Line 13: | Line 13: | ||
Certificates issued before February 15, 2013, must at least meet the requirements of [http://www.mozilla.org/projects/security/certs/policy/ Version 2.0 of Mozilla's CA Certificate Policy.] | Certificates issued before February 15, 2013, must at least meet the requirements of [http://www.mozilla.org/projects/security/certs/policy/ Version 2.0 of Mozilla's CA Certificate Policy.] | ||
Any Certificate Authority requesting root inclusion after February 15, 2013 must comply with [http://www.mozilla.org/projects/security/certs/policy | Any Certificate Authority requesting root inclusion after February 15, 2013 must comply with [http://www.mozilla.org/projects/security/certs/policy Version 2.1 of Mozilla's CA Certificate Policy.] | ||
CAs that were already included in Mozilla's program as of February 15, 2013 shall comply with version 2.1 of the [http://www.mozilla.org/projects/security/certs/policy | CAs that were already included in Mozilla's program as of February 15, 2013 shall comply with version 2.1 of the [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Inclusion Policy] as follows. Audits performed after the dates listed below should confirm the CA's compliance with the new policy. | ||
=== Audit Criteria === | === Audit Criteria === | ||
[http://www.mozilla.org/projects/security/certs/policy | [http://www.mozilla.org/projects/security/certs/policy/ Version 2.1 of Mozilla's CA Certificate Policy] adds the requirement that SSL certificate issuance also be audited according to the CA/Browser Forum's Baseline Requirements. CAs with a root certificate that has the websites (SSL/TLS) trust bit enabled in Mozilla's CA Certificate Program shall have their SSL certificate issuance and operations audited according to the Baseline Requirements between February 15, 2013, and February 15, 2014. | ||
Audits performed for audit periods commencing before February 15, 2013, must be performed at least according to the criteria listed in [http://www.mozilla.org/projects/security/certs/policy/ Version 2.0 of Mozilla's CA Certificate Policy.] Additionally, if SSL certificates are issued, audits performed for audit periods commencing before February 15, 2013, must also be performed according to the Baseline Requirements audit criteria (WebTrust SSL Baseline Requirements Audit Criteria V.1.1, or ETSI TS 102 042 V2.3.1 DVCP and OVCP) as to CA operations occurring on or after February 15, 2013. If the Baseline Requirements audit would only apply to 120 days or less, then a Point in Time audit may be performed. At the CA's option, the Baseline Requirements audit may cover the entire audit period. | Audits performed for audit periods commencing before February 15, 2013, must be performed at least according to the criteria listed in [http://www.mozilla.org/projects/security/certs/policy/ Version 2.0 of Mozilla's CA Certificate Policy.] Additionally, if SSL certificates are issued, audits performed for audit periods commencing before February 15, 2013, must also be performed according to the Baseline Requirements audit criteria (WebTrust SSL Baseline Requirements Audit Criteria V.1.1, or ETSI TS 102 042 V2.3.1 DVCP and OVCP) as to CA operations occurring on or after February 15, 2013. If the Baseline Requirements audit would only apply to 120 days or less, then a Point in Time audit may be performed. At the CA's option, the Baseline Requirements audit may cover the entire audit period. | ||
Audits performed for audit periods commencing on or after February 15, 2013, must be performed according to the criteria listed in [http://www.mozilla.org/projects/security/certs/policy | Audits performed for audit periods commencing on or after February 15, 2013, must be performed according to the criteria listed in [http://www.mozilla.org/projects/security/certs/policy/ Version 2.1 of Mozilla's CA Certificate Policy] as to all CA operations during the audit period. | ||
=== Multi-Factor Authentication and CA Hierarchy === | === Multi-Factor Authentication and CA Hierarchy === | ||
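Review bot: the links to Version 2.1 of the CA Certificate Policy in this hunk use two different URL forms: the "Any Certificate Authority requesting root inclusion" line now links to http://www.mozilla.org/projects/security/certs/policy with no trailing slash, while the Audit Criteria paragraph and the "on or after February 15, 2013" paragraph link to http://www.mozilla.org/projects/security/certs/policy/ with one. Pick a single form so every reference to Version 2.1 resolves to the same target; the InclusionPolicy.html link on the "CAs that were already included" line already matches the form used in the next hunk.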
Line 37: | Line 37: | ||
Items #8, 9, and 10 of the [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Inclusion Policy] describe how intermediate certificates must either be technically constrained '''or''' audited and disclosed. | Items #8, 9, and 10 of the [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Inclusion Policy] describe how intermediate certificates must either be technically constrained '''or''' audited and disclosed. | ||
* All subordinate CA certificates that are issued after May 15, 2013 must comply with version 2.1 of the [http://www.mozilla.org/projects/security/certs/policy | * All subordinate CA certificates that are issued after May 15, 2013 must comply with version 2.1 of the [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Inclusion Policy] | ||
* All pre-existing subordinate CA certificates must be updated to comply with version 2.1 of the [http://www.mozilla.org/projects/security/certs/policy | * All pre-existing subordinate CA certificates must be updated to comply with version 2.1 of the [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Inclusion Policy] for new certificate issuance by May 15, 2014. | ||
* All certificates that are capable of being used to issue new certificates must comply with version 2.1 of the [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Inclusion Policy] for new certificate issuance by May 15, 2014. | * All certificates that are capable of being used to issue new certificates must comply with version 2.1 of the [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Inclusion Policy] for new certificate issuance by May 15, 2014. | ||
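Review bot: the second and third bullets overlap. A pre-existing subordinate CA certificate is also a certificate "capable of being used to issue new certificates", and both bullets carry the same "for new certificate issuance by May 15, 2014" deadline, so the third bullet restates the second unless it is meant to reach certificates that are not subordinate CA certificates. Either state that distinction or merge the two bullets. The first bullet is also missing the terminal period that the other two have.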