CA/Subordinate CA Checklist: Difference between revisions

[http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Mozilla’s CA Certificate Policy] (sections 8, 9, and 10) encourages CAs to technically constrain subordinate CA certificates using RFC 5280 extensions that are specified directly in the intermediate certificate and controlled by crypto code (e.g. NSS). We recognize that technically constraining subordinate CA certificates in this manner may not be practical in some cases, so the subordinate CA certificates may instead be publicly disclosed, and audited in accordance with Mozilla’s CA Certificate Policy.
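The following is an added example, not code from the wiki page or from Mozilla; it assumes the Python `cryptography` package and uses example.com as a placeholder domain. It builds a constructed subordinate CA certificate with and without the RFC 5280 extensions the policy refers to (an Extended Key Usage extension and a Name Constraints extension), and a check an auditor or relying party could run to decide whether an intermediate is technically constrained, using a simplified rule: EKU must be present without anyExtendedKeyUsage, and a serverAuth EKU must be paired with name constraints.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import IPv4Network, IPv6Network

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def build_subca(constrained: bool) -> x509.Certificate:
    """Constructed sample: a self-signed stand-in for a subordinate CA cert.

    With constrained=True it carries the extensions that technically constrain
    it: an EKU limited to serverAuth, and a critical Name Constraints extension
    that permits only example.com (placeholder) and excludes every IP address.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample Sub CA")])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True))
    if constrained:
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]),
                            critical=False)
        b = b.add_extension(x509.NameConstraints(
            permitted_subtrees=[x509.DNSName("example.com")],
            excluded_subtrees=[x509.IPAddress(IPv4Network("0.0.0.0/0")),
                               x509.IPAddress(IPv6Network("::/0"))]), critical=True)
    return b.sign(key, hashes.SHA256())


def is_technically_constrained(cert: x509.Certificate) -> bool:
    """Simplified check: EKU present, no anyExtendedKeyUsage, and name
    constraints whenever the CA may issue serverAuth certificates."""
    exts = cert.extensions
    try:
        eku = exts.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False  # no EKU: the CA can issue certificates for any purpose
    if ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE in eku:
        return False
    if ExtendedKeyUsageOID.SERVER_AUTH in eku:
        try:
            nc = exts.get_extension_for_class(x509.NameConstraints).value
        except x509.ExtensionNotFound:
            return False  # TLS-capable CA with no limit on the names it can issue
        return bool(nc.permitted_subtrees or nc.excluded_subtrees)
    return True
```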


In the situation where the root CA functions as a super CA such that their CA policies don't apply to the subordinate CAs (including auditing), then the root CA should not be considered for inclusion. Rather, the subordinate CAs may apply for inclusion themselves, as separate trust anchors.  
== Super-CAs ==
 
Some CAs sign the certificates of subordinate CAs to show that they have been accredited or licensed by the signing CA.  Such signing CAs are called Super-CAs, and their subordinate CAs must apply for inclusion of their own certificates until the following has been established and demonstrated:
* The Super-CA’s documented policies and audit criteria meet the requirements of Mozilla’s CA Certificate Policy, which includes the CA/Browser Forum’s Baseline Requirements, and includes sufficient information about verification practices and issuance of end-entity certificates.
* The Super-CA is at all times completely accountable for their subordinate CAs, and the Super-CA ensures that all subordinate CAs demonstrably adhere to the Super-CA’s documented policies and audit criteria.
* The Super-CA provides publicly verifiable documentation and proof of annual audits for each subordinate CA that attest to compliance with the Super-CA’s documented policies and audit criteria.
* The subordinate CAs do not themselves act as a Super-CA or sign a large number of public third-party subordinate CAs, making it difficult for Mozilla and others to annually confirm that the full CA hierarchy is in compliance with Mozilla’s CA Certificate Policy.  


== Terminology ==