Line 2: | Line 2: | ||
In considering a root certificate for inclusion in NSS, Mozilla must also evaluate the current subordinate CAs and the selection/approval criteria for future subordinate CAs. This wiki page outlines subordinate CA information that needs to be provided by the root CA organization, and evaluated by the Mozilla community. | In considering a root certificate for inclusion in NSS, Mozilla must also evaluate the current subordinate CAs and the selection/approval criteria for future subordinate CAs. This wiki page outlines subordinate CA information that needs to be provided by the root CA organization, and evaluated by the Mozilla community. | ||
[http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Mozilla’s CA Certificate Policy] (sections 8, 9, and 10) encourages CAs to technically constrain subordinate CA certificates using RFC 5280 extensions that are specified directly in the intermediate certificate and controlled by crypto code (e.g. NSS). We recognize that technically constraining subordinate CA certificates in this manner may not be practical in some cases, so the subordinate CA certificates may instead be publicly disclosed, and audited in accordance with Mozilla’s CA Certificate Policy. | |||
In the situation where the root CA functions as a super CA such that their CA policies don't apply to the subordinate CAs (including auditing), then the root CA should not be considered for inclusion. Rather, the subordinate CAs may apply for inclusion themselves, as separate trust anchors. | In the situation where the root CA functions as a super CA such that their CA policies don't apply to the subordinate CAs (including auditing), then the root CA should not be considered for inclusion. Rather, the subordinate CAs may apply for inclusion themselves, as separate trust anchors. | ||
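Review bot: the added paragraph (the one citing policy sections 8, 9 and 10) says subordinate CA certificates should be constrained "using RFC 5280 extensions" but never names which extensions are meant, while the new section further down sends readers to item #9 of the policy for the definition of "technically constrained"; naming the extensions here (the name constraints extension is the obvious candidate for a sub-CA that issues server certificates) would let a reader check a subordinate CA certificate against this page alone. "controlled by crypto code (e.g. NSS)" also reads loosely; "enforced by the certificate verification library (e.g. NSS)" says what is meant.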
Line 19: | Line 19: | ||
Root certificate authorities should use a separate and distinct root to sign third-party private subordinate CAs, and such roots should not be submitted for inclusion in NSS. Then if the owner of the subordinate CA later decides to create a profit center and start signing site certificates of unaffiliated entities, those site certificates will not chain back up to a root in NSS. With a separate and distinct root not submitted for inclusion in NSS, there would be no need to disclose any information about those third-party private subordinate CAs. | Root certificate authorities should use a separate and distinct root to sign third-party private subordinate CAs, and such roots should not be submitted for inclusion in NSS. Then if the owner of the subordinate CA later decides to create a profit center and start signing site certificates of unaffiliated entities, those site certificates will not chain back up to a root in NSS. With a separate and distinct root not submitted for inclusion in NSS, there would be no need to disclose any information about those third-party private subordinate CAs. | ||
== CA Policies about Subordinate CAs == | |||
If a CA's policies allow the CA to have subordinate CAs that are operated by third parties, then the following information must be provided. | If a CA's policies allow the CA to have subordinate CAs that are operated by third parties, then the following information must be provided. | ||
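Review bot: the new "CA Policies about Subordinate CAs" heading is inserted after the paragraph recommending a separate, non-submitted root for third-party private subordinate CAs, so that paragraph ends up under the previous section even though it is itself a policy statement about subordinate CAs; consider moving the heading one paragraph up, or restating that recommendation as the first item of this section.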
Line 41: | Line 40: | ||
#*Frequency of the audits for sub-CAs. | #*Frequency of the audits for sub-CAs. | ||
== Subordinate CAs that are not Technically Constrained == | |||
All certificates that are capable of being used to issue new certificates, that are not technically constrained as described in item #9 of [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Mozilla's CA Certificate Inclusion Policy], and that directly or transitively chain to a certificate included in Mozilla's CA Certificate Program MUST be audited in accordance with [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Mozilla's CA Certificate Policy] and MUST be publicly disclosed by the CA that has their certificate included in Mozilla's CA Certificate Program. | |||
In addition to the information listed above, the CA must provide the following information for each subordinate CA certificate that is not technically constrained as described in item #9 of [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Mozilla's CA Certificate Inclusion Policy]. | In addition to the information listed above, the CA must provide the following information for each subordinate CA certificate that is not technically constrained as described in item #9 of [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Mozilla's CA Certificate Inclusion Policy]. |
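Review bot: the added "All certificates that are capable..." paragraph and the existing paragraph after it link the same URL under two labels ("Mozilla's CA Certificate Inclusion Policy" and "Mozilla's CA Certificate Policy"); use one label. The MUST clause "publicly disclosed by the CA that has their certificate included" also does not say where or in what form the disclosure is expected; since the next paragraph lists the information the CA must provide for each such certificate, either state that providing that information is the disclosure, or say where it is to be published. Grammar: "the CA whose certificate is included".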