(Added draft Process for Considering Externally Operated Subordinate CAs)
m (→Required Documentation: Changed formatting and "should)
Line 130: | Line 130: | ||
The root CA operator must submit an auditor’s key generation report for the key pair that is signed by the root CA. It is also the root CA operator’s obligation to provide audit statements for the subCA. The key generation report and relevant audit statement(s) should be uploaded to the bug in Bugzilla and referenced in the subCA’s record in the CCADB. | The root CA operator must submit an auditor’s key generation report for the key pair that is signed by the root CA. It is also the root CA operator’s obligation to provide audit statements for the subCA. The key generation report and relevant audit statement(s) should be uploaded to the bug in Bugzilla and referenced in the subCA’s record in the CCADB. | ||
SubCA audits | SubCA audits MUST follow the same audit rules as for root CAs. If the subCA is new, it need only supply a type-1 (point-in-time) audit statement to Mozilla prior to approval. The new subCA certificate must appear in subsequent type-2 (period-of-time) audit statements, but is not required to appear on the statements submitted to Mozilla for approval, so long as the root CA asserts that the subCA will be operated within the scope of the supplied audit statements. For more information, see Mozilla’s Policy about Third-Party Subordinate CAs. | ||
Prior to public discussion, the root CA operator must confirm that it has verified all of the following information, which must be provided when the root CA operator starts the public discussion in Mozilla’s dev-security-policy mailing list. | Prior to public discussion, the root CA operator must confirm that it has verified all of the following information, which must be provided when the root CA operator starts the public discussion in Mozilla’s dev-security-policy mailing list. | ||
1. External Third Party’s Full Legal Name | 1. External Third Party’s Full Legal Name | ||
2. External Third Party’s Website URL | 2. External Third Party’s Website URL | ||
3. Expected CA hierarchy under the subCA | 3. Expected CA hierarchy under the subCA | ||
4. Audits - If the root CA audits do not include the SHA256 hash for this subCA, then provide a publishable statement or letter from an auditor that meets the requirements of Mozilla's Root Store Policy. | 4. Audits - If the root CA audits do not include the SHA256 hash for this subCA, then provide a publishable statement or letter from an auditor that meets the requirements of Mozilla's Root Store Policy. | ||
5. Links to the subCA’s current CP/CPS | 5. Links to the subCA’s current CP/CPS | ||
6. The CA must review the subCA’s CP/CPS for required and prohibited practices. | 6. The CA must review the subCA’s CP/CPS for required and prohibited practices. | ||
After a minimum of 3 weeks have passed, a Mozilla representative will announce a one-week “last call” for objections. Mozilla may determine to extend public discussion, or approve or reject the subCA. If the subCA is approved, Mozilla will indicate in the appropriate fields of the CCADB that the public discussion process has taken place and that it has been approved as an externally operated CA. Issuance of end entity certificates from the subCA may then commence. If the subCA is rejected, then any existing subCA certificate will be added to OneCRL. | After a minimum of 3 weeks have passed, a Mozilla representative will announce a one-week “last call” for objections. Mozilla may determine to extend public discussion, or approve or reject the subCA. If the subCA is approved, Mozilla will indicate in the appropriate fields of the CCADB that the public discussion process has taken place and that it has been approved as an externally operated CA. Issuance of end entity certificates from the subCA may then commence. If the subCA is rejected, then any existing subCA certificate will be added to OneCRL. |
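Review bot: the new "SubCA audits" paragraph (right column, second row of the hunk) appears to conflict with item 4 of the pre-discussion checklist in the same hunk. Item 4 requires a publishable auditor statement or letter whenever the root CA audits do not include the subCA's SHA256 hash, whereas the new text allows the subCA to be absent from the audit statements submitted for approval as long as the root CA asserts that it will be operated within their scope. Suggest stating which of the two governs, for example by extending item 4 with "or the type-1 (point-in-time) audit statement described under SubCA audits", so that the assertion clause cannot be read as waiving the auditor letter. Two smaller points in the same paragraph: "For more information, see Mozilla's Policy about Third-Party Subordinate CAs." carries no link or section reference, in a text that otherwise names where each artifact lives (Bugzilla, CCADB, dev-security-policy); and "subsequent type-2 (period-of-time) audit statements" sets no deadline for the subCA's first appearance, so consider tying it to the next period-of-time audit that covers the date of the subCA's first issuance.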