mNo edit summary |
Line 12: | Line 12: | ||
-- | -- | ||
== Draft from March 2012 to | == Draft from March 2012 to May 2012 == | ||
* 9. Each externally-operated subordinate CA must '''either''' be audited in accordance with Mozilla's CA Certificate Policy '''or''' be technically constrained. Any external third party that can directly cause the issuance of a certificate must be treated as an externally-operated subordinate CA. All externally-operated subordinate CA certificates must include pathLenConstraint in the Basic Constraints extension, and the path length must be consistent with the contract between the CA and the subordinate CA. | * 9. Each externally-operated subordinate CA must '''either''' be audited in accordance with Mozilla's CA Certificate Policy '''or''' be technically constrained. Any external third party that can directly cause the issuance of a certificate must be treated as an externally-operated subordinate CA. All externally-operated subordinate CA certificates must include pathLenConstraint in the Basic Constraints extension, and the path length must be consistent with the contract between the CA and the subordinate CA. | ||
** Each externally-operated subordinate CA that is not technically constrained must be publicly disclosed, along with the subordinate CA's corresponding Certificate Policy or Certification Practice Statement and public attestation of the subordinate CA's conformance to the stated certificate verification requirements and other operational criteria by a competent independent party or parties with access to details of the subordinate CA's internal operations. The subordinate CA's certificate verification requirements and operational criteria must satisfy the requirements of Mozilla's CA Certificate Policy. The CA's Certificate Policy or Certification Practice Statement must indicate where the list of publicly disclosed subordinate CAs may be found on the CA's website. | ** Each externally-operated subordinate CA that is not technically constrained must be publicly disclosed, along with the subordinate CA's corresponding Certificate Policy or Certification Practice Statement and public attestation of the subordinate CA's conformance to the stated certificate verification requirements and other operational criteria by a competent independent party or parties with access to details of the subordinate CA's internal operations. The subordinate CA's certificate verification requirements and operational criteria must satisfy the requirements of Mozilla's CA Certificate Policy. The CA's Certificate Policy or Certification Practice Statement must indicate where the list of publicly disclosed subordinate CAs may be found on the CA's website. |