CA/Subordinate CA Checklist: Difference between revisions

Line 24: Line 24:
#* The root CA is required to disclose the identity of these third parties, because they are essentially functioning as public CAs.  
#* The root CA is required to disclose the identity of these third parties, because they are essentially functioning as public CAs.  
#* Please see the [[CA:SubordinateCA_checklist#Third-Party_Public_Subordinate_CAs|section below]]  which outlines the additional information that must be provided for third-party public subordinate CAs.
#* Please see the [[CA:SubordinateCA_checklist#Third-Party_Public_Subordinate_CAs|section below]]  which outlines the additional information that must be provided for third-party public subordinate CAs.
# '''Third-party private (or enterprise) subordinate CAs:''' This is the case where a commercial CA has enterprise customers who want to operate their own CAs for internal purposes, e.g., to issue SSL server certificates to systems running intranet applications, to issue individual SSL client certificates for employees or contractors for use in authenticating to such applications, and so on.
# '''Third-party private (or enterprise) subordinate CAs:''' This is the case where a commercial CA has enterprise customers who want to operate their own CAs for internal purposes, e.g., to issue SSL server certificates to systems running intranet applications, to issue individual SSL client certificates for employees or contractors for use in authenticating to such applications, to issue SSL certificates for pre-approved domains that are owned/controlled by the customer, and so on.
#* These sub-CAs are not functioning as public CAs, so typical Mozilla users would not encounter certificates issued by these sub-CAs in their normal activities.  
#* These sub-CAs are not functioning as public CAs, so typical Mozilla users would not encounter certificates issued by these sub-CAs in their normal activities.  
#* For these sub-CAs we need assurance that they are not going to start functioning as public CAs. Currently the only assurances available for this case it to ensure that these third parties are required to follow practices that satisfy the [http://www.mozilla.org/projects/security/certs/policy/ Mozilla CA Certificate Policy,] and that these third parties are under an acceptable audit regime.  
#* For these sub-CAs we need assurance that they are not going to start functioning as public CAs. Currently the only assurances available for this case it to ensure that these third parties are required to follow practices that satisfy the [http://www.mozilla.org/projects/security/certs/policy/ Mozilla CA Certificate Policy,] and that these third parties are under an acceptable audit regime.  
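Review bot: The clause added to the "Third-party private (or enterprise) subordinate CAs" item, "to issue SSL certificates for pre-approved domains that are owned/controlled by the customer", is listed among the "internal purposes" examples, but certificates for customer-owned domains are not necessarily internal. That sits uneasily with the following bullet, which says typical Mozilla users would not encounter certificates issued by these sub-CAs. Suggest stating who pre-approves the domains and how the sub-CA is held to that list, or moving this case out of the internal-use examples. Separately, the unchanged last bullet still reads "the only assurances available for this case it to ensure"; "it to" should be "is to", and this revision would be a natural place to fix it.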