Re: Name-constraining government CAs, or not

2015-06-12 Thread Tom Ritter
Are https://technet.microsoft.com/en-us/library/cc751157.aspx and
http://aka.ms/auditreqs the MSFT components (previously?) under NDA?



Government CAs must restrict server authentication to .gov domains and
may only issue other certificates to the ISO3166 country codes that
the country has sovereign control over (see http://aka.ms/auditreqs
section III for the definition of a “Government CA”).

Government CAs that also operate as commercial, non-profit, or other
publicly-issuing entities must use a different root for all such
certificate issuances (see http://aka.ms/auditreqs section III for the
definition of a “Commercial CA”).



Effective July 1, 2015, Government CAs may choose to either obtain the
above WebTrust or ETSI-based audit(s) required of Commercial CAs, or
to use an Equivalent Audit. If a Government CA chooses to obtain a
WebTrust or ETSI-based audit, Microsoft will treat the Government CA
as a Commercial CA. The Government CA can then operate without
limiting the certificates it issues, provided it issues commercial
(including non-profit) certificates from a different root than its
government certificates and it signs a commercial CA contract with
Microsoft.

... more about audits ...



A “Government CA” is an entity that is established by the sovereign
government of the jurisdiction in which the entity operates, and whose
existence and operations are directly or indirectly subject to the
control of the sovereign government anywhere in the PKI chain.

A “Commercial CA” is an entity that is legally recognized in the
jurisdiction(s) in which the entity operates (e.g., corporation or
other legal person), that operates on a for-profit basis, and that
issues digital certificates to other CAs or to the general public.

“Certification Authority” or “CA” means an entity that issues digital
certificates in accordance with Local Laws and Regulations.

“Local Laws and Regulations” means the laws and regulations applicable
to a CA under which the CA is authorized to issue digital
certificates, which set forth the applicable policies, rules, and
standards for issuing, maintaining, or revoking certificates,
including audit frequency and procedure.



-tom
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
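The requirement quoted above (server-authentication certificates confined to .gov names, every other certificate confined to the country codes the government controls) is a restriction that can be enforced technically, as an RFC 5280 name-constraints check, and not only contractually. The following is an added illustration and is not code from this thread, from Microsoft's program or from Mozilla: a small pure-Python checker that applies dNSName subtree matching and a subject-country check to constructed, simplified certificate records (dicts standing in for parsed X.509 data). The profile values, the placeholder country code "ZZ" and all sample names are assumptions.

```python
"""Added example: enforce a government-CA issuance profile as name constraints.

Models the quoted requirement with RFC 5280 section 4.2.1.10 semantics:
serverAuth certificates may only carry dNSNames under a permitted subtree
("gov" here); every other certificate must name a permitted subject country.
Certificates are simplified dicts, not DER; everything below is constructed
for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class NameConstraints:
    permitted_dns: List[str] = field(default_factory=list)      # dNSName subtrees
    excluded_dns: List[str] = field(default_factory=list)
    permitted_countries: Set[str] = field(default_factory=set)  # subject C= values


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName matching: a subtree "gov" matches "gov" and any name
    formed by prepending labels ("portal.agency.gov"), never "fakegov".
    A leading-dot subtree (".gov"), which several implementations also
    accept, requires at least one extra label."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    if subtree.startswith("."):
        return name.endswith(subtree)          # the dot enforces the label boundary
    return name == subtree or name.endswith("." + subtree)


def check_server_names(san_dns: List[str], nc: NameConstraints) -> List[str]:
    """Return the SAN dNSNames that breach the constraints (empty list = OK).
    A name passes if it lies in some permitted subtree (when any are listed)
    and in no excluded subtree; one bad SAN taints the whole certificate."""
    offending = []
    for n in san_dns:
        permitted = not nc.permitted_dns or any(dns_in_subtree(n, s) for s in nc.permitted_dns)
        excluded = any(dns_in_subtree(n, s) for s in nc.excluded_dns)
        if not permitted or excluded:
            offending.append(n)
    return offending


def country_permitted(country: Optional[str], nc: NameConstraints) -> bool:
    """Non-server certificates: the subject's C= must be a permitted ISO 3166 code."""
    if not nc.permitted_countries:
        return True
    return country is not None and country.upper() in nc.permitted_countries


# Hypothetical profile: "gov" only for servers; "ZZ" is a constructed placeholder
# for the country code(s) the government has sovereign control over.
GOV_CA_PROFILE = NameConstraints(permitted_dns=["gov"], permitted_countries={"ZZ"})

# Constructed sample issuance records; "eku" is the extended key usage purpose.
SAMPLE_CERTS = [
    {"cn": "portal.agency.gov", "san": ["portal.agency.gov", "www.agency.gov"],
     "country": "ZZ", "eku": "serverAuth"},
    {"cn": "bank.example.com", "san": ["bank.example.com"], "country": "ZZ",
     "eku": "serverAuth"},
    {"cn": "fakegov", "san": ["fakegov", "mail.agency.gov"], "country": "ZZ",
     "eku": "serverAuth"},                      # suffix match without a label boundary
    {"cn": "Jane Doe", "san": [], "country": "ZZ", "eku": "emailProtection"},
    {"cn": "Jane Roe", "san": [], "country": "QQ", "eku": "emailProtection"},
]


def audit(certs: List[dict], nc: NameConstraints) -> Dict[str, List[str]]:
    """Map each non-compliant certificate's CN to the reasons it fails the profile."""
    findings: Dict[str, List[str]] = {}
    for c in certs:
        reasons = []
        if c["eku"] == "serverAuth":
            bad = check_server_names(c["san"], nc)
            if bad:
                reasons.append(f"dNSName(s) outside permitted subtrees: {bad}")
        elif not country_permitted(c.get("country"), nc):
            reasons.append(f"subject country {c.get('country')!r} not permitted")
        if reasons:
            findings[c["cn"]] = reasons
    return findings


if __name__ == "__main__":
    for cn, reasons in audit(SAMPLE_CERTS, GOV_CA_PROFILE).items():
        print(f"{cn}: {'; '.join(reasons)}")
```

Running the module reports the three constructed records that fall outside the profile. The same subtrees would, in a real deployment, go into the CA certificate's NameConstraints extension (permittedSubtrees), so that relying parties reject out-of-scope certificates at validation time; a checker like this one, run over the CA's own issuance records or over CT logs, only detects mis-issuance after the fact.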


Re: Name-constraining government CAs, or not

2015-06-12 Thread Peter Bowen
On Fri, Jun 12, 2015 at 3:46 PM, Tom Ritter t...@ritter.vg wrote:
> Are https://technet.microsoft.com/en-us/library/cc751157.aspx and
> http://aka.ms/auditreqs the MSFT components (previously?) under NDA?

The published requirements are not under NDA.  Microsoft released a
draft version under NDA for feedback.

>
> Government CAs must restrict server authentication to .gov domains and
> may only issue other certificates to the ISO3166 country codes that
> the country has sovereign control over (see http://aka.ms/auditreqs
> section III for the definition of a “Government CA”).
>
> Government CAs that also operate as commercial, non-profit, or other
> publicly-issuing entities must use a different root for all such
> certificate issuances (see http://aka.ms/auditreqs section III for the
> definition of a “Commercial CA”).
>
>
> Effective July 1, 2015, Government CAs may choose to either obtain the
> above WebTrust or ETSI-based audit(s) required of Commercial CAs, or
> to use an Equivalent Audit. If a Government CA chooses to obtain a
> WebTrust or ETSI-based audit, Microsoft will treat the Government CA
> as a Commercial CA. The Government CA can then operate without
> limiting the certificates it issues, provided it issues commercial
> (including non-profit) certificates from a different root than its
> government certificates and it signs a commercial CA contract with
> Microsoft.
>
> ... more about audits ...
>
>
> A “Government CA” is an entity that is established by the sovereign
> government of the jurisdiction in which the entity operates, and whose
> existence and operations are directly or indirectly subject to the
> control of the sovereign government anywhere in the PKI chain.
>
> A “Commercial CA” is an entity that is legally recognized in the
> jurisdiction(s) in which the entity operates (e.g., corporation or
> other legal person), that operates on a for-profit basis, and that
> issues digital certificates to other CAs or to the general public.
>
> “Certification Authority” or “CA” means an entity that issues digital
> certificates in accordance with Local Laws and Regulations.
>
> “Local Laws and Regulations” means the laws and regulations applicable
> to a CA under which the CA is authorized to issue digital
> certificates, which set forth the applicable policies, rules, and
> standards for issuing, maintaining, or revoking certificates,
> including audit frequency and procedure.
>
>
> -tom