** Click on "Last modified on ..."

== Draft proposed in October 2012 ==
9. All certificates that are technically capable of issuing certificates, and which directly or transitively chain to a certificate included in Mozilla's CA Certificate Program, MUST be operated in accordance with Mozilla's CA Certificate Policy and must either be technically constrained or be publicly disclosed and audited.
* A certificate is deemed as technically capable of issuing certificates if it lacks a critical X.509v3 basicConstraints extension with the isCA boolean explicitly false. The term "subordinate CA" below refers to any organization or legal entity that is in possession or control of a certificate that is technically capable of issuing certificates.
* These requirements include all cross-certified certificates which chain to a certificate that is included in Mozilla's CA Certificate Program.
* For a certificate to be considered technically constrained, the certificate MUST include an Extended Key Usage (EKU) extension specifying all extended key usages that the subordinate CA is authorized to issue certificates for. The anyExtendedKeyUsage MUST NOT appear within this extension.
** If the certificate includes the id-kp-serverAuth extended key usage, then the certificate MUST include the Name Constraints X.509v3 extension. The Name Constraints extension MUST contain a dNSName permittedSubtrees constraint that only contains domains for which the issuing CA has confirmed that the subordinate CA has registered or has been authorized by the domain registrant to act on the registrant's behalf. If there are no such dNSNames (e.g. because the certificate is for issuing IP-address-based certificates), then the certificate must contain a dNSName constraint that prohibits all DNS names.
** If the certificate includes the id-kp-emailProtection extended key usage, then all end-entity certificates MUST only include e-mail addresses or mailboxes that the issuing CA has confirmed (via technical and/or business controls) that the subordinate CA is authorized to use.
* All certificates that are technically capable of issuing certificates, that are not technically constrained, and which directly or transitively chain to a certificate included in Mozilla's CA Certificate Program MUST be publicly disclosed by the CA that has their certificate included in Mozilla's CA Certificate Program. The CA with a certificate included in Mozilla's CA Certificate Program MUST disclose this information prior to any such subordinate CA issuing certificates. All disclosure of certificates MUST be made freely available and without additional requirements, including, but not limited to, registration, legal agreements, or restrictions on redistribution of the certificates in whole or in part. The Certificate Policy or Certification Practice Statement of the CA that has their certificate included in Mozilla's CA Certificate Program must specify where on that CA's website all such public disclosures are located. For a certificate to be considered publicly disclosed, the following information MUST be provided:
** The full DER-encoded X.509 certificate
** The corresponding Certificate Policy or Certification Practice Statement used by the subordinate CA
** Annual public attestation of conformance to the stated certificate verification requirements and other operational criteria by a competent independent party or parties with access to the details of the subordinate CA's internal operations.
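The "technically capable" and "technically constrained" tests in the draft above are mechanical checks on the subordinate CA certificate itself (the emailProtection rule is not: it governs the end-entity certificates the sub-CA issues, so no check on the sub-CA certificate alone can establish it). The Go program below, added here as an illustration and not part of the Mozilla draft or of any Mozilla tooling, applies those rules with the standard library's crypto/x509 to a set of sub-CA certificates it constructs itself under a throwaway root. Two assumptions are labelled in the code: the certificate layouts (names, serials, lifetimes) are constructed fixtures, and "a dNSName constraint that prohibits all DNS names" is encoded as an excludedSubtrees dNSName of the empty string, which Go's verifier (following NSS) treats as matching every DNS name; other encodings of "prohibit all" would need their own branch in `TechnicallyConstrained`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var (
	oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}
	oidNameConstraints  = asn1.ObjectIdentifier{2, 5, 29, 30}
)

// hasExtension reports whether c carries the extension with the given OID and whether it is critical.
func hasExtension(c *x509.Certificate, oid asn1.ObjectIdentifier) (present, critical bool) {
	for _, e := range c.Extensions {
		if e.Id.Equal(oid) {
			return true, e.Critical
		}
	}
	return false, false
}

// TechnicallyCapable follows the draft's definition: the certificate can issue certificates
// unless it has a critical basicConstraints extension whose cA boolean is explicitly false.
func TechnicallyCapable(c *x509.Certificate) bool {
	present, critical := hasExtension(c, oidBasicConstraints)
	return !(present && critical && !c.IsCA)
}

// TechnicallyConstrained applies the draft's EKU and Name Constraints rules and returns a reason.
func TechnicallyConstrained(c *x509.Certificate) (bool, string) {
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return false, "no Extended Key Usage extension"
	}
	serverAuth := false
	for _, eku := range c.ExtKeyUsage {
		switch eku {
		case x509.ExtKeyUsageAny:
			return false, "EKU contains anyExtendedKeyUsage"
		case x509.ExtKeyUsageServerAuth:
			serverAuth = true
		}
	}
	if !serverAuth {
		return true, "no id-kp-serverAuth, so the draft requires no Name Constraints"
	}
	if present, _ := hasExtension(c, oidNameConstraints); !present {
		return false, "id-kp-serverAuth without a Name Constraints extension"
	}
	if len(c.PermittedDNSDomains) > 0 {
		return true, fmt.Sprintf("dNSName permittedSubtrees %v", c.PermittedDNSDomains)
	}
	// Assumption: "prohibits all DNS names" is encoded as an excluded dNSName "" (matches everything).
	for _, d := range c.ExcludedDNSDomains {
		if d == "" {
			return true, "all DNS names excluded (IP-only issuance)"
		}
	}
	return false, "id-kp-serverAuth with neither permitted dNSNames nor a constraint excluding all DNS names"
}

// caTemplate is a constructed fixture: a CA-flagged certificate body with a fixed short lifetime.
func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// subCATemplates returns constructed sub-CA bodies, one per rule in the draft.
func subCATemplates() map[string]*x509.Certificate {
	dns := caTemplate(10, "Sub-CA constrained to example.com (constructed)")
	dns.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	dns.PermittedDNSDomains, dns.PermittedDNSDomainsCritical = []string{"example.com"}, true
	ipOnly := caTemplate(11, "Sub-CA for IP-address certificates (constructed)")
	ipOnly.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	ipOnly.ExcludedDNSDomains = []string{""} // assumption: excluded "" prohibits all DNS names
	anyEKU := caTemplate(12, "Sub-CA with anyExtendedKeyUsage (constructed)")
	anyEKU.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageAny}
	noEKU := caTemplate(13, "Sub-CA without EKU (constructed)")
	noNC := caTemplate(14, "Sub-CA serverAuth without Name Constraints (constructed)")
	noNC.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	email := caTemplate(15, "Sub-CA emailProtection only (constructed)")
	email.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	leaf := caTemplate(16, "End-entity with cA=false (constructed)")
	leaf.IsCA, leaf.KeyUsage = false, x509.KeyUsageDigitalSignature
	return map[string]*x509.Certificate{"dns-constrained": dns, "ip-only": ipOnly, "any-eku": anyEKU,
		"no-eku": noEKU, "serverauth-no-nc": noNC, "email-only": email, "not-capable": leaf}
}

// Verdict is the outcome of both draft tests for one certificate.
type Verdict struct {
	Capable, Constrained bool
	Reason               string
}

// Evaluate signs each fixture under a fresh throwaway root, re-parses the DER, and applies the rules.
func Evaluate() (map[string]Verdict, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := caTemplate(1, "Throwaway root (constructed)")
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	out := map[string]Verdict{}
	for name, tmpl := range subCATemplates() {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		constrained, reason := TechnicallyConstrained(cert)
		out[name] = Verdict{Capable: TechnicallyCapable(cert), Constrained: constrained, Reason: reason}
	}
	return out, nil
}

func main() {
	verdicts, err := Evaluate()
	if err != nil {
		panic(err)
	}
	for name, v := range verdicts {
		fmt.Printf("%-18s capable=%-5v constrained=%-5v %s\n", name, v.Capable, v.Constrained, v.Reason)
	}
}
```

Run with `go run .`; only `dns-constrained`, `ip-only` and `email-only` come out constrained, `serverauth-no-nc`, `any-eku` and `no-eku` would have to be disclosed and audited under the draft, and `not-capable` is out of scope because its critical basicConstraints carries cA=false. To audit a real sub-CA, replace the fixtures with `x509.ParseCertificate` on the DER the disclosing CA publishes.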
== Changes in September 2012 ==