basic edits to section 2 from policy authority doc based edits #14

Merged
merged 2 commits into from
Dec 19, 2016

Conversation

lachellel
Contributor

Edits to Section 2, based on edits submitted by document.

Included:

  • Section 2 (top)
  • Section 2.2 - did not specify "where" the CP would be posted yet
  • Section 2.3 - partial

Did not include Section 2.4 Access Controls on Repositories edits.

@TLSrUS

TLSrUS commented Nov 17, 2016

This is a test of making a pull request.


## 2.1 Repositories
The CA SHALL make revocation information for Subordinate Certificates and Subscriber Certificates available in accordance with this Policy.

## 2.2 Publication of information
The CA SHALL publicly disclose its Certificate Policy and/or Certification Practice Statement through an appropriate and readily accessible online means that is available on a 24x7 basis. The CA SHALL publicly disclose its CA business practices to the extent required by the CA's selected audit scheme (see Section 8.1). The disclosures MUST include all the material required by RFC 2527 or RFC 3647, and MUST be structured in accordance with either RFC 2527 or RFC 3647. Effective as of 15 April 2015, section 4.2 of a CA's Certificate Policy and/or Certification Practice Statement (section 4.1 for CAs still conforming to RFC 2527) SHALL state whether the CA reviews CAA Records, and if so, the CA's policy or practice on processing CAA Records for Fully Qualified Domain Names. The CA SHALL log all actions taken, if any, consistent with its processing practice.

May not be ours to figure out at the moment - but is there a criterion for when "Certificate Policy and/or Certification Practice Statement" is "certificate policy" AND "certification practice statement"? E.g., if the CP is detailed enough to allow a relying party to understand what is required - is a CPS still required to be publicly available? From what I have seen, commercial CPs are VERY general (when compared to Fed PKI CPs). Would ultimately make our lives easier if we could eliminate the requirement for a publicly available CPS if we are detailed enough in the policy.

The CA SHALL develop, implement, enforce, and annually update a Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements.
The Federal PKI Policy Authority SHALL annually update this CP to ensure compliance with CAB Forum Baseline requirements.

The CA SHALL develop, implement, enforce, and annually update a Certification Practice Statement that describes in detail how the CA implements the latest version of this CP.

## 2.1 Repositories
The CA SHALL make revocation information for Subordinate Certificates and Subscriber Certificates available in accordance with this Policy.

@techliaison techliaison Dec 3, 2016

Add to #2 :
All CAs that issue certificates under this policy shall post all CA certificates and CRLs issued by the CA in a repository that is publicly accessible through all Uniform Resource Identifier (URI) references asserted in valid certificates issued by that CA.
Posted certificates and CRLs may be replicated in additional repositories for performance enhancement. Such repositories may be operated by the CA or other parties (e.g., Federal agencies).

Contributor Author

updated in new commit:

4ebbf01


## 2.1 Repositories
The CA SHALL make revocation information for Subordinate Certificates and Subscriber Certificates available in accordance with this Policy.

## 2.2 Publication of information
The CA SHALL publicly disclose its Certificate Policy and/or Certification Practice Statement through an appropriate and readily accessible online means that is available on a 24x7 basis. The CA SHALL publicly disclose its CA business practices to the extent required by the CA's selected audit scheme (see Section 8.1). The disclosures MUST include all the material required by RFC 2527 or RFC 3647, and MUST be structured in accordance with either RFC 2527 or RFC 3647. Effective as of 15 April 2015, section 4.2 of a CA's Certificate Policy and/or Certification Practice Statement (section 4.1 for CAs still conforming to RFC 2527) SHALL state whether the CA reviews CAA Records, and if so, the CA's policy or practice on processing CAA Records for Fully Qualified Domain Names. The CA SHALL log all actions taken, if any, consistent with its processing practice.

Do we want to mandate checking CAA records and honoring them? Do we expect in the future that there would be CAA records for .gov and .mil limiting certificate issuance to this PKI?

Contributor Author

opened issue #39 for CAA records discussion


The CA SHALL publicly disclose its redacted Certification Practice Statement through an appropriate and readily accessible online means that is available on a 24x7 basis. The CA SHALL publicly disclose its CA business practices to the extent required by the CA's selected audit scheme (see Section 8.1). The disclosures MUST include all the material required by ~~RFC 2527 or~~ RFC 3647, and MUST be structured in accordance with ~~either RFC 2527~~ or RFC 3647. The Certification Practice Statement SHALL state whether the CA reviews CAA Records, and if so, the CA's practice on processing CAA Records for Fully Qualified Domain Names. The CA SHALL log all actions taken, if any, consistent with its processing practice.

The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates that are (i) valid, (ii) revoked, and (iii) expired.
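Review bot: "redacted Certification Practice Statement" in the first paragraph of 2.2 introduces a qualifier that nothing in this section defines, and the comments on this pull request already show readers unsure what must actually be posted; the text should say what a CA may redact from the public CPS (or point to the section that does) so that the disclosure requirement is testable by an auditor. Dropping the "(section 4.1 for CAs still conforming to RFC 2527)" alternative from the CAA sentence is consistent with striking RFC 2527 from the structure requirement in the same paragraph, so no further change is needed there.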

## 2.3 Time or frequency of publication

#451
The PA maintains the CP and each CA maintains a CPS
drop the "and/or Certification Practices Statement"

Contributor Author

updated in new commit

4ebbf01

@LarryFrank

> publicly disclose its Certificate Policy and/or Certification Practice Statement

I do not object to the current text but would still like to understand what the actual requirement is as "and/or" makes this ambiguous - so as a policy compliance person, I am not sure what is needed... Is it always policy and sometimes Practice? Always practice statement and sometimes policy or both if both exist? (some CAs do not have a separate policy - just have a CPS...) From a Fed perspective - if we make the policy prescriptive/explicit enough can we avoid posting a redacted practice statement which will largely restate what the policy says?

@lachellel
Contributor Author

@konklone @TLSrUS

I want to merge section 2? incorporated comments from larry and wendy, opened issues for any outstanding questions...

Let's merge?

@konklone
Contributor

👍 from me.

@konklone konklone merged commit b6d5838 into master Dec 19, 2016
@konklone konklone deleted the section2 branch December 19, 2016 01:27
5 participants