Confirmed users, Administrators
5,526
edits
CA/Audit Statements: Difference between revisions
Jump to navigation
Jump to search
added note about OneCRL
(Removed "draft" because currently only listing existing requirements.) |
(added note about OneCRL) |
||
| Line 28: | Line 28: | ||
* Before being included and periodically thereafter, CAs MUST obtain certain audits for their root certificates and all of their intermediate certificates that are technically capable of issuing working server or email certificates. | * Before being included and periodically thereafter, CAs MUST obtain certain audits for their root certificates and all of their intermediate certificates that are technically capable of issuing working server or email certificates. | ||
* Full-surveillance period-of-time audits MUST be conducted and updated audit information provided no less frequently than annually from the time of CA key pair generation until the CA certificate is no longer trusted by Mozilla's root store. | * Full-surveillance period-of-time audits MUST be conducted and updated audit information provided no less frequently than annually from the time of CA key pair generation until the CA certificate is no longer trusted by Mozilla's root store. | ||
** Note: If a CA stops providing audit statements for a root certificate for any reason, then the certificate may be added to OneCRL in addition to being removed from Mozilla's root store. | |||
* Successive audits MUST be contiguous (no gaps). | * Successive audits MUST be contiguous (no gaps). | ||
* Point-in-time audit statements may be used to confirm that all of the problems that an auditor previously identified in a qualified audit statement have been corrected. However, a point-in-time audit does not replace the period-of-time audit. | * Point-in-time audit statements may be used to confirm that all of the problems that an auditor previously identified in a qualified audit statement have been corrected. However, a point-in-time audit does not replace the period-of-time audit. | ||