On 3/31/14, 4:01 PM, Kathleen Wilson wrote:
On 3/18/14, 11:54 AM, Kathleen Wilson wrote:
All,

The only place where we currently describe Super-CAs is here:

https://wiki.mozilla.org/CA:SubordinateCA_checklist
“In the situation where the root CA functions as a super CA such that
their CA policies don't apply to the subordinate CAs (including
auditing), then the root CA should not be considered for inclusion.
Rather, the subordinate CAs may apply for inclusion themselves, as
separate trust anchors.”


I’d like to clarify this text, so that CAs who are super-CAs will
realize that it applies to them.
Thanks to all of you who have commented on this. Based on your input,
here's a new proposal:

--
Some CAs sign the certificates of subordinate CAs to show that they have
been accredited or licensed by the signing CA.  Such signing CAs are
called Super-CAs, and their subordinate CAs must apply for inclusion of
their own certificates until the following has been established and
demonstrated:
- The Super-CA’s documented policies and audit criteria meet the
requirements of Mozilla’s CA Certificate Policy, which includes the
CA/Browser Forum’s Baseline Requirements, and includes sufficient
information about verification practices and issuance of end-entity
certificates.
- The Super-CA is at all times completely accountable for their
subordinate CAs, and the Super-CA ensures that all subordinate CAs
demonstrably adhere to the Super-CA’s documented policies and audit
criteria.
- The Super-CA provides publicly verifiable documentation and proof of
annual audits for each subordinate CA that attest to compliance with the
Super-CA’s documented policies and audit criteria.
- The subordinate CAs do not themselves act as a Super-CA or sign a
large number of public third-party subordinate CAs, making it difficult
for Mozilla and others to annually confirm that the full CA hierarchy is
in compliance with Mozilla’s CA Certificate Policy.
--
I've updated the wiki page:

https://wiki.mozilla.org/CA:SubordinateCA_checklist#Super-CAs

Comments, corrections, and recommendations on this are still welcome.

Thanks!
Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy