Confirmed users, Administrators
5,526
edits
CA/Subordinate CA Checklist: Difference between revisions
Jump to navigation
Jump to search
→Subordinate CAs Operated by Third Parties For External Use
| Line 29: | Line 29: | ||
#* email address ownership/control | #* email address ownership/control | ||
#* digitally signing code objects -- entity submitting the certificate signing request is the same entity referenced in the certificate | #* digitally signing code objects -- entity submitting the certificate signing request is the same entity referenced in the certificate | ||
# Identify if the SSL certificates chaining up to the sub-CA | # Identify if the SSL certificates chaining up to the sub-CA are DV and/or OV. Some of the potentially problematic practices, only apply to DV certificates. | ||
#* DV: Organization attribute is not verified. Only the Domain Name referenced in the certificate is verified to be owned/controlled by the subscriber. | #* DV: Organization attribute is not verified. Only the Domain Name referenced in the certificate is verified to be owned/controlled by the subscriber. | ||
#* OV: Both the Organization and the ownership/control of the Domain Name are verified. | #* OV: Both the Organization and the ownership/control of the Domain Name are verified. | ||
# Review the CP/CPS for | # Review the CP/CPS for [http://wiki.mozilla.org/CA:Problematic_Practices Potentially Problematic Practices.] Provide further info when a potentially problematic practice is found. | ||
# If the root CA audit does not include this sub-CA, then for this sub-CA provide a publishable statement or letter from an auditor that meets the requirements of sections 8, 9, and 10 of our [http://www.mozilla.org/projects/security/certs/policy/ Mozilla CA certificate policy] | # If the root CA audit does not include this sub-CA, then for this sub-CA provide a publishable statement or letter from an auditor that meets the requirements of sections 8, 9, and 10 of our [http://www.mozilla.org/projects/security/certs/policy/ Mozilla CA certificate policy.] | ||
# Provide information about the CRL update frequency for end-entity certificates. There should be a statement in the CP/CPS to the effect that the CRL for end-entity certs is updated whenever a cert is revoked, and at least every 24 or 36 hours. | # Provide information about the CRL update frequency for end-entity certificates. There should be a statement in the CP/CPS that the sub-CA must follow to the effect that the CRL for end-entity certs is updated whenever a cert is revoked, and at least every 24 or 36 hours. | ||