Are https://technet.microsoft.com/en-us/library/cc751157.aspx and http://aka.ms/auditreqs the MSFT components (previously?) under NDA?
====

Government CAs must restrict server authentication to .gov domains and may only issue other certificates to the ISO3166 country codes that the country has sovereign control over (see http://aka.ms/auditreqs section III for the definition of a “Government CA”).

Government CAs that also operate as commercial, non-profit, or other publicly-issuing entities must use a different root for all such certificate issuances (see http://aka.ms/auditreqs section III for the definition of a “Commercial CA”).

====

Effective July 1, 2015, Government CAs may choose to either obtain the above WebTrust or ETSI-based audit(s) required of Commercial CAs, or to use an Equivalent Audit. If a Government CA chooses to obtain a WebTrust or ETSI-based audit, Microsoft will treat the Government CA as a Commercial CA. The Government CA can then operate without limiting the certificates it issues, provided it issues commercial (including non-profit) certificates from a different root than its government certificates and it signs a commercial CA contract with Microsoft.

... more about audits ...

====

A “Government CA” is an entity that is established by the sovereign government of the jurisdiction in which the entity operates, and whose existence and operations are directly or indirectly subject to the control of the sovereign government anywhere in the PKI chain.

A “Commercial CA” is an entity that is legally recognized in the jurisdiction(s) in which the entity operates (e.g., corporation or other legal person), that operates on a for-profit basis, and that issues digital certificates to other CAs or to the general public.

“Certification Authority” or “CA” means an entity that issues digital certificates in accordance with Local Laws and Regulations.

“Local Laws and Regulations” means the laws and regulations applicable to a CA under which the CA is authorized to issue digital certificates, which set forth the applicable policies, rules, and standards for issuing, maintaining, or revoking certificates, including audit frequency and procedure.

====

-tom
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy