' sufficient for CA whose root certificate has the websites (SSL/TLS) trust bit enabled; ETSI TS 101 456 may only be used for email certificates.  
According to section 11 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy], when the websites trust bit is enabled, the only ETSI criteria that is acceptable to Mozilla is  ETSI TS 102 042 V2.3.1 or later (as applicable to the "EVCP" and "EVCP+" certificate policies, DVCP and OVCP certificate policies for publicly trusted certificates - baseline requirements, and any of the "NCP", "NCP+", or "LCP" certificate policies). ETSI TS 101 456 audit criteria is '''not''' sufficient for CA whose root certificate has the websites (SSL/TLS) trust bit enabled; ETSI TS 101 456 may only be used for email certificates.  
* Note: TS 101 456 has not been modified/updated to meet the Baseline requirements, but in ETSI they are developing a new set of standards that will replace the TS 102 042 and 101 456, and for all of these the Baseline requirements will be taken into account in case the scope of the BRs ever go beyond the SSL certs and affect all type of certs used in a web browser.
* Note: ETSI TS 101 456 has not been modified/updated to meet the Baseline requirements, but in ETSI they are developing a new set of standards that will replace the TS 102 042 and 101 456, and for all of these the Baseline requirements will be taken into account in case the scope of the BRs ever go beyond the SSL certs and affect all type of certs used in a web browser.


For an ETSI TS 102 042 certificate to be accepted as a BR audit statement, the certificate must include PTC-BR and must be of version 2.3.1 or later. Note: PTC-BR stands for "Publicly Trusted Certificates - Baseline Requirements"
For an ETSI TS 102 042 certificate to be accepted as a BR audit statement, the certificate must include PTC-BR and must be of version 2.3.1 or later. Note: PTC-BR stands for "Publicly Trusted Certificates - Baseline Requirements"
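Review bot: The revised "* Note:" bullet now opens with "ETSI TS 101 456", but later in the same sentence it still reads "the TS 102 042 and 101 456" without the prefix. Write "ETSI TS 102 042 and ETSI TS 101 456" there too, so the designations match the paragraph above. While this line is being edited, "the scope of the BRs ever go beyond" should be "goes beyond", and "all type of certs" should be "all types of certs".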