CA/Forbidden or Problematic Practices: Difference between revisions



If you issue certificates for internal domains within your CA hierarchy, Mozilla requests that you take the following actions:

#Perform an internal audit to look for certificates that have been issued within your CA hierarchy which have .int domain names in the Common Name and/or as DNS Names in the subjectAlternativeName. For each of these certificates, check to see if the certificate subscriber owns/controls that domain name, and revoke the certificate if they do not own/control that domain name.
#Review your controls/procedures (both internally and your RAs) for correct identification of internal and external domain names and verification that subscribers own/control the domain name to be included in their certificate. Please refer to these documents:
#*Section 7 of [http://www.mozilla.org/projects/security/certs/policy/ Mozilla’s CA Certificate Policy], which states that CAs need to take reasonable measures to verify that the entity submitting the certificate signing request owns/controls the domain to be referenced in the certificate.
#*[[CA:Recommended_Practices|CA Recommended Practices]]


Mozilla also recommends that you:
#Implement automated checks to signal a red flag for domains such as .int and null characters in the Common Name and subjectAlternativeName of certificates.
#Track the [http://www.icann.org/en/registries/top-level-domains.htm ICANN list of TLDs] and update your procedures as necessary when new TLDs are approved.
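The following is an added example of the automated check recommended above, and of the name screen a CA would run during the .int audit requested earlier on this page; it is not Mozilla's code nor any CA's issuance software. It takes the Common Name and the subjectAlternativeName dNSName values that a CA's tooling has already extracted from a CSR or an issued certificate, and flags three things: an embedded NUL character (a client that passes the name through a C string API matches only the part before the NUL), a name whose top-level label is not on the public TLD list at all (a purely internal name for which domain control cannot be validated), and a name under a delegated public TLD that subscribers routinely mistake for an internal suffix (.int is the international treaty organisations TLD, so a certificate for an "internal" .int name is valid for a real public name). The TLD list excerpt, the sample names and the function names are constructed for this example; a real deployment loads the current ICANN/IANA list on a schedule, as the page recommends.

```python
"""Pre-issuance / audit screen for the DNS names in a certificate's CN and SAN.

Standard library only; the TLD list below is a constructed excerpt.
"""
import re
from typing import Dict, Iterable, List, Optional

# Constructed excerpt of the public TLD list (assumption for this example).
# Production code loads the current list from
# https://data.iana.org/TLD/tlds-alpha-by-domain.txt on a schedule.
PUBLIC_TLDS = frozenset({"com", "net", "org", "int", "edu", "gov", "mil", "uk", "de", "jp"})

# Delegated public TLDs that subscribers commonly mistake for private suffixes.
# ".int" is the international treaty organisations TLD, not an "internal" one.
COMMONLY_MISTAKEN_PUBLIC_TLDS = frozenset({"int"})

# One DNS label as permitted in a dNSName: letters/digits/hyphen, 1-63 octets,
# no leading or trailing hyphen.  Internationalised names must be A-labels
# (xn--...), so any non-ASCII character fails this check as well.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_name(name: str, public_tlds: Iterable[str] = PUBLIC_TLDS) -> List[str]:
    """Return the red flags raised by one requested DNS name (empty list if clean)."""
    findings: List[str] = []
    public_tlds = frozenset(t.lower() for t in public_tlds)

    # Embedded NUL: a NUL-terminating client sees only the prefix, so
    # "www.paypal.com\0.attacker.com" would match www.paypal.com.
    if "\x00" in name:
        visible = name.split("\x00", 1)[0]
        findings.append(f"NUL character in name; a NUL-terminating client would match it as {visible!r}")
        name = visible  # keep checking the part such a client would actually see

    labels = name.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]  # a wildcard is only meaningful in the left-most position
    if len(labels) < 2:
        findings.append("unqualified name (fewer than two labels after any wildcard)")
        return findings

    for label in labels:
        if not LABEL_RE.match(label):
            findings.append(f"invalid DNS label {label!r}")

    tld = labels[-1]
    if tld not in public_tlds:
        findings.append(f"TLD .{tld} is not a delegated public TLD; looks like an internal name")
    elif tld in COMMONLY_MISTAKEN_PUBLIC_TLDS:
        findings.append(f"TLD .{tld} is a delegated public TLD, not an internal suffix; require proof of control")
    return findings


def check_certificate_names(common_name: Optional[str], san_dns_names: Iterable[str],
                            public_tlds: Iterable[str] = PUBLIC_TLDS) -> Dict[str, List[str]]:
    """Run check_name over the CN and every SAN dNSName; return {name: findings} for flagged names."""
    report: Dict[str, List[str]] = {}
    for name in ([common_name] if common_name else []) + list(san_dns_names):
        findings = check_name(name, public_tlds)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    # Constructed sample CN/SAN pairs; feed in the values your PKI tooling
    # extracts from CSRs (pre-issuance) or from issued certificates (audit).
    samples = [
        ("www.example.com", ["www.example.com", "mail.example.com"]),
        ("server.int", ["server.int"]),
        ("intranet.corp", ["intranet.corp", "*.example.com"]),
        ("www.paypal.com\x00.attacker.com", []),
    ]
    for cn, sans in samples:
        for name, findings in check_certificate_names(cn, sans).items():
            print(f"{name!r}: " + "; ".join(findings))
```

The check deliberately keeps going after a NUL finding so the report also shows what a NUL-terminating client would accept; a name that is merely unfamiliar (a newly delegated TLD missing from a stale list) shows up as "not a delegated public TLD", which is the signal to refresh the list rather than to issue.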


== Other considerations when updating the CA Certificate Policy ==