(Updated references and links to Mozilla's root store policy) |
m (minor cleanup) |
||
Line 2: | Line 2: | ||
In considering a root certificate for inclusion in NSS, Mozilla must also evaluate the current subordinate CAs and the selection/approval criteria for future subordinate CAs. This wiki page outlines subordinate CA information that needs to be provided by the root CA organization, and evaluated by the Mozilla community. | In considering a root certificate for inclusion in NSS, Mozilla must also evaluate the current subordinate CAs and the selection/approval criteria for future subordinate CAs. This wiki page outlines subordinate CA information that needs to be provided by the root CA organization, and evaluated by the Mozilla community. | ||
[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#53-intermediate-certificates Mozilla’s Root Store Policy] encourages CAs to technically constrain subordinate CA certificates using RFC 5280 extensions that are specified directly in the intermediate certificate and controlled by crypto code (e.g. NSS). We recognize that technically constraining subordinate CA certificates in this manner may not be practical in some cases, so the subordinate CA certificates may instead be publicly disclosed, and audited in accordance with Mozilla’s | [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#53-intermediate-certificates Mozilla’s Root Store Policy] encourages CAs to technically constrain subordinate CA certificates using RFC 5280 extensions that are specified directly in the intermediate certificate and controlled by crypto code (e.g. NSS). We recognize that technically constraining subordinate CA certificates in this manner may not be practical in some cases, so the subordinate CA certificates may instead be publicly disclosed, and audited in accordance with Mozilla’s Root Store Policy. | ||
== Super-CAs == | == Super-CAs == |
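Review bot: the completed sentence in the Line 2 paragraph now ends "audited in accordance with Mozilla’s Root Store Policy" but does not say which part of the policy sets the disclosure and audit requirements. The link that opens the paragraph already targets the #53-intermediate-certificates anchor, so consider naming that section at the end of the sentence as well, so a CA reading only the final clause knows where the requirements for subordinate CAs that are not technically constrained are defined.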