CA/CertificatePolicyV2.1: Difference between revisions

Line 71: Line 71:
#* A subordinate CA certificate that transitively chains to an included trust anchor that has the Code Signing and/or websites (SSL/TLS) trust bit(s) enabled must '''either''' include an EKU extension and constraints as per item #9 of [http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy], '''or''' must be audited and publicly disclosed as per item #10 of [http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy].
#* A subordinate CA certificate that transitively chains to an included trust anchor that has the Code Signing and/or websites (SSL/TLS) trust bit(s) enabled must '''either''' include an EKU extension and constraints as per item #9 of [http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy], '''or''' must be audited and publicly disclosed as per item #10 of [http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy].
# The transition of some subordinate CAs to Technical Constraints (as per #9 of [http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy]) has been accomplished by creating a new CA hierarchy, so the old subordinate CA certificate remains in 'CRL/OCSP only' mode until all certificates in the old hierarchy have expired. Do we need to disclose the old subordinate CA certificates that are being phased out and are in 'CRL/OCSP only' mode?
# The transition of some subordinate CAs to Technical Constraints (as per #9 of [http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy]) has been accomplished by creating a new CA hierarchy, so the old subordinate CA certificate remains in 'CRL/OCSP only' mode until all certificates in the old hierarchy have expired. Do we need to disclose the old subordinate CA certificates that are being phased out and are in 'CRL/OCSP only' mode?
#* For each subordinate CA certificate that is being phased out and is in 'CRL/OCSP only' mode, please provide the following information: Name of SubCA (optional), SubCA Cert Hash (SHA1), SubCA Cert Key Id Hash (SHA1), SubCA Cert Subject Key Identifier, SubCA Cert Serial Number, Date of Last Cert Issuance, Date of Last Cert Expiration.
#* For each subordinate CA certificate that is being phased out and is in 'CRL/OCSP only' mode, please provide the following information: Name of SubCA (optional), SubCA Cert Hash (SHA1 or SHA256), SubCA Cert Key Id Hash (SHA1 or SHA256), SubCA Cert Subject Key Identifier, SubCA Cert Serial Number, Date of Last Cert Issuance, Date of Last Cert Expiration.
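Review bot: In the revised bullet, "SubCA Cert Hash (SHA1 or SHA256)" and "SubCA Cert Key Id Hash (SHA1 or SHA256)" now accept either algorithm, but the line does not ask the CA to state which one was used for each value. Suggest asking submitters to label the algorithm next to each hash, so that disclosed entries using different algorithms are not compared against each other by mistake. The other requested fields (Subject Key Identifier, Serial Number, dates of last issuance and expiration) are unchanged between the two revisions.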