Line 15: | Line 15: | ||
Here are some examples of the level of information that should be included in the BR audit statement in regards to BRs that the CA is not yet fully conforming to. | Here are some examples of the level of information that should be included in the BR audit statement in regards to BRs that the CA is not yet fully conforming to. | ||
* BR 9.5 – 1024-bit certs with validity beyond 2013 (in order to support legacy customer apps) | * BR 9.5 (section 6.1.3, 6.1.1.3 in BR version 1.3) – 1024-bit certs with validity beyond 2013 (in order to support legacy customer apps) | ||
* BR 13.2.6 - OCSP giving status “good” for unknown serial numbers. | * BR 13.2.6 (section 4.9.10 in BR version 1.3) - OCSP giving status “good” for unknown serial numbers. | ||
* BR 16.5 - multi-factor authentication for '''all''' accounts capable of directly causing certificate issuance | * BR 16.5 (section 5 in BR version 1.3) - multi-factor authentication for '''all''' accounts capable of directly causing certificate issuance | ||
* BR 17.5 - The audit period for the Delegated Third Party SHALL NOT exceed one year | * BR 17.5 (section 8.4 in BR version 1.3) - The audit period for the Delegated Third Party SHALL NOT exceed one year | ||
* BR 17.8 – audits on at least a quarterly basis against a randomly selected sample of the greater of one certificate or '''at least three percent''' of the Certificates issued by it during the period commencing immediately after the previous self-audit sample was taken | * BR 17.8 (section 8.7 in BR version 1.3) – audits on at least a quarterly basis against a randomly selected sample of the greater of one certificate or '''at least three percent''' of the Certificates issued by it during the period commencing immediately after the previous self-audit sample was taken | ||
* BR 11.2 – re-verifying identity for cert renewal requests | * BR 11.2 (section 3.2 in BR version 1.3) – re-verifying identity for cert renewal requests | ||
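Review bot: the BR 9.5 bullet gives its new cross-reference in a different form from the other five ("section 6.1.3, 6.1.1.3 in BR version 1.3", two numbers, comma-separated, with the more specific subsection listed second), so a reader cannot tell whether the 1024-bit requirement is meant to live in both places or whether one of the two is a typo; suggest stating it explicitly, e.g. "(sections 6.1.1.3 and 6.1.3 in BR version 1.3)", or keeping only the subsection that actually carries the requirement. In the same hunk, the BR 16.5 mapping points at "section 5" as a whole, which is the entire physical, procedural and personnel controls chapter rather than the multi-factor authentication clause the bullet quotes; if a single subsection of version 1.3 carries that requirement, cite it, otherwise the reader has to search the whole chapter. Minor style point: the bullets mix an en-dash ("–") and a hyphen ("-") as the separator after the section number; pick one.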
Line 26: | Line 26: | ||
A BR audit must include checks to verify that the root, intermediate, and SSL certificates conform to [http://tools.ietf.org/html/rfc5280 RFC 5280]. Given that the BRs normatively incorporate RFC 5280, auditors MUST be checking compliance in order to evaluate whether or not a given certificate conforms to the BRs. | A BR audit must include checks to verify that the root, intermediate, and SSL certificates conform to [http://tools.ietf.org/html/rfc5280 RFC 5280]. Given that the BRs normatively incorporate RFC 5280, auditors MUST be checking compliance in order to evaluate whether or not a given certificate conforms to the BRs. | ||
BR section 4: "Valid Certificate: A Certificate that passes the validation procedure specified in RFC 5280." | BR section 4 (section 1.6.1 in BR version 1.3): "Valid Certificate: A Certificate that passes the validation procedure specified in RFC 5280." | ||
BR Appendix B: | BR Appendix B (section 7.1.2 in BR version 1.3): | ||
* "All other fields and extensions MUST be set in accordance with RFC 5280." | * "All other fields and extensions MUST be set in accordance with RFC 5280." | ||
** Note: "fields" includes non-extension fields. | ** Note: "fields" includes non-extension fields. | ||
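Review bot: the "(section X in BR version 1.3)" parenthetical is now repeated on every section reference on the page, and "BR version 1.3" is never linked or defined; suggest adding one note near the top of the page stating the convention (old section number first, version 1.3 number in parentheses) and linking the version 1.3 document from the existing [https://cabforum.org/baseline-requirements-documents/ ...] location, so that a future renumbering can be handled in one place instead of on every bullet. Also, the two quoted lines under "BR Appendix B (section 7.1.2 in BR version 1.3):" are left unchanged here, which is correct, since the quoted text is the same in both numberings; no action needed on those.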
Line 44: | Line 44: | ||
* Cryptographic algorithm and key sizes must meet BR Appendix A. | * Cryptographic algorithm and key sizes must meet BR Appendix A. | ||
* Certificate Extension must comply with BR Appendix B. | * Certificate Extension must comply with BR Appendix B. | ||
* Intermediate certificates must either be technically constrained or publicly disclosed and audited as described in [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy] and [https://cabforum.org/baseline-requirements-documents/ BR sections 9.7 and 17]. | * Intermediate certificates must either be technically constrained or publicly disclosed and audited as described in [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy] and [https://cabforum.org/baseline-requirements-documents/ BR sections 9.7 and 17]. (sections 7.1.5 and 8 in BR version 1.3) | ||
Definition: An intermediate certificate that does not have an Extended Key Usage (EKU) extension, has id-kp-serverAuth extended key usage, or has the anyExtendedKeyUsage KeyPurposeId is considered '''''capable''''' of issuing SSL certificates. | Definition: An intermediate certificate that does not have an Extended Key Usage (EKU) extension, has id-kp-serverAuth extended key usage, or has the anyExtendedKeyUsage KeyPurposeId is considered '''''capable''''' of issuing SSL certificates. |
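Review bot: in the intermediate-certificate bullet the new cross-reference "(sections 7.1.5 and 8 in BR version 1.3)" is appended after the sentence's full stop and outside the "[... BR sections 9.7 and 17]" link, which is inconsistent with every other bullet on the page, where the mapping sits directly after the section number; suggest "... and [https://cabforum.org/baseline-requirements-documents/ BR sections 9.7 and 17] (sections 7.1.5 and 8 in BR version 1.3)." The two preceding bullets ("must meet BR Appendix A" and "must comply with BR Appendix B") were left without a version 1.3 mapping even though the Line 26 hunk on this same page already maps Appendix B to section 7.1.2; add the same mapping here for consistency, and the corresponding one for Appendix A if known. Style point, unchanged context: "Certificate Extension must comply" should read "Certificate extensions must comply".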