CA/Subordinate CA Checklist: Difference between revisions

Line 27: Line 27:
#* These sub-CAs are not functioning as public CAs, so typical Mozilla users would not encounter certificates issued by these sub-CAs in their normal activities.  
#* These sub-CAs are not functioning as public CAs, so typical Mozilla users would not encounter certificates issued by these sub-CAs in their normal activities.  
#* For these sub-CAs we need assurance that they are not going to start functioning as public CAs. Currently the only assurances available for this case it to ensure that these third parties are required to follow practices that satisfy the [http://www.mozilla.org/projects/security/certs/policy/ Mozilla CA Certificate Policy,] and that these third parties are under an acceptable audit regime.  
#* For these sub-CAs we need assurance that they are not going to start functioning as public CAs. Currently the only assurances available for this case it to ensure that these third parties are required to follow practices that satisfy the [http://www.mozilla.org/projects/security/certs/policy/ Mozilla CA Certificate Policy,] and that these third parties are under an acceptable audit regime.  
#** Note: Mozilla is investigating ways to programmatically ensure that these types of sub-CAs are only able to issue certificates within their domain.
#** In [https://bugzilla.mozilla.org/show_bug.cgi?id=394919 Bug #394919] NSS is being updated to apply dNSName constraints on the CN, in addition to the SANs.
#** We plan to update our policy to require CAs to constrain third-party private (or enterprise) subordinate CAs so they can only issue certificates within a specified domain. See section 4.2.1.10 of RFC 5280.
#* Please see the [[CA:SubordinateCA_checklist#Third-Party_Private_(or_Enterprise)_Subordinate_CAs|section below]] which outlines the additional information that must be provided for third-party private (or enterprise) subordinate CAs.
#* Please see the [[CA:SubordinateCA_checklist#Third-Party_Private_(or_Enterprise)_Subordinate_CAs|section below]] which outlines the additional information that must be provided for third-party private (or enterprise) subordinate CAs.
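Review bot: the three added bullets (the "Note:", the Bug #394919 line, and the policy-update line) name the mechanism only indirectly; the policy bullet should say explicitly that "constrain ... so they can only issue certificates within a specified domain" means the RFC 5280 section 4.2.1.10 Name Constraints extension on the sub-CA certificate, with the permitted domains listed as dNSName entries in permittedSubtrees, so that a reader of the checklist knows what to look for in the intermediate certificate rather than having to infer it from the RFC reference. The Bug #394919 line also deserves one more sentence tying it to the note above it: the constraint only delivers the assurance the surrounding text asks for if relying parties enforce it, and the NSS change matters because constraints that are checked against the SANs but not the CN leave a gap for names that appear only in the CN. Separately, the unchanged context line that precedes the additions still reads "the only assurances available for this case it to ensure"; "it" should be "is", and since that line is adjacent to the edit it would be cheap to fix in the same revision.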

