Confirm, administrator
5,526
edits
Changes
m
CAs are strongly encouraged to constrain their Consider constraining your Intermediate Issuing Certificates to the first and second-level domains that they are authorized to issue certificates for, such as .edu, .gov, and the country-level TLD. Some CAs only need to issue certificates within certain TLDs, such as government run/sponsored CAs, and CAs for national research and education networks. The CA’s user base is large enough that typical Mozilla users in their region would benefit from having their root certificate included in NSS, but the CA only needs to issue certificates within certain first and second-level domains.
→Constrain Issuing Sub-CAs to Authorized Domains (DRAFT)
Proposed text:
The CA’s CP/CPS documentation should indicate the first and second-level domains that the Issuing Subordinate Certificates are constrained to, and cite the use of Name Constraints as specified in RFC 5280 and marked as critical.
