CA/Audit Letter Validation: Difference between revisions

continued drafting
(continued drafting)
(continued drafting)
Line 14: Line 14:


= Intermediate Certificates =
= Intermediate Certificates =
CAs are required to update the [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#31-audits audit] and [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#33-cps-and-cpses CP/CPS] for their non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates chaining to root certs included in Mozilla's program at least annually. To provide this information for intermediate certificates, directly update the corresponding record in the CCADB then click on the "Audit Letter Validation [ALV]" button.  
CAs are required to update the [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#31-audits audit] and [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#33-cps-and-cpses CP/CPS] for their non-[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#531-technically-constrained technically-constrained] intermediate certificates chaining to root certs included in Mozilla's program at least annually. To provide this information for intermediate certificates, [https://www.ccadb.org/cas/intermediates directly update the corresponding record in the CCADB] then click on the "Audit Letter Validation [ALV]" button.  


== ALV on Intermediate Certificate Records ==
== ALV on Intermediate Certificate Records ==
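Review bot: the policy links in this paragraph use two different URL forms. The audit and CP/CPS links are written as "policy#31-audits" and "policy#33-cps-and-cpses", while the technically-constrained link is "policy/#531-technically-constrained" with a slash before the fragment; pick one form for all three. The new CCADB link also wraps the whole phrase "directly update the corresponding record in the CCADB"; linking only "the corresponding record in the CCADB" and adding a comma before "then click" would read more cleanly.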
Line 23: Line 23:
#* This field will only be set when the "Derived Trust Bits" field has 'Server Authentication' in its list.
#* This field will only be set when the "Derived Trust Bits" field has 'Server Authentication' in its list.
#* This field will be set to PASS when ALV finds the SHA-256 Fingerprint for that certificate in the BR audit statement.
#* This field will be set to PASS when ALV finds the SHA-256 Fingerprint for that certificate in the BR audit statement.
When ALV returns FAIL for either "Standard Audit ALV Found Cert" or "BR Audit ALV Found Cert" for one of your CA's intermediate certificate records in the CCADB, do the following:
* Check the corresponding audit statement to make sure the SHA-256 fingerprint of the certificate is correctly listed.
* If the SHA-256 fingerprint is listed in the audit statement, then make sure that it meets the [https://www.ccadb.org/policy#51-audit-statement-content format specifications], such as no colons, no spaces, no line feeds.
** For existing audit statements (e.g. audit statements issued in 2019) add a comment to the "Standard Audit ALV Comments" or "BR Audit ALV Comments" fields indicating that the cert's fingerprint is there
* If you do not agree with the ALV results, add comments to the "Standard Audit ALV Comments" or "BR Audit
ALV Comments" fields.


== CA Task List ==
== CA Task List ==
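Review bot: the last new bullet is split across two lines in the middle of the field name ("BR Audit" on one line, "ALV Comments" fields. on the next), which ends the list item early in wikitext; keep the whole bullet on one line. The sub-bullet about existing audit statements has no closing period and only asks for a comment that the fingerprint "is there"; state what the comment should contain, for example where in the audit statement the fingerprint appears. The first bullet also tells the CA to check that the fingerprint is correctly listed but gives no next step for the case where it is missing from the statement.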