Confirmed users, Administrators
5,526
edits
CA/Forbidden or Problematic Practices: Difference between revisions
Jump to navigation
Jump to search
m
CA/Forbidden or Problematic Practices (view source)
Revision as of 19:13, 20 November 2009
, 20 November 2009→Issuing Certificates for Internal Domains
| Line 69: | Line 69: | ||
If you issue certificates for internal domains within your CA hierarchy, Mozilla requests that you take the following actions: | If you issue certificates for internal domains within your CA hierarchy, Mozilla requests that you take the following actions: | ||
#Perform an internal audit to look for certificates that have been issued within your CA hierarchy which have .int domain names in the Common Name and/or as DNS Names in the subjectAlternativeName. For each of these certificates, check to see if the certificate subscriber owns/controls that domain name, and revoke the certificate if they do not own/control that domain name. | # Perform an internal audit to look for certificates that have been issued within your CA hierarchy which have .int domain names in the Common Name and/or as DNS Names in the subjectAlternativeName. For each of these certificates, check to see if the certificate subscriber owns/controls that domain name, and revoke the certificate if they do not own/control that domain name. | ||
#Review your controls/procedures (both internally and your RAs) for correct identification of internal and external domain names and verification that subscribers own/control the domain name to be included in their certificate. Please refer to these documents: | # Review your controls/procedures (both internally and your RAs) for correct identification of internal and external domain names and verification that subscribers own/control the domain name to be included in their certificate. Please refer to these documents: | ||
#*Section 7 of [http://www.mozilla.org/projects/security/certs/policy/ Mozilla’s CA Certificate Policy], which states that CAs need to take reasonable measures to verify that the entity submitting the certificate signing request owns/controls the domain to be referenced in the certificate. | #* Section 7 of [http://www.mozilla.org/projects/security/certs/policy/ Mozilla’s CA Certificate Policy], which states that CAs need to take reasonable measures to verify that the entity submitting the certificate signing request owns/controls the domain to be referenced in the certificate. | ||
#* [[CA:Recommended_Practices | #* [[CA:Recommended_Practices|Recommended practices for CAs]] | ||
Mozilla also recommends that you | Mozilla also recommends that you | ||
# Implement automated checks to signal a red flag for domains such as .int and null characters in the Common Name and subjectAlternativeName of certificates. | # Implement automated checks to signal a red flag for domains such as .int and null characters in the Common Name and subjectAlternativeName of certificates. | ||
#Track the [http://www.icann.org/en/registries/top-level-domains.htm ICANN list of TLDs] and update your procedures as necessary when new TLDs are approved. | # Track the [http://www.icann.org/en/registries/top-level-domains.htm ICANN list of TLDs] and update your procedures as necessary when new TLDs are approved. | ||
== Other considerations when updating the CA Certificate Policy == | == Other considerations when updating the CA Certificate Policy == | ||