CA/Audit Letter Validation: Difference between revisions

continued drafting
(continued drafting)
(continued drafting)
Line 27: Line 27:
Subordinate CAs who operate non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates have the keys to the internet just as much as the [[CA/Included_CAs|CAs who have root certificates directly included in Mozilla's root store]]. Meaning that such subordinate CAs can also issue TLS certificates for any website or domain, so it is imperative that the same rules are being followed by all subordinate CAs operating non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates.
Subordinate CAs who operate non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates have the keys to the internet just as much as the [[CA/Included_CAs|CAs who have root certificates directly included in Mozilla's root store]]. Meaning that such subordinate CAs can also issue TLS certificates for any website or domain, so it is imperative that the same rules are being followed by all subordinate CAs operating non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates.
<br /><br />
<br /><br />
There are currently about 150 [[CA/Included_Certificates|root certificates in Mozilla's root store]] , which leads to over 3,100 [[CA/Intermediate_Certificates|intermediate certificates]] that are trusted by Mozilla's root store.  To help enforce the rules at the intermediate certificate level, Mozilla requires disclosure of non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates in the CCADB, which automatically runs ALV on them and reports the results to CAs and root store operators in their CCADB home page.
There are currently about 150 [[CA/Included_Certificates|root certificates in Mozilla's root store]] , which leads to about 2,500 [[CA/Intermediate_Certificates|intermediate certificates]] that are trusted by Mozilla's root store.  To help enforce the rules at the intermediate certificate level, Mozilla requires disclosure of non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates in the CCADB, which automatically runs ALV on them and reports the results to CAs and root store operators in their CCADB home page.
* [https://groups.google.com/d/msg/mozilla.dev.security.policy/M7NGwCh14DI/8QB-G-CUBwAJ Progress towards enforcement at intermediate certificate level]
* [https://groups.google.com/d/msg/mozilla.dev.security.policy/M7NGwCh14DI/8QB-G-CUBwAJ Progress towards enforcement at intermediate certificate level]
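Review bot: The intermediate-certificate count in the changed sentence drops from "over 3,100" to "about 2,500" with no as-of date or source, and the edit summary ("continued drafting") does not explain the difference. Because the sentence says "currently", the figure will go stale; suggest stating the date the count was taken and linking the CCADB report it came from, and doing the same for the "about 150" root count in the same sentence. The stray space before the comma after the root store link could be removed while the sentence is being touched.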