Confirmed users
377
edits
CA/Subordinate CA Checklist: Difference between revisions
→Non-disclosable Intermediate Certificates: Added clarification that other root store policies and CCADB may require disclosure.
(→Non-disclosable Intermediate Certificates: Added clarification that other root store policies and CCADB may require disclosure.) |
|||
| (27 intermediate revisions by 2 users not shown) | |||
| Line 2: | Line 2: | ||
In considering a root certificate for inclusion in NSS, Mozilla must also evaluate the current subordinate CAs and the selection/approval criteria for future subordinate CAs. This wiki page outlines subordinate CA information that needs to be provided by the root CA organization, and evaluated by the Mozilla community. | In considering a root certificate for inclusion in NSS, Mozilla must also evaluate the current subordinate CAs and the selection/approval criteria for future subordinate CAs. This wiki page outlines subordinate CA information that needs to be provided by the root CA organization, and evaluated by the Mozilla community. | ||
[ | [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#53-intermediate-certificates Mozilla’s Root Store Policy] encourages CAs to technically constrain subordinate CA certificates using RFC 5280 extensions that are specified directly in the intermediate certificate and controlled by crypto code (e.g. NSS). We recognize that technically constraining subordinate CA certificates in this manner may not be practical in some cases, so the subordinate CA certificates may instead be publicly disclosed, and audited in accordance with Mozilla’s Root Store Policy. | ||
== Super-CAs == | |||
Some CAs sign the certificates of subordinate CAs to show that they have been accredited or licensed by the signing CA. Such signing CAs are called Super-CAs, and their (first-level) subordinate CAs must apply for inclusion of their own certificates until the following has been established and demonstrated: | |||
* The Super-CA’s documented policies and audit criteria meet the requirements of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#3-documentation Mozilla’s Root Store Policy], which includes the [https://cabforum.org/baseline-requirements/ CA/Browser Forum’s Baseline Requirements], and includes sufficient information about verification practices and issuance of end-entity certificates. | |||
* The Super-CA is at all times completely accountable for their subordinate CAs, and the Super-CA ensures that all subordinate CAs demonstrably adhere to the Super-CA’s documented policies and audit criteria. | |||
* The Super-CA provides publicly verifiable documentation and proof of annual audits for each subordinate CA that attest to compliance with the Super-CA’s documented policies and audit criteria. | |||
* The subordinate CAs do not themselves act as a Super-CA or sign a large number of [[CA:SubordinateCA_checklist#Terminology | public third-party subordinate CAs]], making it difficult for Mozilla and others to annually confirm that the full CA hierarchy is in compliance with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla’s Root Store Policy]. | |||
== Terminology == | == Terminology == | ||
| Line 20: | Line 26: | ||
== CA Policies about Subordinate CAs == | == CA Policies about Third-Party Subordinate CAs == | ||
If a CA's policies allow the CA to have subordinate CAs that are operated by third parties, then the following information must be provided. | If a CA's policies allow the CA to have subordinate CAs that are operated by third parties, then the following information must be provided. | ||
| Line 31: | Line 37: | ||
# The CP/CPS that the sub-CAs are required to follow. | # The CP/CPS that the sub-CAs are required to follow. | ||
# Requirements (technical and contractual) for sub-CAs in regards to whether or not sub-CAs are constrained to issue certificates only within certain domains, and whether or not sub-CAs can create their own subordinates. | # Requirements (technical and contractual) for sub-CAs in regards to whether or not sub-CAs are constrained to issue certificates only within certain domains, and whether or not sub-CAs can create their own subordinates. | ||
# Requirements ( | #* Section 5.3 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#53-intermediate-certificates Mozilla's Root Store Policy] | ||
#* The CA/Browser Forum's [https://cabforum.org/baseline-requirements-documents/ Baseline Requirements] | |||
# Requirements (documented in the CP or CPS) for sub-CAs to take required and reasonable measures to verify the ownership of the domain name and email address for end-entity certificates chaining up to the root. | |||
#* domain ownership/control | #* domain ownership/control | ||
#* email address ownership/control | #* email address ownership/control | ||
# Description of audit requirements for sub-CAs (needs to be documented in the CP or CPS) | |||
# Description of audit requirements for sub-CAs ( | |||
#*Whether or not the root CA audit includes the sub-CAs. | #*Whether or not the root CA audit includes the sub-CAs. | ||
#*Who can perform the audits for sub-CAs. | #*Who can perform the audits for sub-CAs. | ||
#*Frequency of the audits for sub-CAs. | #*Frequency of the audits for sub-CAs. | ||
== Third-Party Subordinate CAs that are not Technically Constrained == | |||
All certificates that are capable of being used to issue new certificates, that are not technically constrained as described in section 5.3 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#53-intermediate-certificates Mozilla's Root Store Policy], and that directly or transitively chain to a certificate included in Mozilla's CA Certificate Program MUST be audited in accordance with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#3-documentation Mozilla's Root Store Policy] and MUST be publicly disclosed by the CA that has their certificate included in Mozilla's CA Certificate Program. | |||
In addition to the information listed above, the CA must provide the following information for each third-party subordinate CA certificate that is not technically constrained. | |||
In addition to the information listed above, the CA must provide the following information for each subordinate CA certificate that is not technically constrained | |||
# Sub-CA Company Name | # Sub-CA Company Name | ||
| Line 53: | Line 59: | ||
# General CA hierarchy under the sub-CA. | # General CA hierarchy under the sub-CA. | ||
# Sub-CA CP/CPS Links | # Sub-CA CP/CPS Links | ||
# The section numbers and text (in English) in the CP/CPS that demonstrate that reasonable measures are taken to verify the ownership of the domain name and email address for end-entity certificates chaining up to the root | # The section numbers and text (in English) in the CP/CPS that demonstrate that required and reasonable measures are taken to verify the ownership of the domain name and email address for end-entity certificates chaining up to the root. | ||
#* domain ownership/control | #* domain ownership/control | ||
#* email address ownership/control | #* email address ownership/control | ||
# Identify if the SSL certificates chaining up to the sub-CA are DV, OV, and/or EV. | # Identify if the SSL certificates chaining up to the sub-CA are DV, OV, and/or EV. | ||
#* DV: Organization attribute is not verified. Only the Domain Name referenced in the certificate is verified to be owned/controlled by the subscriber. | #* DV: Organization attribute is not verified. Only the Domain Name referenced in the certificate is verified to be owned/controlled by the subscriber. | ||
#* OV: Both the Organization and the ownership/control of the Domain Name are verified. | #* OV: Both the Organization and the ownership/control of the Domain Name are verified. | ||
#* EV: Extended validation was performed on the legal entity and its operational existence. | |||
# Review the CP/CPS for [http://wiki.mozilla.org/CA:Problematic_Practices Potentially Problematic Practices.] Provide further info when a potentially problematic practice is found. | # Review the CP/CPS for [http://wiki.mozilla.org/CA:Problematic_Practices Potentially Problematic Practices.] Provide further info when a potentially problematic practice is found. | ||
# If the root CA | # If the root CA audits do not include this sub-CA, then for this sub-CA provide a publishable statement or letter from an auditor that meets the requirements of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#3-documentation Mozilla's Root Store Policy.] | ||
== Non-disclosable Intermediate Certificates == | |||
In order to best ensure the safety and security of Mozilla users, Mozilla has a single consistent [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy policy] that describes the expectations for all CAs that will be trusted within its program. Mozilla requires that all participating root CAs fully disclose their hierarchy, including CP, CPS, and audits, when said hierarchy is capable of issuance. | |||
If you have intermediate certificates for which you cannot disclose this information, whether it be for personal, operational, or legal reasons, then an appropriate solution, consistent with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#53-intermediate-certificates Mozilla Root Store Policy], is to use Technically Constrained Subordinate CAs (TCSCAs) - as defined within the CA/Browser Forum's Baseline Requirements and as reflected within Mozilla's policy. Such TCSCAs are technically limited from the issuance of TLS server or email certificates. For example, if these subCAs are not used for the production of TLS/SSL or email certificates, then you can make use of the Extended Key Usage extension on the sub-CA to ensure it is present, and that it *lacks* the id-kp-serverAuth, id-kp-emailProtection, and anyExtendedKeyUsage extensions. (CAVEAT: Public disclosure in the CCADB might still be required by other root store programs. See [https://www.ccadb.org/policy#4-intermediate-certificates Section 4 of the CCADB Policy].) | |||
Alternatively, you can consider restructuring a CA hierarchy such that you have | |||
:::/-Private Sub CA 1 | |||
::/--Private Sub CA 2 | |||
:Root | |||
::\ | |||
:::\-BR-compliant Public Intermediate {This is the cert you would request Mozilla include as a Trust Anchor.} | |||
::::\ | |||
:::::\----BR-compliant SubCA1 | |||
::::::\---BR-compliant SubCA2 | |||
:::::::\--BR-compliant SubCA3 | |||
That is, in this structure, an additional intermediate is inserted into your PKI which distinguishes the "private" (confidential) sub-CAs, and the publicly audited, publicly disclosed set of sub-CAs. In this scenario, rather than all chaining directly to the Root, they transit a newly introduced intermediate. It is this newly introduced intermediate that you would 'apply' for inclusion to Mozilla as the root, even if operationally, your government might use and rely on "Root" for the broader purpose of digital signature identification or operational management. | |||
The point of this is that Mozilla Policy requires that all nodes signed by the trust anchor (using the RFC5280 terminology, since it doesn't need to be a self-signed cert), whether it's 'root' or 'BR-compliant Public Intermediate', MUST be operated and disclosed in a way consistent with Mozilla Policy. If you have a 'private' PKI (even if it's publicly operated for the benefit of citizens and/or customers), then it MUST be a sibling-or-parent node in the PKI tree, and MUST NOT be a child node. | |||