CA/CertPolicyUpdatesDrafts

Revision as of 17:29, 9 July 2012 by Kathleen Wilson

This page is provided as a reference, showing the different versions of text that have been considered for updating Mozilla's CA Certificate Policy.

For the current proposed text, see http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/InclusionPolicy.html

Draft from June 2011 to Feb 2012

  • 9. The CA must do one of the following for each external third party that issues certificates. (Any external third party that can directly cause the issuance of a certificate must be treated as a subordinate CA, meeting one of the following two requirements.)
    • Implement technical controls to restrict the subordinate CA to only issue certificates within a specific set of domain names which the CA has confirmed that the subordinate CA has registered or has been authorized by the domain registrant to act on the registrant's behalf. Such technical controls must be documented in the CA's Certificate Policy or Certification Practice Statement, and reviewed by a competent independent party as part of the CA's annual audit. Acceptable technical controls include but are not limited to X.509 dNSName Name Constraints as specified in RFC 5280, which are marked as critical.
    • Publicly disclose the subordinate CA along with the subordinate CA's corresponding Certificate Policy and/or Certification Practice Statement and provide public attestation of the subordinate CA's conformance to the stated verification requirements and other operational criteria by a competent independent party or parties with access to details of the subordinate CA's internal operations. The subordinate CA's verification requirements and operational criteria must satisfy the requirements of the Mozilla CA Certificate Policy. The CA's Certificate Policy or Certification Practice Statement must indicate where the list of publicly disclosed subordinate CAs may be found on the CA's website.
  • 10. When an external third party verifies certificate subscriber information on behalf of the CA, the CA must perform appropriate additional due diligence, including at least domain name verification, before the CA may issue the certificate.
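The first option under item 9 names a concrete technical control: a subordinate CA certificate carrying an X.509 Name Constraints extension (RFC 5280 section 4.2.1.10), marked critical, that limits the names it may certify. The script below is an added example and is not part of this wiki page or of Mozilla's policy text. It uses the openssl command-line tool (assumed to be 1.1.1 or later and on the PATH) to build a throw-away PKI: a root, a subordinate CA constrained to example.com and its subdomains, and two leaf certificates, one inside and one outside the permitted subtree. It then checks that the constraint is flagged critical and that a standard chain validator accepts the in-scope leaf and rejects the out-of-scope one. All names, domains, serial numbers and file paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page): demonstrate a critical dNSName Name
# Constraint on a subordinate CA and a validator enforcing it.
set -e

# Issue a leaf certificate from the subordinate CA.
# $1 scratch dir, $2 file label, $3 DNS name for the SAN, $4 serial number
issue_leaf() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$1/$2.key"
  openssl req -new -key "$1/$2.key" -subj "/CN=$3" -out "$1/$2.csr"
  printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:%s\n' "$3" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/sub.crt" -CAkey "$1/sub.key" \
    -days 365 -set_serial "$4" -extfile "$1/$2.ext" -out "$1/$2.crt"
}

# Build root CA, name-constrained subordinate CA, and two leaves.  $1 scratch dir
build_pki() {
  dir="$1"
  # Root CA, self-signed (constructed name)
  openssl ecparam -genkey -name prime256v1 -noout -out "$dir/root.key"
  openssl req -new -key "$dir/root.key" -subj "/CN=Example Root CA" -out "$dir/root.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/root.ext"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 365 \
    -set_serial 1 -extfile "$dir/root.ext" -out "$dir/root.crt"

  # Subordinate CA: permitted subtree DNS:example.com covers example.com and
  # every name formed by adding labels on the left (RFC 5280); marked critical.
  openssl ecparam -genkey -name prime256v1 -noout -out "$dir/sub.key"
  openssl req -new -key "$dir/sub.key" -subj "/CN=Example Constrained Sub CA" -out "$dir/sub.csr"
  printf '%s\n' \
    'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'nameConstraints=critical,permitted;DNS:example.com' > "$dir/sub.ext"
  openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -days 365 -set_serial 2 -extfile "$dir/sub.ext" -out "$dir/sub.crt"

  # One leaf inside the permitted subtree, one outside it (constructed names)
  issue_leaf "$dir" inside  www.example.com 3
  issue_leaf "$dir" outside www.example.net 4
}

# Audit check: is the subordinate CA's Name Constraints extension critical?
# $1 scratch dir; prints yes or no
nc_is_critical() {
  if openssl x509 -in "$1/sub.crt" -noout -text | grep -q 'Name Constraints: critical'; then
    echo yes
  else
    echo no
  fi
}

# Chain-validate a leaf against root + subordinate.  $1 scratch dir, $2 label;
# prints OK, or REJECTED when openssl fails (for an out-of-scope name it
# reports a "permitted subtree violation").
verify_leaf() {
  if openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$1/$2.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo REJECTED
  fi
}

# Stand-alone demonstration
work=$(mktemp -d)
build_pki "$work" >/dev/null 2>&1
echo "sub CA name constraint marked critical: $(nc_is_critical "$work")"
echo "leaf for www.example.com: $(verify_leaf "$work" inside)"
echo "leaf for www.example.net: $(verify_leaf "$work" outside)"
rm -rf "$work"
```

The check in nc_is_critical is the one an auditor or relying party would make when reviewing the control described in the policy text: a Name Constraints extension that is not marked critical may be ignored by validators that do not understand it, which is why the draft requires the critical flag. The verify_leaf step shows the constraint doing its job: the subordinate CA can sign anything, but a conforming validator refuses a certificate whose dNSName falls outside the permitted subtree.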
