CAs are strongly encouraged to constrain their Intermediate Issuing Certificates to the first and second-level domains for which they are authorized to issue certificates, such as .edu, .gov, and the country-level TLD. Some CAs only need to issue certificates within certain TLDs, such as government-run or government-sponsored CAs and CAs for national research and education networks. For such a CA, the user base is large enough that typical Mozilla users in its region would benefit from having its root certificate included in NSS, but the CA only needs to issue certificates within certain first and second-level domains.
The CA’s CP/CPS documentation should indicate the first and second-level domains to which the Issuing Subordinate Certificates are constrained, and should cite the use of Name Constraints, as specified in RFC 3280 or RFC 5280, with the extension marked as critical.
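As an added illustration (not part of the original policy text, and not Mozilla's or any CA's code), the Python below applies the RFC 5280 dNSName rule, under which a name satisfies a constraint if it is formed by adding zero or more labels to the left of it, and audits an intermediate's Name Constraints against the domains the CA is authorized for. The dict layout for the parsed extension, the function names and the sample domains are assumptions; a leading dot such as ".edu" is treated the same as "edu".

```python
# Added example: dNSName name-constraint matching per RFC 5280 section 4.2.1.10.
# Function names, the dict layout and all sample domains are constructed.

def _labels(name):
    """Lower-case, drop a trailing root dot and a leading dot, split into labels."""
    name = name.strip().lower().rstrip(".")
    # Assumption: a leading dot (".edu") is treated the same as "edu".
    return [label for label in name.lstrip(".").split(".") if label]

def within(name, subtree):
    """True if `name` equals `subtree` or adds labels to its left-hand side."""
    n, s = _labels(name), _labels(subtree)
    if not s:
        # Adding labels to the left of an empty constraint yields every name.
        return True
    # Compare whole labels, so "badexample.edu" is not inside "example.edu".
    return len(n) >= len(s) and n[-len(s):] == s

def name_allowed(name, permitted, excluded=()):
    """Apply permitted and excluded subtrees; an excluded match always wins."""
    if any(within(name, e) for e in excluded):
        return False
    # With no permitted dNSName subtrees, DNS names are not restricted.
    return not permitted or any(within(name, p) for p in permitted)

def audit_intermediate(ext, authorized):
    """Return findings for a parsed Name Constraints extension.

    `ext` is a hypothetical dict: {"critical": bool, "permitted": [dNSName, ...]}
    or None when the certificate carries no Name Constraints extension.
    `authorized` lists the domains the CA's CP/CPS says it may issue under.
    """
    if ext is None:
        return ["no Name Constraints extension"]
    findings = []
    if not ext.get("critical"):
        findings.append("extension not marked critical")
    if not ext.get("permitted"):
        findings.append("no permitted dNSName subtrees")
    for p in ext.get("permitted", []):
        if not any(within(p, a) for a in authorized):
            findings.append("permitted subtree outside authorized domains: " + p)
    return findings
```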
Notes: