m (→Super-CAs) |
m (→Super-CAs) |
||
Line 7: | Line 7: | ||
Some CAs sign the certificates of subordinate CAs to show that they have been accredited or licensed by the signing CA. Such signing CAs are called Super-CAs, and their subordinate CAs must apply for inclusion of their own certificates until the following has been established and demonstrated: | Some CAs sign the certificates of subordinate CAs to show that they have been accredited or licensed by the signing CA. Such signing CAs are called Super-CAs, and their subordinate CAs must apply for inclusion of their own certificates until the following has been established and demonstrated: | ||
* The Super-CA’s documented policies and audit criteria meet the requirements of [http://www.mozilla.org | * The Super-CA’s documented policies and audit criteria meet the requirements of [http://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla’s CA Certificate Policy], which includes the [https://cabforum.org/baseline-requirements/ CA/Browser Forum’s Baseline Requirements], and includes sufficient information about verification practices and issuance of end-entity certificates. | ||
* The Super-CA is at all times completely accountable for their subordinate CAs, and the Super-CA ensures that all subordinate CAs demonstrably adhere to the Super-CA’s documented policies and audit criteria. | * The Super-CA is at all times completely accountable for their subordinate CAs, and the Super-CA ensures that all subordinate CAs demonstrably adhere to the Super-CA’s documented policies and audit criteria. | ||
* The Super-CA provides publicly verifiable documentation and proof of annual audits for each subordinate CA that attest to compliance with the Super-CA’s documented policies and audit criteria. | * The Super-CA provides publicly verifiable documentation and proof of annual audits for each subordinate CA that attest to compliance with the Super-CA’s documented policies and audit criteria. | ||
* The subordinate CAs do not themselves act as a Super-CA or sign a large number of [[CA:SubordinateCA_checklist#Terminology | public third-party subordinate CAs]], making it difficult for Mozilla and others to annually confirm that the full CA hierarchy is in compliance with Mozilla’s CA Certificate Policy. | * The subordinate CAs do not themselves act as a Super-CA or sign a large number of [[CA:SubordinateCA_checklist#Terminology | public third-party subordinate CAs]], making it difficult for Mozilla and others to annually confirm that the full CA hierarchy is in compliance with [http://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla’s CA Certificate Policy]. | ||
== Terminology == | == Terminology == |
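Review bot: The link target for Mozilla's CA Certificate Policy, shown in the first bullet and added to the fourth bullet on the right-hand side, uses plain http:// (http://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/), while the CA/Browser Forum link in the first bullet uses https://. Suggest using https:// for both policy links so the scheme is consistent and readers are not sent to the policy text over an unauthenticated connection. The closing clause of the fourth bullet ("making it difficult for Mozilla and others to annually confirm ...") is unchanged by this edit, but it reads as if not signing subordinate CAs is what makes confirmation difficult. Since the line is being touched anyway, consider rewording it to "as doing so would make it difficult ...".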