CA/BR Audit Guidance: Difference between revisions

CA/BR Audit Guidance (view source)

3 bytes added , 11 November 2015

m

Confirmed users, Administrators

5,526

edits

@@ Line 43: / Line 43: @@
 * Intermediate certificates must be checked for duplicate serial numbers, which is forbidden by section 4.1.2.2 of RFC 5280.
 * Cryptographic algorithm and key sizes must meet BR Appendix A. (section 6.1.5 in BR version 1.3)
-* Certificate Extensions must comply with BR Appendix B.(section 7.1.2 in BR version 1.3)
+* Certificate Extensions must comply with BR Appendix B. (section 7.1.2 in BR version 1.3)
-* Intermediate certificates must either be technically constrained or publicly disclosed and audited as described in [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy] and [https://cabforum.org/baseline-requirements-documents/ BR sections 9.7 and 17]. (sections 7.1.5 and 8 in BR version 1.3)
+* Intermediate certificates must either be technically constrained or publicly disclosed and audited as described in [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy] and [https://cabforum.org/baseline-requirements-documents/ BR sections 9.7 and 17]. (sections 7.1.5 and 8.1 in BR version 1.3)
 Definition: An intermediate certificate that does not have an Extended Key Usage (EKU) extension, has id-kp-serverAuth extended key usage, or has the anyExtendedKeyUsage KeyPurposeId is considered '''''capable''''' of issuing SSL certificates.