CA/Root Store Policy Archive: Difference between revisions

Jump to navigation Jump to search

CA/Root Store Policy Archive (view source)

Revision as of 21:11, 25 February 2015

311 bytes added ,  25 February 2015
m
→‎Consider for Version 2.3
Line 84: Line 84:
* Make it very clear that a CA with a root certificate included in Mozilla's program is ultimately responsible for every certificate issued that directly or indirectly chains up to the included certificate. If a CA's subcontractors (RAs, subCAs, etc.) have their own practice documentation, it must be inclusive of the CA's practices.  
* Make it very clear that a CA with a root certificate included in Mozilla's program is ultimately responsible for every certificate issued that directly or indirectly chains up to the included certificate. If a CA's subcontractors (RAs, subCAs, etc.) have their own practice documentation, it must be inclusive of the CA's practices.  
** The subcontractors may have their own practices '''in addition''' to the practices that the CA's CP/CPS impose on them. And the CA's CP/CPS must impose practices that are in line with Mozilla's CA Certificate Policies and CA/Browser Forums Baseline Requirements (depending on the types of certs the function '''is capable''' of issuing).  
** The subcontractors may have their own practices '''in addition''' to the practices that the CA's CP/CPS impose on them. And the CA's CP/CPS must impose practices that are in line with Mozilla's CA Certificate Policies and CA/Browser Forums Baseline Requirements (depending on the types of certs the function '''is capable''' of issuing).  
** The contracting CA must include documentation about the policies/practices that they require the contracted CA to comply with (i.e. in regards to the BRs and Mozilla policy). So the contracting CA's CPS needs to say that the contracted CA must include those things in their CPS, and be audited accordingly.
** The subscontractor may have their own audit, but it is the CA's responsibility to ensure proper auditing is happening, and to publicly disclose such audits according to section 10 of Mozilla's CA Certificate Inclusion Policy.  
** The subscontractor may have their own audit, but it is the CA's responsibility to ensure proper auditing is happening, and to publicly disclose such audits according to section 10 of Mozilla's CA Certificate Inclusion Policy.  
** The CA is responsible for making sure their subcontractors are acting in accordance with Mozilla's CA Certificate Policy and the BRs, including practices and audits. If it is found that a certificate has been mis-issued in the CA's hierarchy, the CA will be held accountable for the mistake, and the root certificate may be removed according to Mozilla's CA Certificate Enforcement Policy.  
** The CA is responsible for making sure their subcontractors are acting in accordance with Mozilla's CA Certificate Policy and the BRs, including practices and audits. If it is found that a certificate has been mis-issued in the CA's hierarchy, the CA will be held accountable for the mistake, and the root certificate may be removed according to Mozilla's CA Certificate Enforcement Policy.  
Kathleen Wilson
Confirmed users, Administrators
5,526

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/1058345"

Navigation menu