== Purpose of this update ==
Mozilla is working towards stronger controls and visibility of publicly-trusted issuing certificates in order to make better trust decisions, detect security incidents faster, and limit the impact of each security incident. Version 2.1 of Mozilla's CA Certificate Policy encourages CAs to technically constrain all subordinate CA certificates by including an Extended Key Usage (EKU) extension specifying all extended key usages that the subordinate CA is authorized to issue certificates for. Technically constraining subordinate CAs that can issue SSL certificates also requires the subordinate CA certificate to include the Name Constraints X.509v3 extension, and the CA must have confirmed that the subordinate CA is authorized to issue certificates for the domains that are included in the Name Constraints extension. Version 2.1 of Mozilla's CA Certificate Policy requires auditing and public disclosure of subordinate CA certificates that are not technically constrained with EKU and Name Constraints.
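The two checks described above (an EKU list on the subordinate CA, plus dNSName Name Constraints when serverAuth is allowed) as an added Python example; this is a simplified model of the RFC 5280 dNSName matching rule and not Mozilla's, NSS's or any CA's code. The `SubCA` class, the `anyExtendedKeyUsage` rule and the sample names are constructed for illustration.

```python
"""Model of a technically constrained subordinate CA: EKU plus dNSName
Name Constraints, with a check that a leaf stays inside those bounds."""
from dataclasses import dataclass

SERVER_AUTH = "serverAuth"


@dataclass
class SubCA:
    """Constructed model of the relevant extensions of a subordinate CA cert."""
    ekus: frozenset            # extendedKeyUsage values it may issue for
    permitted_dns: tuple = ()  # nameConstraints permittedSubtrees dNSNames
    excluded_dns: tuple = ()   # nameConstraints excludedSubtrees dNSNames


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10 dNSName rule: `name` satisfies `subtree` if it is
    equal to it or is built by adding whole labels on the left. A plain
    suffix test would wrongly accept 'example.com.attacker.net'."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def is_technically_constrained(ca: SubCA) -> bool:
    """EKU must be present and must not be anyExtendedKeyUsage (assumption:
    an 'any' EKU defeats the constraint); if serverAuth is allowed, the
    certificate also needs permitted dNSName Name Constraints."""
    if not ca.ekus or "anyExtendedKeyUsage" in ca.ekus:
        return False
    if SERVER_AUTH in ca.ekus and not ca.permitted_dns:
        return False
    return True


def leaf_permitted(ca: SubCA, leaf_ekus, dns_sans) -> bool:
    """True if every leaf EKU is one the sub-CA may issue and every dNSName
    SAN lies in a permitted subtree and outside all excluded subtrees.
    (Only dNSName is modelled; real validators also handle iPAddress,
    directoryName and rfc822Name constraints.)"""
    if not set(leaf_ekus) <= ca.ekus:
        return False
    for san in dns_sans:
        if ca.permitted_dns and not any(
                dns_in_subtree(san, p) for p in ca.permitted_dns):
            return False
        if any(dns_in_subtree(san, e) for e in ca.excluded_dns):
            return False
    return True
```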
Version 2.1 of Mozilla's CA Certificate Policy also requires CAs to update their operations and SSL certificate issuance to comply with [https://www.cabforum.org/Baseline_Requirements_V1_1.pdf version 1.1 of the CA/Browser Forum Baseline Requirements]. The CA/Browser Forum Baseline Requirements provide a foundation for best practices across the industry by defining a single, consolidated set of essential standards for all SSL/TLS certificates.