>
>
http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/InclusionPolicy.html
>
> -- Add new item #9 to state that externally-operated subCAs must be
> technically controlled or audited/disclosed.
Here’s the currently proposed text for the new item #9 of the Inclusion
Policy…
--
“9. The CA must do one of the following for each external third party
that issues certificates. (Any external third party that can directly
cause the issuance of a certificate must be treated as a subordinate CA,
meeting one of the following two requirements.)
- Implement technical controls to restrict the subordinate CA to
only issue certificates within a specific set of domain names which the
CA has confirmed that the subordinate CA has registered or has been
authorized by the domain registrant to act on the registrant's behalf.
Such technical controls must be documented in the CA's Certificate
Policy or Certification Practice Statement, and reviewed by a competent
independent party as part of the CA's annual audit. Acceptable technical
controls include but are not limited to X.509 dNSName Name Constraints
as specified in RFC 5280, which are marked as critical.
- Publicly disclose the subordinate CA along with the subordinate
CA's corresponding Certificate Policy and/or Certification Practice
Statement and provide public attestation of the subordinate CA's
conformance to the stated verification requirements and other
operational criteria by a competent independent party or parties with
access to details of the subordinate CA's internal operations. The
subordinate CA's verification requirements and operational criteria must
satisfy the requirements of the Mozilla CA Certificate Policy. The CA's
Certificate Policy or Certification Practice Statement must indicate
where the list of publicly disclosed subordinate CAs may be found on the
CA's website.”
--
Mozilla’s CA Certificate Policy applies to certificates that are used
for SSL/TLS, S/MIME, and Code Signing, as per the trust bits that can be
set.
Should this new requirement apply only to externally-operated subCAs
that can issue certificates to be used for SSL-enabled servers?
If yes…
- Should we tighten the statement about what technical controls can be
used?
E.g. Can the technical controls be anything other than name constraints?
- What about externally-operated subCAs that can issue certs for S/MIME
and Code Signing? Do we address them by adding a separate line item to
the policy? Or do we postpone that for a later policy update?
If no…
- Does the statement about technical controls appropriately apply to
externally-operated subCAs that can issue S/MIME and Code Signing
certificates?
- What technical controls would be sufficient regarding issuance of
S/MIME and Code Signing certificates? e.g. Have some sort of technical
constraint in place to make sure that those subCAs cannot sign SSL
certificates? Make sure that they can only issue S/MIME certs containing
email address within a certain domain?
Kathleen