m (→Responses) |
|||
Line 49: | Line 49: | ||
Response Key: | Response Key: | ||
* IP = "In Progress" | * IP = "In Progress" | ||
* ? = I need further clarification on the response | * ? = I need further clarification on the response | ||
Line 56: | Line 54: | ||
** N/A for Action #2 means that the CP/CPS does not allow for externally-operated subCAs. | ** N/A for Action #2 means that the CP/CPS does not allow for externally-operated subCAs. | ||
** N/A for Action #3 means that the CA is not issuing EV certs under the roots included in NSS. | ** N/A for Action #3 means that the CA is not issuing EV certs under the roots included in NSS. | ||
* Responses to action #1 can be one or more of the following. If option C is listed, there is also a date by which the CA plans to complete their investigation and provide further information. | |||
** A) Does not apply, because the CA does not have externally-operated subCAs chaining to roots in NSS. | |||
** B) SubCAs are technically and/or contractually restricted to only issue certificates to domains that they legitimately own or control, and they are specifically not allowed to use their subordinate certificates for the purpose of MITM. | |||
** C) We are reviewing all of our subCAs and will take the necessary action by <date>. | |||
** D) We have revoked such subCA certificates, and here is the requested information. | |||
** E) SubCAs are publicly disclosed to Mozilla, audited by a competent party (per Mozilla’s CA Certificate Policy) whose audit result has been publicly disclosed to Mozilla, and technically and/or contractually restricted to issue certificates in full compliance with Mozilla's CA Certificate Policy. SubCAs are specifically not allowed to use their subordinate certificates for the purpose of MITM. | |||
=== September 8, 2011 === | === September 8, 2011 === |
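Review bot: the hunk at Line 56 / Line 54 has the whole A) to E) key for Action #1 responses in the left column only, while the N/A notes for Actions #2 and #3 stay on both sides. If the response entries further down still use those letters, readers can no longer tell what "B" or "E" commits a CA to regarding externally-operated subCAs and MITM use, so either keep the key or move it next to the entries that use it. The edit is also flagged minor ("m") although it drops six lines of explanatory content; a summary saying where the key went would help anyone auditing the page history.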