Line 3: | Line 3: | ||
== Purpose of this update == | == Purpose of this update == | ||
Mozilla is working towards stronger controls and visibility of publicly-trusted issuing certificates in order to make better trust decisions, detect security incidents faster, and limit the impact of each security incident. [[CA:CertPolicyV2.1 | Version 2.1 of Mozilla's CA Certificate Policy]] encourages CAs to technically constrain subordinate CA certificates using RFC 5280 extensions that are specified directly in the intermediate certificate and controlled by crypto code (e.g. NSS). We recognize that technically constraining subordinate CA certificates may not be practical in some cases, so the subordinate CA certificates that are not technically constrained will have to be audited in accordance with [ | Mozilla is working towards stronger controls and visibility of publicly-trusted issuing certificates in order to make better trust decisions, detect security incidents faster, and limit the impact of each security incident. [[CA:CertPolicyV2.1 | Version 2.1 of Mozilla's CA Certificate Policy]] encourages CAs to technically constrain subordinate CA certificates using RFC 5280 extensions that are specified directly in the intermediate certificate and controlled by crypto code (e.g. NSS). We recognize that technically constraining subordinate CA certificates may not be practical in some cases, so the subordinate CA certificates that are not technically constrained will have to be audited in accordance with [http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy] and publicly disclosed. | ||
Additionally, Version 2.1 of Mozilla's CA Certificate Policy requires CAs to update their operations and SSL certificate issuance to comply with [https://cabforum.org/baseline-requirements-documents/ version 1.1 of the CA/Browser Forum Baseline Requirements.] The CA/Browser Forum Baseline Requirements (BRs) provide a foundation for best practices across the industry by defining a single, consolidated set of essential standards for all SSL/TLS certificates. | Additionally, Version 2.1 of Mozilla's CA Certificate Policy requires CAs to update their operations and SSL certificate issuance to comply with [https://cabforum.org/baseline-requirements-documents/ version 1.1 of the CA/Browser Forum Baseline Requirements.] The CA/Browser Forum Baseline Requirements (BRs) provide a foundation for best practices across the industry by defining a single, consolidated set of essential standards for all SSL/TLS certificates. |
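Review bot: The link completed in the "Mozilla is working towards stronger controls" paragraph uses plain HTTP (http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/), while the Baseline Requirements link in the following paragraph already uses https://. Suggest switching the scheme to https:// so that the policy CAs are told they will be audited against is referenced over an authenticated connection and the two external links are consistent.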