CA/CertificatePolicyV2.1: Difference between revisions

Line 30: Line 30:
=== Multi-Factor Authentication and CA Hierarchy ===
=== Multi-Factor Authentication and CA Hierarchy ===


In item #6 of the [[CA:CertInclusionPolicyV2.1 | Inclusion Policy]] a requirement was added for CAs to enforce multi-factor authentication for all accounts capable of directly causing certificate issuance. This requirement was [[CA:Communications#September_8.2C_2011 | previously communicated,]] so all CAs are expected to already be in compliance with this requirement.  
In item #6 of [http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy] a requirement was added for CAs to enforce multi-factor authentication for all accounts capable of directly causing certificate issuance. This requirement was [[CA:Communications#September_8.2C_2011 | previously communicated,]] so all CAs are expected to already be in compliance with this requirement.  


In item #6 of the [[CA:CertInclusionPolicyV2.1 | Inclusion Policy]] a requirement was added for CAs to maintain a certificate hierarchy such that the included certificate does not directly issue end-entity certificates to customers (e.g., the included certificate signs intermediate issuing certificates), as described in CA/Browser Forum Baseline Requirement (BR) #12.
In item #6 of [http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy] a requirement was added for CAs to maintain a certificate hierarchy such that the included certificate does not directly issue end-entity certificates to customers (e.g., the included certificate signs intermediate issuing certificates), as described in CA/Browser Forum Baseline Requirement (BR) #12.
* This requirement and the exceptions listed in BR #12 apply to SSL/TLS, S/MIME, and Code Signing certificates.  
* This requirement and the exceptions listed in BR #12 apply to SSL/TLS, S/MIME, and Code Signing certificates.  
* Root certificates and trust anchors that are already included in NSS will be granted the time necessary to transition their existing customers to a new hierarchy. If needed, the CA shall create a new root certificate within the next year (before February 2014) and actively work to include the new root certificate in Mozilla's program and transition their customers to the new hierarchy.
* Root certificates and trust anchors that are already included in NSS will be granted the time necessary to transition their existing customers to a new hierarchy. If needed, the CA shall create a new root certificate within the next year (before February 2014) and actively work to include the new root certificate in Mozilla's program and transition their customers to the new hierarchy.
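Review bot: In both changed paragraphs the new link target is a plain http:// URL that carries no policy version, while the link it replaces, [[CA:CertInclusionPolicyV2.1 | Inclusion Policy]], pointed at a page named for version 2.1. Because the text cites "item #6" by number, a later renumbering of the live policy would silently make this reference wrong. Consider using the https:// form of the URL and naming the policy version in the link text (for example "Mozilla's CA Certificate Inclusion Policy, version 2.1") so readers can tell which revision "item #6" refers to.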