m (updated text to match new diagram) |
Line 51: | Line 51: | ||
All root and intermediate certificates must be audited according to the Baseline Requirements, and end entity certificates may be audited on a sample basis. For the above diagram: | All root and intermediate certificates must be audited according to the Baseline Requirements, and end entity certificates may be audited on a sample basis. For the above diagram: | ||
* Public Root CA must be audited | * 'Public Root CA' must be audited | ||
* | * 'Issuing CA 1' issues SSL certificates so it would be subject to audit, PLUS its end-entity certificates would need to be audited at least on a sample basis | ||
* | * 'Issuing CA 2' has an EKU that allows SSL certificates, so it would be subject to audit, PLUS its end-entity certificates as well to verify that no SSL certificates have been issued. | ||
* Sub CA 3, operated by ABC Corp, is subject to audit | * 'Sub CA 3', operated by ABC Corp, is subject to audit | ||
* Sub CA 3a PLUS its end-entity certs are subject to audit | * 'Sub CA 3a' PLUS its end-entity certs are subject to audit | ||
* Sub CA 3b is subject to audit, but not its end-entity certificates because the EKU restricts to SMIME only | * 'Sub CA 3b' is subject to audit, but not its end-entity certificates because the EKU restricts to SMIME only | ||
* Sub CA 4, operated by XYZ Corp, is subject to audit, but not its end-entity certificates because Sub CA 4 is technically constrained in line with BRs | * 'Sub CA 4', operated by XYZ Corp, is subject to audit, but not its end-entity certificates because Sub CA 4 is technically constrained in line with BRs | ||
The colors in the above diagram represent the following: | The colors in the above diagram represent the following: |
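Review bot: the new 'Issuing CA 2' bullet does not state the scope of the end-entity check. The 'Issuing CA 1' bullet says "at least on a sample basis", while 'Issuing CA 2' only says its end-entity certificates are audited "as well to verify that no SSL certificates have been issued", so a reader cannot tell whether a sample is meant or every issued certificate; say which, and reword the clause so it reads as a full sentence. Smaller style points in the same hunk: the 'Sub CA 4' bullet quotes the name the first time but leaves the second mention ("because Sub CA 4 is technically constrained") unquoted, and the list uses "BRs" where the introductory sentence spells out "Baseline Requirements".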