CA/Required or Recommended Practices

1,201 bytes added, 00:32, 30 October 2018
Added important notes about domain validation practices
It is '''not''' sufficient to simply reference section 3.2.2.4 of the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum's Baseline Requirements (BR)]. The BRs list several ways in which the CA may confirm that the certificate subscriber owns or controls the domain name to be included in the certificate. Simply referencing section 3.2.2.4 of the BRs does not specify which of those methods the CA uses, and so is insufficient for describing how the CA conforms to the BRs. Section 2.3 of the BRs says: "The CA SHALL develop, implement, enforce, and annually update a Certificate Policy and/or Certification Practice Statement that describes '''in detail''' how the CA implements the latest version of these Requirements."
 
Notes:
* The CPS should state what the CA actually does, not what it could do; for example, which of the allowed domain validation methods the CA uses.
* BR subsections 3.2.2.4.1 and 3.2.2.4.5 were banned effective 1 August 2018.
** "CAs must stop using domain validation methods BR 3.2.2.4.1 and 3.2.2.4.5, stop reusing validation data from those methods"
* BR subsections 3.2.2.4.9 and 3.2.2.4.10 contain major vulnerabilities. If the CA uses these methods, the CPS should describe how the CA mitigates those vulnerabilities. If the CA does not use those methods, the CPS should say so.
* BR section 3.2.2.5(4) includes "any other method". Saying only that the CA follows BR section 3.2.2.5 does not meet [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#22-validation-practices Mozilla's disclosure requirements for this method]. The CPS must describe whether, and if so how, "any other method" is implemented.
* BR subsection 3.2.2.5(4) "any other method" is not permitted in conjunction with 3.2.2.4.8 per [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#22-validation-practices Mozilla's Root Store Policy]. The CPS should state clearly that the CA does not do so.
===== WHOIS =====