Confirmed users, Administrators
5,526
edits
CA/Root Store Policy Archive: Difference between revisions
Jump to navigation
Jump to search
m
→Consider for Version 2.3
| Line 81: | Line 81: | ||
The following items will be discussed in regards to version 2.3 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy.] | The following items will be discussed in regards to version 2.3 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy.] | ||
* Clean up the [[CA:Problematic_Practices#Other_considerations_when_updating_the_CA_Certificate_Policy|"Other considerations when updating the CA Certificate Policy"]] section of the [[CA:Problematic_Practices|Potentially Problematic Practices]] page. | * Clean up the [[CA:Problematic_Practices#Other_considerations_when_updating_the_CA_Certificate_Policy|"Other considerations when updating the CA Certificate Policy"]] section of the [[CA:Problematic_Practices|Potentially Problematic Practices]] page. i.e. figure out which items should be put directly into Mozilla's CA Certificate Policy. | ||
* [https://www.cabforum.org/documents.html CA/Browser Forum Baseline Requirements] version 1.1.6 added a requirement regarding technically constraining subordinate CA certificates, so item #9 of the [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Inclusion Policy] may refer to the BR for details about how to technically constrain a subordinate CA certificate that can sign SSL certs. | * [https://www.cabforum.org/documents.html CA/Browser Forum Baseline Requirements] version 1.1.6 added a requirement regarding technically constraining subordinate CA certificates, so item #9 of the [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Inclusion Policy] may refer to the BR for details about how to technically constrain a subordinate CA certificate that can sign SSL certs. | ||
* Make the timeline clear about when the audit statements and disclosure has to happen for new audited/disclosed subCAs. According to the Baseline Requirements section 17 and 17.4, pre-issuance Readiness Audit is to be done before the SubCA begins issuing publicly-trusted certs. Then a complete audit is due within 90 days of issuing the first publicly-trusted cert. | * Make the timeline clear about when the audit statements and disclosure has to happen for new audited/disclosed subCAs. According to the Baseline Requirements section 17 and 17.4, pre-issuance Readiness Audit is to be done before the SubCA begins issuing publicly-trusted certs. Then a complete audit is due within 90 days of issuing the first publicly-trusted cert. | ||