On Fri, Jun 12, 2015 at 3:46 PM, Tom Ritter <[email protected]> wrote:
> Are https://technet.microsoft.com/en-us/library/cc751157.aspx and
> http://aka.ms/auditreqs the MSFT components (previously?) under NDA?

The published requirements are not under NDA. Microsoft released a draft version under NDA for feedback.

> ====
>
> Government CAs must restrict server authentication to .gov domains and
> may only issue other certificates to the ISO3166 country codes that
> the country has sovereign control over (see http://aka.ms/auditreqs
> section III for the definition of a “Government CA”).
>
> Government CAs that also operate as commercial, non-profit, or other
> publicly-issuing entities must use a different root for all such
> certificate issuances (see http://aka.ms/auditreqs section III for the
> definition of a “Commercial CA”).
>
> ====
>
> Effective July 1, 2015, Government CAs may choose to either obtain the
> above WebTrust or ETSI-based audit(s) required of Commercial CAs, or
> to use an Equivalent Audit. If a Government CA chooses to obtain a
> WebTrust or ETSI-based audit, Microsoft will treat the Government CA
> as a Commercial CA. The Government CA can then operate without
> limiting the certificates it issues, provided it issues commercial
> (including non-profit) certificates from a different root than its
> government certificates and it signs a commercial CA contract with
> Microsoft.
>
> ... more about audits ...
>
> ====
>
> A “Government CA” is an entity that is established by the sovereign
> government of the jurisdiction in which the entity operates, and whose
> existence and operations are directly or indirectly subject to the
> control of the sovereign government anywhere in the PKI chain.
>
> A “Commercial CA” is an entity that is legally recognized in the
> jurisdiction(s) in which the entity operates (e.g., corporation or
> other legal person), that operates on a for-profit basis, and that
> issues digital certificates to other CAs or to the general public.
>
> “Certification Authority” or “CA” means an entity that issues digital
> certificates in accordance with Local Laws and Regulations.
>
> “Local Laws and Regulations” means the laws and regulations applicable
> to a CA under which the CA is authorized to issue digital
> certificates, which set forth the applicable policies, rules, and
> standards for issuing, maintaining, or revoking certificates,
> including audit frequency and procedure.
>
> ====
>
> -tom
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

