CA/Subordinate CA Checklist: Difference between revisions

Root certificate authorities should use a separate and distinct root to sign third-party private subordinate CAs, and such roots should not be submitted for inclusion in NSS. Then if the owner of the subordinate CA later decides to create a profit center and start signing site certificates of unaffiliated entities, those site certificates will not chain back up to a root in NSS.  With a separate and distinct root not submitted for inclusion in NSS, there would be no need to disclose any information about those third-party private subordinate CAs.
== Third-Party Private (or Enterprise) Subordinate CAs ==
When your root signs subordinate CAs for enterprises or companies that operate the sub-CA for their own use, the following information needs to be provided and made publicly available.
# General description of the sub-CAs operated by third parties.
# Selection criteria for sub-CAs
#* The types of organizations that apply to operate a sub-CA
#* The approval process for sub-CAs
#* The verification procedures applied to sub-CAs
# The CP/CPS that the sub-CAs are required to follow.
# Requirements (technical and contractual) for sub-CAs regarding whether or not sub-CAs are constrained to issue certificates only within certain domains, and whether or not sub-CAs can create their own subordinates.
# Requirements (typically in the CP or CPS) for sub-CAs to take reasonable measures to verify the ownership of the domain name and email address for end-entity certificates chaining up to the root, as per section 7 of our [http://www.mozilla.org/projects/security/certs/policy/ Mozilla CA certificate policy].
#* domain ownership/control
#* email address ownership/control
#* digitally signing code objects -- entity submitting the certificate signing request is the same entity referenced in the certificate
# Description of audit requirements for sub-CAs (typically in the CP or CPS)
#* Whether or not the root CA audit includes the sub-CAs.
#* Who can perform the audits for sub-CAs.
#* Frequency of the audits for sub-CAs.


== Third-Party Public Subordinate CAs ==