Entrust does the following:

- Each subCA certificate is created through an audited ceremony. The auditor creates a report indicating the key ID and the CPS which was used for key generation.
- When it is time for the subCA to go into production, an intermediate certificate is issued from a root. The intermediate certificate will meet the requirements of the CPS and the BRs if applicable.
- The subCA can now issue certificates. The end entity certificates will have a certificate policy which is stated in the CPS. As such, issuing a certificate is an assertion that the subCA is issuing in accordance with the certificate policy and CPS.
- The new subCA is compliance audited at the next time in our annual audit cycle. Note the new subCA is operated the same as all other CAs meeting the same certificate policy.

I would note that if there was a significant change such as data center location or new certificate policy, then we may want to consider a point-in-time readiness assessment. I think that all CAs required a point-in-time readiness assessment before we started to issue EV certificates.

I suppose that I am stating that I support option 1, as I think the option 2 attestations are already covered. However, option 3 may be required for a new data center or a policy which has not been previously audited.

Thanks, Bruce.