(→CP/CPS Documents will be Reviewed!: Added HARICA EV Review) |
(Edits based on MRSP v. 2.7.1) |
Line 11: | Line 11: | ||
* The format of the CP/CPS document must be PDF or another suitable format for reading documents. CAs should ''not'' use Microsoft Word or other formats intended primarily for editable documents. | * The format of the CP/CPS document must be PDF or another suitable format for reading documents. CAs should ''not'' use Microsoft Word or other formats intended primarily for editable documents. | ||
* The CP/CPS must be available in an English version. The non-English version may be authoritative (as that's the working language of the CA) but the CA is responsible for ensuring that the translation is not materially different from the authoritative version of the document. | * The CP/CPS must be available in an English version. The non-English version may be authoritative (as that's the working language of the CA) but the CA is responsible for ensuring that the translation is not materially different from the authoritative version of the document. | ||
* As part of the inclusion process and the Baseline Requirements | * As part of the inclusion process and the [https://wiki.mozilla.org/CA/BR_Self-Assessment Baseline Requirements Self-Assessment], CAs must provide references to the CP/CPS sections (e.g., by section number and/or page number) that address the requirements of Mozilla policy and the Baseline Requirements. | ||
===== CP/CPS Revision Table ===== | ===== CP/CPS Revision Table ===== | ||
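Review bot: the new sentence in the Line 11 hunk lets CAs cite CP/CPS sections "by section number and/or page number", but page numbers shift between revisions of the same PDF (and the bullet above already expects a PDF rather than an editable format), so a page-number-only reference goes stale as soon as the CA publishes an update; suggest requiring the section number and making the page number optional, e.g. "by section number (and optionally page number)", and stating which CP/CPS version the references apply to so reviewers can match them against the CP/CPS Revision Table that follows.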
Line 110: | Line 110: | ||
=== Audit Criteria === | === Audit Criteria === | ||
CAs must supply evidence of their being evaluated according to one or more of | CAs must supply evidence of their being evaluated according to one or more of the Mozilla policy's [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#311-audit-criteria acceptable audit criteria]. | ||
* The CA must indicate exactly which criteria they are being evaluated against (i.e., which of the criteria listed in the Mozilla policy). | * The CA must indicate exactly which criteria they are being evaluated against (i.e., which of the criteria listed in the Mozilla policy). | ||
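Review bot: the Line 110 hunk links to the policy's acceptable audit criteria, but the bullet that follows still only asks the CA to say which of the listed criteria applies; since those criteria are revised over time, the CA should also be asked to state the version of the criteria the audit was performed against, e.g. "which of the criteria listed in the Mozilla policy, and which version of those criteria".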
Line 118: | Line 118: | ||
==== Complete Audit History ==== | ==== Complete Audit History ==== | ||
[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#71-inclusions Mozilla's Root Store Policy] states: "Before being included, CAs MUST provide evidence that their CA certificates have continually, from the time of creation, complied with the then-current Mozilla Root Store Policy and Baseline Requirements." To meet this requirement CAs must provide public-facing audit statements for all of the audits that have been conducted from the time of | [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#71-inclusions Mozilla's Root Store Policy] states: "Before being included, CAs MUST provide evidence that their CA certificates fully comply with the current Mozilla Root Store Requirements and Baseline Requirements, and have continually, from the time of CA private key creation, complied with the then-current Mozilla Root Store Policy and Baseline Requirements." To meet this requirement CAs must provide public-facing audit statements for all of the audits that have been conducted from the time of CA key creation, for both the root and the non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates in the hierarchy. This includes: | ||
* Root key generation report | * Root key generation report | ||
* Any Point in time audits | * Any Point in time audits | ||
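Review bot: the Line 118 hunk quotes the policy as requiring compliance "from the time of CA private key creation" but the sentence that follows paraphrases it as "from the time of CA key creation"; suggest using the quoted wording so the requirement reads the same in both places. Minor style point on the unchanged bullet: "Any Point in time audits" should be "Any point-in-time audits".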
Line 204: | Line 204: | ||
=== Network Security Controls === | === Network Security Controls === | ||
CAs must maintain current best practices for network security, and have qualified network security audits performed on a regular basis. The [https://www.cabforum.org/ CA/Browser Forum] has published a document called [https:// | CAs must maintain current best practices for network security, and have qualified network security audits performed on a regular basis. The [https://www.cabforum.org/ CA/Browser Forum] has published a document called [https://cabforum.org/network-security-requirements/ Network and Certificate System Security Requirements] which should be used as guidance for protecting network and supporting systems. | ||
It is expected that CAs do the following on a regular basis: | It is expected that CAs do the following on a regular basis: | ||
* Maintain network security controls that meet the [https:// | * Maintain network security controls that meet the [https://cabforum.org/network-security-requirements/ Network and Certificate System Security Requirements.] | ||
* Check for mis-issuance of certificates, especially for high-profile domains. | * Check for mis-issuance of certificates, especially for high-profile domains. | ||
* Review network infrastructure, monitoring, passwords, etc. for signs of intrusion or weakness. | * Review network infrastructure, monitoring, passwords, etc. for signs of intrusion or weakness. |
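Review bot: in the second changed line of the Line 204 hunk the closing period sits inside the wiki link ("...Security Requirements.]"), so it renders as part of the link text; move it outside the bracket, i.e. "...Network and Certificate System Security Requirements]." The first changed line links the same document without the stray period, so the two should match.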