CA/Subordinate CA Checklist: Difference between revisions

Line 47: Line 47:
# Sub-CA Corporate URL
# Sub-CA Corporate URL
# Sub-CA cert download URL
# Sub-CA cert download URL
# URL to a test website whose SSL certificate chains up to this Sub-CA's certificate (if this Sub-CA is allowed to issue SSL certificates)
# General CA hierarchy under the sub-CA.
# General CA hierarchy under the sub-CA.
# Sub-CA CP/CPS Links
# Sub-CA CP/CPS Links
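Review bot: the new "URL to a test website whose SSL certificate chains up to this Sub-CA's certificate" item overlaps with the later OCSP item, which also asks for "the url to a website whose SSL cert chains up to this sub-CA and has the AIA extension referencing the OCSP responder"; either cross-reference the two so the requester supplies one URL that serves both checks, or state here that the test site's certificate should carry the AIA extension when the sub-CA runs an OCSP responder. The parenthetical "(if this Sub-CA is allowed to issue SSL certificates)" would read more clearly as a leading condition, matching how the hierarchy and CP/CPS items are phrased.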
Line 53: Line 54:
#* email address ownership/control  
#* email address ownership/control  
#* digitally signing code objects -- entity submitting the certificate signing request is the same entity referenced in the certificate  
#* digitally signing code objects -- entity submitting the certificate signing request is the same entity referenced in the certificate  
# Identify if the SSL certificates chaining up to the sub-CA are DV and/or OV. Some of the potentially problematic practices, only apply to DV certificates.  
# Identify if the SSL certificates chaining up to the sub-CA are DV, OV, and/or EV.  
#* DV: Organization attribute is not verified. Only the Domain Name referenced in the certificate is verified to be owned/controlled by the subscriber.  
#* DV: Organization attribute is not verified. Only the Domain Name referenced in the certificate is verified to be owned/controlled by the subscriber.  
#* OV: Both the Organization and the ownership/control of the Domain Name are verified.  
#* OV: Both the Organization and the ownership/control of the Domain Name are verified.  
# Review the CP/CPS for [http://wiki.mozilla.org/CA:Problematic_Practices Potentially Problematic Practices.] Provide further info when a potentially problematic practice is found.
# Review the CP/CPS for [http://wiki.mozilla.org/CA:Problematic_Practices Potentially Problematic Practices.] Provide further info when a potentially problematic practice is found.
# If the root CA audit does not include this sub-CA, then for this sub-CA provide a publishable statement or letter from an auditor that meets the requirements of sections 11, 12, 13, and 14 of [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Mozilla's CA Certificate Inclusion policy.]
# If the root CA audit does not include this sub-CA, then for this sub-CA provide a publishable statement or letter from an auditor that meets the requirements of sections 11, 12, 13, and 14 of [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Mozilla's CA Certificate Inclusion policy.]
# Provide information about the CRL update frequency for end-entity certificates. There should be a statement in the CP/CPS that the sub-CA must follow to the effect that the CRL for end-entity certs is updated whenever a cert is revoked, and at least every 24 or 36 hours.
# If this sub-CA provides OCSP, then a test must be done to make sure that their OCSP responder works within the Firefox browser. Provide the url to a website whose SSL cert chains up to this sub-CA and has the AIA extension referencing the OCSP responder. The Mozilla representative will perform the following check:
#* Enforce OCSP in Firefox:  Tools->Options…->Advanced->Encryption->Validation
#* Select the box for “When an OCSP server connection fails, treat the certificate as invalid”
#* Browse to the given url. Ensure that the website loads without error into Firefox, and that it's SSL cert chains up to the sub-CA and references the OCSP responder in the AIA extension.
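Review bot: the changed line "Identify if the SSL certificates chaining up to the sub-CA are DV, OV, and/or EV." adds EV as an option, but the sub-bullets that follow still define only DV and OV; add an "#* EV:" bullet stating what EV verification covers beyond OV so the reader knows what to confirm for that case. The removed sentence "Some of the potentially problematic practices, only apply to DV certificates." was the only place the checklist explained why the DV/OV distinction matters for the next item, "Review the CP/CPS for Potentially Problematic Practices"; if that rationale still holds, keep it (with the stray comma dropped) rather than deleting it.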