On 4/1/2014 11:12 AM, Kathleen Wilson wrote:
> On 3/31/14, 4:01 PM, Kathleen Wilson wrote:
>> On 3/18/14, 11:54 AM, Kathleen Wilson wrote:
>>> All,
>>>
>>> The only place where we currently describe Super-CAs is here:
>>>
>>> https://wiki.mozilla.org/CA:SubordinateCA_checklist
>>> “In the situation where the root CA functions as a super CA such that
>>> their CA policies don't apply to the subordinate CAs (including
>>> auditing), then the root CA should not be considered for inclusion.
>>> Rather, the subordinate CAs may apply for inclusion themselves, as
>>> separate trust anchors.”
>>>
>>>
>>> I’d like to clarify this text, so that CAs who are super-CAs will
>>> realize that it applies to them.
>>>
>>
>>
>> Thanks to all of you who have commented on this. Based on your input,
>> here's a new proposal:
>>
>> --
>> Some CAs sign the certificates of subordinate CAs to show that they have
>> been accredited or licensed by the signing CA. Such signing CAs are
>> called Super-CAs, and their subordinate CAs must apply for inclusion of
>> their own certificates until the following has been established and
>> demonstrated:
>> - The Super-CA’s documented policies and audit criteria meet the
>> requirements of Mozilla’s CA Certificate Policy, which includes the
>> CA/Browser Forum’s Baseline Requirements, and includes sufficient
>> information about verification practices and issuance of end-entity
>> certificates.
>> - The Super-CA is at all times completely accountable for their
>> subordinate CAs, and the Super-CA ensures that all subordinate CAs
>> demonstrably adhere to the Super-CA’s documented policies and audit
>> criteria.
>> - The Super-CA provides publicly verifiable documentation and proof of
>> annual audits for each subordinate CA that attest to compliance with the
>> Super-CA’s documented policies and audit criteria.
>> - The subordinate CAs do not themselves act as a Super-CA or sign a
>> large number of public third-party subordinate CAs, making it difficult
>> for Mozilla and others to annually confirm that the full CA hierarchy is
>> in compliance with Mozilla’s CA Certificate Policy.
>> --
>>
>
>
> I've updated the wiki page:
>
> https://wiki.mozilla.org/CA:SubordinateCA_checklist#Super-CAs
>
> Comments, corrections, and recommendations on this are still welcome.
>
> Thanks!
> Kathleen
>
That seems to cover my concerns as an end user. Thanks.

--
David E. Ross

The Crimea is Putin's Sudetenland.
The Ukraine will be Putin's Czechoslovakia.
See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy