(separated other audits) |
(added info about what it means for a CA to be trusted by Mozilla's root store) |
| Line 28: | Line 28: | ||
* Before being included and periodically thereafter, CAs MUST obtain certain audits for their root certificates and all of their intermediate certificates that are technically capable of issuing working server or email certificates. | * Before being included and periodically thereafter, CAs MUST obtain certain audits for their root certificates and all of their intermediate certificates that are technically capable of issuing working server or email certificates. | ||
* Full-surveillance period-of-time audits MUST be conducted and updated audit information provided no less frequently than annually from the time of CA key pair generation until the CA certificate is no longer trusted by Mozilla's root store. | * Full-surveillance period-of-time audits MUST be conducted and updated audit information provided no less frequently than annually from the time of CA key pair generation until the CA certificate is no longer trusted by Mozilla's root store. | ||
** A CA certificate is considered to be trusted by Mozilla's root store as long as it is not expired, not in OneCRL, and either is directly included in Mozilla's root store or chains up (via subject/issuer) to another certificate that is included in Mozilla's root store. | |||
*** A CA certificate that has the Websites trust bit enabled is considered to be trusted by Mozilla's root store as long as Firefox continues to treat is as either a trusted root certificate or a trusted intermediate certificate. Reference: [[SecurityEngineering/Certificate_Verification|How Firefox Performs Certificate Verification and path construction]] | |||
** Note: If a CA stops providing audit statements for a root certificate for any reason, then the certificate may be added to OneCRL in addition to being removed from Mozilla's root store. | ** Note: If a CA stops providing audit statements for a root certificate for any reason, then the certificate may be added to OneCRL in addition to being removed from Mozilla's root store. | ||
* Successive audits MUST be contiguous (no gaps). | * Successive audits MUST be contiguous (no gaps). | ||
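Review bot: typo in the new third-level bullet: "Firefox continues to treat is as either a trusted root certificate or a trusted intermediate certificate" should read "treat it as". Separately, that bullet only spells out the "trusted" condition for certificates with the Websites trust bit, while the surrounding policy text in this hunk covers both server and email certificates; a CA reading it for the Email trust bit is left with only the general second-level definition (not expired, not in OneCRL, included or chaining via subject/issuer to an included certificate). Consider either adding a parallel sub-bullet for the Email trust bit or stating explicitly that the general definition is the one that applies to it, so the audit-obligation boundary is unambiguous for email-only hierarchies.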