CA/Subordinate CA Checklist: Difference between revisions

→‎Non-disclosable Intermediate Certificates: Added clarification that other root store policies and CCADB may require disclosure.
(6 intermediate revisions by 2 users not shown)
Line 72:
In order to best ensure the safety and security of Mozilla users, Mozilla has a single consistent [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy policy] that describes the expectations for all CAs that will be trusted within its program. Mozilla requires that all participating root CAs fully disclose their hierarchy, including CP, CPS, and audits, when said hierarchy is capable of issuance.


If you have intermediate certificates for which you cannot disclose this information, whether it be for personal, operational, or legal reasons, then an appropriate solution, consistent with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#53-intermediate-certificates Mozilla Root Store Policy], is to use Technically Constrained Subordinate CAs (TCSCAs) - as defined within the CA/Browser Forum's Baseline Requirements and as reflected within Mozilla's policy. Such TCSCAs are technically limited from the issuance of TLS/SSL certificates, and by doing so, are allowed to be operated without [https://www.ccadb.org/cas/intermediates full public disclosure of their CP, CPS, and audit documentation].
If you have intermediate certificates for which you cannot disclose this information, whether it be for personal, operational, or legal reasons, then an appropriate solution, consistent with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#53-intermediate-certificates Mozilla Root Store Policy], is to use Technically Constrained Subordinate CAs (TCSCAs) - as defined within the CA/Browser Forum's Baseline Requirements and as reflected within Mozilla's policy. Such TCSCAs are technically limited from the issuance of TLS server or email certificates. For example, if these subCAs are not used for the production of TLS/SSL or email certificates, then you can make use of the Extended Key Usage extension on the sub-CA to ensure it is present, and that it *lacks* the id-kp-serverAuth, id-kp-emailProtection, and anyExtendedKeyUsage extensions. (CAVEAT: Public disclosure in the CCADB might still be required by other root store programs. See [https://www.ccadb.org/policy#4-intermediate-certificates Section 4 of the CCADB Policy].)
 
For example, if these subCAs are not used for the production of TLS/SSL certificates, but only identity certificates, then you can make use of the Extended Key Usage extension on the sub-CA to ensure it is present, and that it *lacks* the id-kp-serverAuth and anyExtendedKeyUsage extensions.
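As an added illustration (not part of the wiki page and not Mozilla's or the CCADB's own tooling) of the EKU condition described above, the following Python script decodes an Extended Key Usage extension value and reports whether a sub-CA satisfies it: the extension must be present, and it must not contain id-kp-serverAuth, id-kp-emailProtection or anyExtendedKeyUsage. The minimal DER encoder/decoder and the sample EKU values are constructed here so the script runs offline; in practice the raw bytes would be taken from the certificate's extension with OID 2.5.29.37 using an X.509 library, which is assumed and not shown. The script checks only the EKU condition from this paragraph, not the remaining requirements of the linked policy sections.

```python
"""Check whether a sub-CA's Extended Key Usage (EKU) extension is present and
names none of the purposes that would make it TLS- or email-capable.

Added example; the DER helpers and sample values below are constructed for
illustration. Real input is the DER value of extension 2.5.29.37."""
from typing import List, Optional, Tuple

# Key purpose OIDs named in the checklist text (RFC 5280 section 4.2.1.12).
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"
DISQUALIFYING = {ID_KP_SERVER_AUTH, ID_KP_EMAIL_PROTECTION, ANY_EXTENDED_KEY_USAGE}

# Other purposes, used only to build sample input for a constrained sub-CA.
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _base128(n: int) -> bytes:
    """Base-128 encoding of one OID arc, high bit set on all but the last byte."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _der_length(len(body)) + body


def encode_eku(oids: List[str]) -> bytes:
    """Encode ExtKeyUsageSyntax: a DER SEQUENCE (tag 0x30) of key purpose OIDs."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets back to dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]  # first two arcs are packed as 40*X+Y (X is 0, 1 or 2)
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def decode_eku(der: bytes) -> List[str]:
    """Return the list of key purpose OIDs in an EKU extension value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value is not a single DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, oid_body, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("non-OID element inside EKU SEQUENCE")
        oids.append(decode_oid(oid_body))
    return oids


def eku_is_constraining(eku_der: Optional[bytes]) -> Tuple[bool, List[str]]:
    """(ok, reasons): ok only if EKU is present, non-empty, and lacks every
    disqualifying purpose. An absent EKU leaves the sub-CA unconstrained."""
    if eku_der is None:
        return False, ["EKU extension absent: sub-CA is not technically constrained"]
    present = decode_eku(eku_der)
    if not present:
        return False, ["EKU extension present but empty (RFC 5280 requires >= 1 purpose)"]
    bad = [o for o in present if o in DISQUALIFYING]
    return not bad, [f"disqualifying key purpose present: {o}" for o in bad]


if __name__ == "__main__":
    # Constructed sample values: a sub-CA limited to client auth and code
    # signing passes; one that also carries serverAuth, or anyEKU, does not.
    for label, value in [
        ("clientAuth+codeSigning", encode_eku([ID_KP_CLIENT_AUTH, ID_KP_CODE_SIGNING])),
        ("serverAuth+clientAuth", encode_eku([ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH])),
        ("anyExtendedKeyUsage", encode_eku([ANY_EXTENDED_KEY_USAGE])),
        ("no EKU extension", None),
    ]:
        print(label, eku_is_constraining(value))
```

When run against a real certificate, a result of `(True, [])` shows only that the EKU condition from this paragraph holds; disclosure obligations under other root store programs and the CCADB policy still apply regardless of the EKU contents.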


Alternatively, you can consider restructuring a CA hierarchy such that you have