[cabfpub] Which CAs must be audited

Peter Bowen pzb at amzn.com
Sun Apr 30 07:53:26 MST 2017


Over on the mozilla.dev.security.policy list, there was some confusion about which subordinate CAs need to have audits.

I’ve put together two flow charts to help document what I think has been said on that list.  I tried to merge info from both the Mozilla and Microsoft policies, so I might be a little off.

The one place where this does differ from current Mozilla policy is that it has disclosure of technically constrained CA certificates themselves.  This is proposed for Mozilla but not yet required.

Anyone see errors?

Thanks,
Peter



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170430/0e692c4d/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CA-top-level.png
Type: image/png
Size: 38177 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20170430/0e692c4d/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CA-processing.png
Type: image/png
Size: 119868 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20170430/0e692c4d/attachment-0003.png>


More information about the Public mailing list