basic edits to section 2 from policy authority doc based edits #14
This is a test of making a pull request.

## 2.1 Repositories
The CA SHALL make revocation information for Subordinate Certificates and Subscriber Certificates available in accordance with this Policy.
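Review bot: Section 2.1 is titled "Repositories" but requires only that revocation information be "available in accordance with this Policy", which says nothing about publishing the CA certificates themselves or about where the material must be reachable. A relying party builds and checks a chain from the URIs asserted in the certificate (the CRL distribution point and authority information access pointers), so the section should require that all CA certificates and CRLs issued by the CA be published in a repository that is publicly accessible through every URI asserted in valid certificates the CA issues, and may allow mirroring to additional repositories for performance.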

## 2.2 Publication of information
The CA SHALL publicly disclose its Certificate Policy and/or Certification Practice Statement through an appropriate and readily accessible online means that is available on a 24x7 basis. The CA SHALL publicly disclose its CA business practices to the extent required by the CA's selected audit scheme (see Section 8.1). The disclosures MUST include all the material required by RFC 2527 or RFC 3647, and MUST be structured in accordance with either RFC 2527 or RFC 3647. Effective as of 15 April 2015, section 4.2 of a CA's Certificate Policy and/or Certification Practice Statement (section 4.1 for CAs still conforming to RFC 2527) SHALL state whether the CA reviews CAA Records, and if so, the CA's policy or practice on processing CAA Records for Fully Qualified Domain Names. The CA SHALL log all actions taken, if any, consistent with its processing practice.
May not be ours to figure out at the moment - but is there a criterion for when "Certificate Policy and/or Certification Practice Statement" is "certificate policy" AND "certification practice statement"? E.g., if the CP is detailed enough to allow a relying party to understand what is required, is a CPS still required to be publicly available? From what I have seen, commercial CPs are VERY general (when compared to Fed PKI CPs). Would ultimately make our lives easier if we could eliminate the requirement for a publicly available CPS if we are detailed enough in the policy.
The CA SHALL develop, implement, enforce, and annually update a Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements.
The Federal PKI Policy Authority SHALL annually update this CP to ensure compliance with CAB Forum Baseline requirements.

The CA SHALL develop, implement, enforce, and annually update a Certification Practice Statement that describes in detail how the CA implements the latest version of this CP.
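Review bot: "SHALL annually update this CP to ensure compliance with CAB Forum Baseline requirements" pins the review to a calendar, but the CA/Browser Forum changes the Baseline Requirements through ballots several times a year, so a once-a-year update can leave this CP out of step for most of a year. Suggest "at least annually, and within a defined period after any change to the CA/Browser Forum Baseline Requirements that affects this CP", and write the full name with its usual capitalization ("CA/Browser Forum Baseline Requirements") so it is clear which document is meant. Of the two CPS sentences shown, one ending "the latest version of these Requirements" and one ending "the latest version of this CP", only the "this CP" form should remain in the final text: "these Requirements" is the Baseline Requirements' self-reference and is wrong inside a CP.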

## 2.1 Repositories
The CA SHALL make revocation information for Subordinate Certificates and Subscriber Certificates available in accordance with this Policy.
Add to #2:
All CAs that issue certificates under this policy shall post all CA certificates and CRLs issued by the CA in a repository that is publicly accessible through all Uniform Resource Identifier (URI) references asserted in valid certificates issued by that CA.
Posted certificates and CRLs may be replicated in additional repositories for performance enhancement. Such repositories may be operated by the CA or other parties (e.g., Federal agencies).
updated in new commit:

## 2.1 Repositories
The CA SHALL make revocation information for Subordinate Certificates and Subscriber Certificates available in accordance with this Policy.

## 2.2 Publication of information
The CA SHALL publicly disclose its Certificate Policy and/or Certification Practice Statement through an appropriate and readily accessible online means that is available on a 24x7 basis. The CA SHALL publicly disclose its CA business practices to the extent required by the CA's selected audit scheme (see Section 8.1). The disclosures MUST include all the material required by RFC 2527 or RFC 3647, and MUST be structured in accordance with either RFC 2527 or RFC 3647. Effective as of 15 April 2015, section 4.2 of a CA's Certificate Policy and/or Certification Practice Statement (section 4.1 for CAs still conforming to RFC 2527) SHALL state whether the CA reviews CAA Records, and if so, the CA's policy or practice on processing CAA Records for Fully Qualified Domain Names. The CA SHALL log all actions taken, if any, consistent with its processing practice.
Do we want to mandate checking CAA records and honoring them? Do we expect in the future that there would be CAA records for .gov and .mil limiting certificate issuance to this PKI?
opened issue #39 for CAA records discussion

The CA SHALL publicly disclose its redacted Certification Practice Statement through an appropriate and readily accessible online means that is available on a 24x7 basis. The CA SHALL publicly disclose its CA business practices to the extent required by the CA's selected audit scheme (see Section 8.1). The disclosures MUST include all the material required by ~~RFC 2527 or~~ RFC 3647, and MUST be structured in accordance with ~~either RFC 2527~~ or RFC 3647. The Certification Practice Statement SHALL state whether the CA reviews CAA Records, and if so, the CA's practice on processing CAA Records for Fully Qualified Domain Names. The CA SHALL log all actions taken, if any, consistent with its processing practice.
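Review bot: "its redacted Certification Practice Statement" introduces a term this section does not define; without stated criteria for what may be redacted, a CA can withhold exactly the practices a relying party or auditor needs, and the clause "MUST include all the material required by RFC 3647" has nothing definite to check against. Either define what may be redacted (for example, only security-sensitive operational detail, with the RFC 3647 section structure and every practice that implements a SHALL in this CP kept) or drop "redacted". Dropping "section 4.2" from the CAA sentence also loses the pointer to where the statement belongs; since the CPS still MUST follow RFC 3647, keep "section 4.2 (Certificate application processing)" so readers know where to look, and spell out what "processing CAA Records" covers, in particular whether a CAA record that does not authorize this CA blocks issuance, since "log all actions taken, if any" permits a CA to look and do nothing.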

The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates that are (i) valid, (ii) revoked, and (iii) expired.
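Review bot: "each publicly trusted Root Certificate" scopes the test-page obligation by membership in public trust stores rather than by this CP, so a CA whose root is not publicly trusted could read the sentence as not applying to it, and neither "publicly trusted" nor "Application Software Suppliers" is defined in this section. Suggest "each Root Certificate operating under this CP" (or define both terms where the CP defines its other terms), and add where the test page URLs are published, with the CPS as the natural place, so that software vendors can find the valid, revoked and expired test certificates without contacting the CA.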

## 2.3 Time or frequency of publication
#451
The PA maintains the CP and each CA maintains a CPS
drop the "and/or Certification Practice Statement"
updated in new commit
I do not object to the current text but would still like to understand what the actual requirement is, as "and/or" makes this ambiguous - so as a policy compliance person, I am not sure what is needed... Is it always policy and sometimes Practice? Always practice statement and sometimes policy, or both if both exist? (some CAs do not have a separate policy - just have a CPS...) From a Fed perspective - if we make the policy prescriptive/explicit enough, can we avoid posting a redacted practice statement which will largely restate what the policy says?
👍 from me.
Edits to Section 2, based on edits submitted by document.
Included:
Did not include Section 2.4 Access Controls on Repositories edits.