CA/Subordinate CA Checklist: Difference between revisions

Line 29: Line 29:
#** Note: Mozilla is investigating ways to programmatically ensure that these types of sub-CAs are only able to issue certificates within their domain.
#** Note: Mozilla is investigating ways to programmatically ensure that these types of sub-CAs are only able to issue certificates within their domain.
#* Please see the [[CA:SubordinateCA_checklist#Third-Party_Private_(or_Enterprise)_Subordinate_CAs|section below]] which outlines the additional information that must be provided for third-party private (or enterprise) subordinate CAs.
#* Please see the [[CA:SubordinateCA_checklist#Third-Party_Private_(or_Enterprise)_Subordinate_CAs|section below]] which outlines the additional information that must be provided for third-party private (or enterprise) subordinate CAs.
'''Recommended:''' Root certificate authorities should use a separate and distinct root to sign third-party private subordinate certificates and such roots should not be submitted for inclusion in the NSS database. Then if the owner of the subordinate certificate later decides to create a profit center and start signing site certificates of unaffiliated entities, those site certificates will not chain back up to a root in the NSS database.  With a separate and distinct root not submitted for inclusion in the NSS database, there would be no need to disclose any information about those third-party private subordinate certificates.


== Third-Party Private (or Enterprise) Subordinate CAs ==
== Third-Party Private (or Enterprise) Subordinate CAs ==
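Review bot: The '''Recommended:''' paragraph, the one line that appears on only one side of this diff, says "third-party private subordinate certificates" where the list items above it and the section heading below it say "third-party private (or enterprise) subordinate CAs". Using the same term in all three places would make it clear that the recommendation applies to the same class of sub-CA that the following section asks for additional information about. The paragraph also has a double space before "With a separate and distinct root".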