CA/Information Checklist: Difference between revisions

m (RecationChecker information)
(Updated audit criteria)
Line 164:
#* The publicly accessible URLs to the published document(s) relating to independent audit(s) of the root CA and any CAs within the hierarchy rooted at the root. For example, for WebTrust for CAs audits this would be the "audit report and management assertions" document available from the webtrust.org site or elsewhere.
#** Section 6 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy]: "We require that all CAs whose certificates are distributed with our software products: ... provide public attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties with access to details of the CA’s internal operations."
Previous revision:
#* We need a publishable (non-confidential) statement or letter from an auditor (who meets the requirements of the Mozilla CA Certificate Policy) that states that they have reviewed the practices as outlined in the CP/CPS for these roots, and that the CA does indeed follow these practices and meets the requirements of one of:
#** ETSI TS 101 456 V1.4.3 or later (only applicable to non-SSL certs)
#** ETSI TS 102 042 V2.3.1 or later
#** WebTrust Principles and Criteria for Certification Authorities v2.0 or later
#** Reference: sections 11 through 14 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy].
Current revision (Updated audit criteria):
#* We need a publishable (non-confidential) statement or letter from an auditor (who meets the requirements of the Mozilla CA Certificate Policy) that states that they have reviewed the practices as outlined in the CP/CPS for these roots and their CA hierarchies, and that the CA does indeed follow these practices and meets the requirements of one or more of:
#** WebTrust "Principles and Criteria for Certification Authorities 2.0" or later and "WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security – Version 2.0" or later (as applicable to SSL certificate issuance) in the WebTrust Program for Certification Authorities;
#** WebTrust "Principles and Criteria for Certification Authorities - Extended Validation SSL 1.4.5" or later in the WebTrust Program for Certification Authorities;
#** "Requirements on CA practice", in ETSI TS 101 456 V1.4.3 or later version, Policy requirements for certification authorities issuing qualified certificates (only applicable to electronic signature certificate issuance; applicable to either the "QCP public" or "QCP public + SSCD" certificate policies);
#** "Requirements on CA practice", in ETSI TS 102 042 V2.3.1 or later version, Policy requirements for certification authorities issuing public key certificates (as applicable to the "EVCP" and "EVCP+" certificate policies, the DVCP and OVCP certificate policies for publicly trusted certificates - baseline requirements, and any of the "NCP", "NCP+", or "LCP" certificate policies);
#** "Trust Service Providers practice" in ETSI EN 319 411-1 v1.1.1 or later version, Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements, specifying a policy or policies appropriate to the trust bit(s) being applied for;
#*** For the Websites trust bit (which requires a BR compliance audit) the CA must comply with EN 319 411-1 for "TLS" at level DV, OV or IV, and for "eMail" at level LCP or NCP.
#*** For EV treatment the CA must comply with EN 319 411-1 with the policy requirements identified for EVCP.
#** "Trust Service Providers practice" in ETSI EN 319 411-2 v2.1.1 or later version, Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust service providers issuing EU qualified certificates, specifying a policy or policies appropriate to the trust bit(s) being applied for.
#*** For QWACs the CA must comply with EN 319 411-2 with the policy requirements identified for QCP-w. Note: QCP-w as defined in EN 319 411-2 builds on EVCP as defined in EN 319 411-1.
#* Audits performed after January 2013 need to include verification of compliance with the [https://www.cabforum.org/documents.html CA/Browser Forum Baseline Requirements] if SSL certificates may be issued within the CA hierarchy, and the audit statement shall indicate the results.
#** Carefully review with your auditor: https://wiki.mozilla.org/CA:BaselineRequirements