Confirmed users, Administrators
5,526
edits
CA/Required or Recommended Practices: Difference between revisions
CA/Required or Recommended Practices (view source)
Revision as of 16:48, 23 October 2018
, 23 October 2018Changed 'must' to 'should' to avoid setting new requirements in this section -- new requirements should be introduced as policy updates
(Added warning that future policy may forbid the use of 'No Stipulation'. Also added another example.) |
(Changed 'must' to 'should' to avoid setting new requirements in this section -- new requirements should be introduced as policy updates) |
||
| Line 31: | Line 31: | ||
** Note that Mozilla's root store policy may be updated soon to forbid the use of "No Stipulation" in CP/CPS documents. | ** Note that Mozilla's root store policy may be updated soon to forbid the use of "No Stipulation" in CP/CPS documents. | ||
* The words "''Not applicable''" are acceptable to indicate that the CA’s policies forbid the practice that is the title of the section. Language similar to “We do not perform <subject of the section>” is preferred. | * The words "''Not applicable''" are acceptable to indicate that the CA’s policies forbid the practice that is the title of the section. Language similar to “We do not perform <subject of the section>” is preferred. | ||
* Sections | * Sections should not be left blank. The purpose of "No Stipulation" is to make it clear that the omission of content was intentional. | ||
** Note that Mozilla's root store policy may be updated soon to forbid blank sections in CP/CPS documents. | |||
* If a full description of a section is repeated elsewhere in the document, language similar to “Refer to Section 1.2.3” is preferred. Cross-referencing between CP and CPS documents is acceptable as long as both documents are published on your CA's website, and the CP and CPS documents clearly indicate which root certificates they govern. | * If a full description of a section is repeated elsewhere in the document, language similar to “Refer to Section 1.2.3” is preferred. Cross-referencing between CP and CPS documents is acceptable as long as both documents are published on your CA's website, and the CP and CPS documents clearly indicate which root certificates they govern. | ||
| Line 37: | Line 38: | ||
* If your CA does not allow a particular domain validation method to be used, then the CP or CPS should say that, e.g. "This method of domain validation is not used". | * If your CA does not allow a particular domain validation method to be used, then the CP or CPS should say that, e.g. "This method of domain validation is not used". | ||
* If your CP delegates requirements to one or more CPSs, then the CP should state "Refer to CPS". | * If your CP delegates requirements to one or more CPSs, then the CP should state "Refer to CPS". | ||
* The BRs do not allow certificate suspension, so the CA’s CPS | * The BRs do not allow certificate suspension, so the CA’s CPS should state that certificate suspension is not allowed for SSL certs, and then the other sections related to suspension should say “Not applicable”. | ||
* If your CA does not issue SSL certs containing IP addresses, then section 3.2.2.5, ‘Authentication for an IP Address’ in your CP or CPS should say that such certificate issuance is not allowed; e.g. “No IP address certificates are issued under this CPS.” | * If your CA does not issue SSL certs containing IP addresses, then section 3.2.2.5, ‘Authentication for an IP Address’ in your CP or CPS should say that such certificate issuance is not allowed; e.g. “No IP address certificates are issued under this CPS.” | ||
* If your CP contains the full description of section 5, then the CPS may say "As stipulated in section 5 of the CP". (This assumes that the CP is also published on your website, and the CP and CPS documents clearly indicate which root certificates they govern.) | * If your CP contains the full description of section 5, then the CPS may say "As stipulated in section 5 of the CP". (This assumes that the CP is also published on your website, and the CP and CPS documents clearly indicate which root certificates they govern.) | ||