Confirmed users, Administrators
5,526
edits
CA:SalesforceCommunity: Difference between revisions
Jump to navigation
Jump to search
→Which intermediate certificate data should CAs add to Salesforce?
| Line 61: | Line 61: | ||
** All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program that are not technically constrained as described in section 9 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy]. | ** All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program that are not technically constrained as described in section 9 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy]. | ||
*** Including every intermediate certificate (chaining up to a root certificate in Mozilla's program with the Websites trust bit anabled) that is not [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|Technically Constrained]] via Extended Key Usage and Name Constraint settings. | *** Including every intermediate certificate (chaining up to a root certificate in Mozilla's program with the Websites trust bit anabled) that is not [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|Technically Constrained]] via Extended Key Usage and Name Constraint settings. | ||
** [[CA:ImprovingRevocation#Preload_Revocations_of_Intermediate_CA_Certificates|Revoked | ** [[CA:ImprovingRevocation#Preload_Revocations_of_Intermediate_CA_Certificates|Revoked certificates]] certificates that were capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program and were not technically constrained as described in section 9 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy]. | ||
*** Including revoked intermediate certificates that [[CA:ImprovingRevocation#When_To_Notify_Mozilla|should be added to OneCRL]] | *** Including revoked intermediate certificates that [[CA:ImprovingRevocation#When_To_Notify_Mozilla|should be added to OneCRL]] | ||
* CAs should '''not''' add records for: | * CAs should '''not''' add records for: | ||