Changes


CA/Forbidden or Problematic Practices

689 bytes added, 11:46, 20 April 2017
Update "Allowing External Entities to Operate Subordinate CAs" with new wording by Kathleen
== Allowing External Entities to Operate Subordinate CAs ==
Some CAs authorize external entities to operate their own CAs as subordinate CAs under the original CA's root. This raises concerns relating to whether or not such external entities are audited In considering a root certificate for inclusion in NSS, Mozilla must also evaluate the current subordinate CAs and the selection/approval criteria for future subordinate CAs. If Mozilla accepts and includes a manner equivalent CA's root certificate, then we have to assume that we also accept any of their future sub-CAs and their sub-CAs. Therefore, the root selection criteria for a CA's sub-CAs and their sub-CAs will be a critical decision factor, as well as what legal the documentation and technical arrangements constrain auditing-of-operations requirements that the external entitiesCA places on such relationships.
Where a root from a CA signs an intermediate certificate used by an external CA In order to then sign subsidiary intermediate certificates or subscriber certificatesbest ensure the safety and security of Mozilla users, Mozilla has a [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ single consistent policy] that situation needs to describes the expectations for all CAs that will be disclosedtrusted within its program. That disclosure should include documentation of what requirements are imposed by the CA owning the Mozilla requires that all participating root upon the operations of external CAs. Furtherfully disclose their hierarchy, including CP, CPS, the public audit report for the CA owning the root must indicate how and audits, when the operations said hierarchy is capable of the external CAs have been reviewed for compliance with those documented requirementsSSL or email issuance.
You More information on our disclosure requirements [https://wiki.mozilla.org/CA:SubordinateCA_checklist#Non-disclosable_Intermediate_Certificates is available]. During the root inclusion/change process, CAs must provide a clear description of the subordinate CAs that are operated by external third parties, and an explanation as to how the CP/CPS and audits ensure the third parties are in compliance with Mozilla's CA Certificate Policy requirements as per the Subordinate CA Checklist. After inclusion, CAs must disclose their subordinate CAs in the [https://wiki.mozilla.org/CA:SubordinateCA_checklist Subordinate SalesforceCommunity#Which_intermediate_certificate_data_should_CAs_add_to_Salesforce.3F Common CA ChecklistDatabase], and maintain annual updates to the corresponding CP/CPS documents and audit statements.]
== Distributing Generated Private Keys in PKCS#12 Files ==
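Review bot: In the first paragraph, "any of their future sub-CAs and their sub-CAs" (echoed in "a CA's sub-CAs and their sub-CAs") is ambiguous, because "their" can point back to the root CA or to the sub-CAs; wording such as "sub-CAs and the sub-CAs beneath them" would make the whole-chain scope explicit. In the second paragraph the link label "is available" says nothing about its target, so placing the link on "disclosure requirements" would read better. The condition "when said hierarchy is capable of SSL or email issuance" also does not say how capability is determined; a pointer to the policy section that defines it would help a CA decide which intermediates fall under the disclosure requirement.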