Non-compliance with the following policies is an example of the kind of mistake that auditors must '''not''' overlook.
* BR Appendix A (section 6.1.5 in BR version 1.3) for root and intermediate certs - Cryptographic Algorithm and Key Requirements (Normative) - Certificates MUST meet the requirements for algorithm type and key size set out there.
* BR Appendix B (section 7.1.2 in BR version 1.3) for root and intermediate certs - Certificate Extensions (Normative) - specifies the requirements for Certificate extensions for Certificates generated after the Effective Date.
* With regard to root and intermediate certificates, the items listed in section 4 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla CA Certificate Inclusion Policy]:
** ASN.1 DER encoding errors;
Non-compliance with the following policies is an example of the kind of mistake that auditors might overlook because they examine only a sample of end-entity certificates:
* BR 9.2.1 (section 7.1.4.2.1 in BR version 1.3) - Subject Alternative Name Extension - SSL certificates must contain this extension with at least one entry
* BR 9.2.2 (section 7.1.4.2.2 in BR version 1.3) - Subject Common Name Field - If present, this field MUST contain a single IP address or Fully-Qualified Domain Name that is one of the values contained in the Certificate's subjectAltName extension
* BR 9.4.1 (section 6.3.2 in BR version 1.3) - Subscriber Certificates - Subscriber Certificates issued after the Effective Date (1 July 2012) MUST have a Validity Period no greater than 60 months. (exceptions allowed)
* BR Appendix A (section 6.1.5 in BR version 1.3) for Subscriber certs - Cryptographic Algorithm and Key Requirements (Normative) - Certificates MUST meet the requirements for algorithm type and key size set out there.
* BR Appendix B (section 7.1.2 in BR version 1.3) for Subscriber certs - Certificate Extensions (Normative) - This appendix specifies the requirements for Certificate extensions for Certificates generated after the Effective Date.
* The items listed in section 4 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla CA Certificate Inclusion Policy] in end-entity certificates:
** ASN.1 DER encoding errors;
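The "ASN.1 DER encoding errors" item is exactly the kind of defect a sampled audit misses and an automated pass over every issued certificate catches. The following Python is an added example (not code from this wiki page, from Mozilla, or from the CA/Browser Forum): it walks a DER byte string and rejects the encodings that BER permits but DER (ITU-T X.690) forbids - indefinite lengths, non-minimal length octets, non-minimal INTEGER content and BOOLEAN values other than 0x00/0xFF. The function and constant names are illustrative, and the sample byte strings are constructed for the example; a real check would run it over the DER of each certificate under review.

```python
"""Strict DER well-formedness check (added example; the inputs at the bottom are constructed)."""

TAG_BOOLEAN = 0x01
TAG_INTEGER = 0x02


def _read_tag(buf, pos, end):
    """Consume a tag (including the high-tag-number form) and return (first tag byte, new_pos)."""
    if pos >= end:
        raise ValueError("truncated tag")
    first = buf[pos]
    pos += 1
    if first & 0x1F == 0x1F:  # high-tag-number form: continuation bytes follow
        while True:
            if pos >= end:
                raise ValueError("truncated high-tag-number form")
            more = buf[pos] & 0x80
            pos += 1
            if not more:
                break
    return first, pos


def _read_length(buf, pos, end):
    """Consume a length and return (length, new_pos), rejecting non-DER forms (X.690 10.1)."""
    if pos >= end:
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: one byte, values 0..127
        return first, pos
    if first == 0x80:
        raise ValueError("indefinite length is not allowed in DER")
    n = first & 0x7F
    if pos + n > end:
        raise ValueError("truncated long-form length")
    raw = buf[pos:pos + n]
    pos += n
    if raw[0] == 0x00:
        raise ValueError("long-form length has a leading zero octet")
    length = int.from_bytes(raw, "big")
    if length < 0x80:
        raise ValueError("long-form length used for a value that fits the short form")
    return length, pos


def check_der(buf, pos=0, end=None):
    """Walk every TLV in buf[pos:end]; raise ValueError at the first DER violation.

    Returns the number of elements seen, nested ones included."""
    if end is None:
        end = len(buf)
    count = 0
    while pos < end:
        tag, pos = _read_tag(buf, pos, end)
        length, pos = _read_length(buf, pos, end)
        if pos + length > end:
            raise ValueError("element runs past the end of its container")
        content = buf[pos:pos + length]
        if tag & 0x20:                    # constructed: recurse into the content octets
            count += check_der(buf, pos, pos + length)
        elif tag == TAG_INTEGER:          # X.690 8.3.2: no redundant leading 0x00 / 0xFF octet
            if length == 0:
                raise ValueError("INTEGER with no content octets")
            if length > 1 and (
                (content[0] == 0x00 and not content[1] & 0x80)
                or (content[0] == 0xFF and content[1] & 0x80)
            ):
                raise ValueError("INTEGER is not minimally encoded")
        elif tag == TAG_BOOLEAN:          # X.690 11.1: DER TRUE is exactly 0xFF
            if length != 1 or content[0] not in (0x00, 0xFF):
                raise ValueError("BOOLEAN must be a single 0x00 or 0xFF octet")
        pos += length
        count += 1
    return count


def der_error(buf):
    """Return None if buf is valid DER, otherwise the message of the first violation."""
    try:
        check_der(buf)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed samples: SEQUENCE { INTEGER 5, BOOLEAN TRUE } and four BER-legal, DER-illegal variants.
GOOD = bytes.fromhex("3006 020105 0101FF")
BAD_INTEGER = bytes.fromhex("3007 02020005 0101FF")        # INTEGER 5 with a redundant leading zero
BAD_LENGTH = bytes.fromhex("308106 020105 0101FF")         # long-form length for a value < 128
BAD_INDEFINITE = bytes.fromhex("3080 020105 0101FF 0000")  # indefinite length plus end-of-contents
BAD_BOOLEAN = bytes.fromhex("3006 020105 010101")          # BOOLEAN TRUE encoded as 0x01

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("BAD_INTEGER", BAD_INTEGER), ("BAD_LENGTH", BAD_LENGTH),
                         ("BAD_INDEFINITE", BAD_INDEFINITE), ("BAD_BOOLEAN", BAD_BOOLEAN)]:
        print(f"{name}: {der_error(sample) or 'valid DER'}")
```

The checker stops at the first violation, which is what a CA needs for a fix-and-reissue loop; a report over a whole corpus would instead collect the violations per certificate. Note that a certificate can be perfectly valid BER and still fail here, and that is the point: relying-party code and signature verification assume DER.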
Finally, there is a type of mistake that may be found during the evaluation of a root inclusion/change request and resolved by the CA without requiring a re-audit. If someone reports this type of mistake, the CA must fix it and provide examples demonstrating that the problem has been resolved. Examples of this type of mistake include non-compliance with the following.
* BR 13.2.2 (section 4.9.10 in BR version 1.3) - Repository -- maximum expiration time for CRLs and OCSP responses; OCSP responders must support the GET method
* BR 3.2.5 (section 4.9.9 in BR version 1.3) - OCSP Signing -- OCSP responses MUST conform to RFC 2560 and/or RFC 5019.
* [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/ Mozilla CA Certificate Maintenance Policy] section 9: all new end-entity certificates must contain at least 20 bits of unpredictable random data (preferably in the serial number).
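A check for the end-entity items that sampling can miss (SAN present, CN among the SAN values, validity period, key requirements) together with the serial-number rule from the Mozilla maintenance policy, as an added Python example that is not from this wiki page, from Mozilla, or from the CA/Browser Forum. It runs over an already-parsed representation of a certificate (a dict with only the fields the checks need; the dict layout, the function names and the two sample certificates are constructed for the example), so that the rules themselves are visible rather than the X.509 parsing. The key thresholds (RSA modulus of at least 2048 bits, the NIST P-256/P-384/P-521 curves, an odd public exponent of at least 3) are the BR Appendix A / sections 6.1.5 and 6.1.6 values as recalled here and should be confirmed against the BR text; the section numbers in the findings are the BR 1.3 numbers given above.

```python
"""Field-level checks for end-entity certificates (added example; the inputs at the bottom are constructed)."""
import ipaddress
from datetime import datetime, timezone

# 60 months and 20 bits are the values stated on the page; the key thresholds are the
# BR Appendix A / 6.1.5 / 6.1.6 values as recalled here (assumption: verify against the BRs).
MAX_VALIDITY_MONTHS = 60
MIN_SERIAL_BITS = 20
MIN_RSA_BITS = 2048
ALLOWED_EC_CURVES = {"secp256r1", "secp384r1", "secp521r1"}


def months_between(start, end):
    """Calendar months from start to end; a partial trailing month counts as a whole one."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.timetuple()[2:6] > start.timetuple()[2:6]:   # compare (day, hour, minute, second)
        months += 1
    return months


def _san_key(kind, value):
    """Canonical (kind, value) for a subjectAltName entry; kind is 'dns' or 'ip'."""
    v = value.strip().lower().rstrip(".")
    if kind == "ip":
        v = ipaddress.ip_address(v).exploded   # one spelling per address, e.g. for IPv6
    return (kind, v)


def _cn_key(cn):
    """Canonical key for a Common Name; an IP literal is matched against iPAddress entries only."""
    v = cn.strip().lower().rstrip(".")
    try:
        return ("ip", ipaddress.ip_address(v).exploded)
    except ValueError:
        return ("dns", v)


def name_in_san(cn, san):
    """True if the CN value is one of the SAN values (case-insensitive, trailing dot ignored).

    An IP address in the CN must appear as an iPAddress entry; the same digits inside a
    dNSName entry do not count, and are themselves a BR violation."""
    return _cn_key(cn) in {_san_key(kind.lower(), value) for kind, value in san}


def lint_subscriber_cert(cert):
    """Return [(rule, message), ...] for the checks listed on the page; empty means no finding."""
    findings = []
    san = cert.get("san") or []
    if not san:
        findings.append(("BR 7.1.4.2.1", "subjectAltName is missing or empty"))
    cn = cert.get("common_name")
    if cn is not None and not name_in_san(cn, san):
        findings.append(("BR 7.1.4.2.2", f"CN {cn!r} is not one of the subjectAltName values"))
    months = months_between(cert["not_before"], cert["not_after"])
    if months > MAX_VALIDITY_MONTHS:
        findings.append(("BR 6.3.2", f"validity period of {months} months exceeds {MAX_VALIDITY_MONTHS}"))
    key = cert["public_key"]
    if key["type"] == "rsa":
        if key["bits"] < MIN_RSA_BITS:
            findings.append(("BR 6.1.5", f"RSA modulus of {key['bits']} bits is below {MIN_RSA_BITS}"))
        if key["exponent"] < 3 or key["exponent"] % 2 == 0:
            findings.append(("BR 6.1.6", f"RSA public exponent {key['exponent']} is not an odd number >= 3"))
    elif key["type"] == "ec":
        if key["curve"] not in ALLOWED_EC_CURVES:
            findings.append(("BR 6.1.5", f"EC curve {key['curve']} is not one of the allowed NIST curves"))
    else:
        findings.append(("BR 6.1.5", f"unexpected key algorithm {key['type']!r}"))
    serial = cert["serial"]
    # Bit length is a necessary, not a sufficient, test: a long sequential serial passes it.
    # Whether 20 of the bits are unpredictable can only be judged from the CA's issuance
    # process or from a large set of its certificates.
    if serial <= 0 or serial.bit_length() < MIN_SERIAL_BITS:
        findings.append(("Mozilla maintenance policy section 9",
                         f"serial {serial:#x} cannot carry {MIN_SERIAL_BITS} bits of random data"))
    return findings


_UTC = timezone.utc
GOOD_CERT = {   # constructed: compliant on every check above
    "common_name": "www.example.com",
    "san": [("DNS", "www.example.com"), ("DNS", "example.com"), ("IP", "192.0.2.10")],
    "not_before": datetime(2015, 1, 1, tzinfo=_UTC),
    "not_after": datetime(2017, 12, 31, 23, 59, 59, tzinfo=_UTC),
    "public_key": {"type": "rsa", "bits": 2048, "exponent": 65537},
    "serial": 0x3F8A9C1D2E4B70F1,
}
BAD_CERT = {    # constructed: CN not in SAN, 61-month validity, 1024-bit key, 13-bit serial
    "common_name": "www.example.com",
    "san": [("DNS", "example.com")],
    "not_before": datetime(2015, 1, 1, tzinfo=_UTC),
    "not_after": datetime(2020, 1, 2, tzinfo=_UTC),
    "public_key": {"type": "rsa", "bits": 1024, "exponent": 65537},
    "serial": 0x1000,
}

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("bad", BAD_CERT)):
        print(label, lint_subscriber_cert(cert) or "no findings")
```

The dict fields would in practice be filled from a parsed certificate (for instance with the `cryptography` package) and the function run over every certificate the CA has issued rather than a sample, which is precisely the gap the paragraph above describes. The validity computation rounds a partial month up, so a certificate that ends one day after its 60-month anniversary is reported, while one that ends exactly on it is not.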