Baseline Requirements for the Issuance and Management of Publicly Trusted SSL Certificates
Index
1. Scope
2. Purpose
3. References
4. Definitions
5. Abbreviations and Acronyms
6. Conventions
7. Certificate Warranties and Representations
7.1 By the CA
7.1.1 Certificate Beneficiaries
7.1.2 Certificate Warranties
7.2 By the Applicant
8. Community and Applicability
8.1 Compliance
8.2 Certificate Policies
8.2.1 Implementation
8.2.2 Disclosure
8.3 Commitment to Comply
8.4 Trust model
9. Certificate Content and Profile
9.1 Issuer Information
9.1.1 Issuer Common Name Field
9.1.2 Issuer Domain Component Field
9.1.3 Issuer Organization Name Field
9.1.4 Issuer Country Name Field
9.2 Subject Information
9.2.1 Subject Alternative Name Extension
9.2.2 Subject Common Name Field
9.2.3 Subject Domain Component Field
9.2.4 Subject Organization Name Field
9.2.5 Subject Country Name Field
9.2.6 Other Subject Attributes
9.3 Certificate Policy Identification
9.3.1 Reserved Certificate Policy Identifiers
9.3.2 Root CA Certificates
9.3.3 Subordinate CA Certificates
9.3.4 Subscriber Certificates
9.4 Validity Period
9.5 Subscriber Public Key
9.6 Certificate Serial Number
9.7 Additional Technical Requirements
10. Certificate Application
10.1 Documentation Requirements
10.2 Certificate Request
10.2.1 General
10.2.2 Request and Certification
10.2.3 Information Requirements
10.2.4 Subscriber Private Key
10.3 Subscriber and Terms of Use Agreement
10.3.1 General
10.3.2 Agreement Requirements
11. Verification Practices
11.1 Authorization by Domain Name Registrant
11.2 Verification of Subject Identity Information
11.2.1 Identity
11.2.2 DBA/Tradename
11.2.3 Authenticity of Certificate Request
11.2.4 Verification of Individual Applicant
11.2.5 Verification of Country
11.3 Age of Certificate Data
11.4 Denied List
11.5 High Risk Requests
11.6 Data Source Accuracy
12. Certificate Issuance by a Root CA
13. Certificate Revocation and Status Checking
13.1 Revocation
13.1.1 Revocation Request
13.1.2 Certificate Problem Reporting
13.1.3 Investigation
13.1.4 Response
13.1.5 Reasons for Revocation
13.2 Certificate Status Checking
13.2.1 Mechanisms
13.2.2 Repository
13.2.3 Response Time
13.2.4 Deletion of Entries
13.2.5 OCSP Signing
14. Employees and Third Parties
14.1 Trustworthiness and Competence
14.1.1 Identity and Background Verification
14.1.2 Training and Skill Level
14.2 Delegation of Functions
14.2.1 General
14.2.2 Compliance Obligation
14.2.3 Allocation of Liability
14.2.4 Enterprise RAs
15. Data Records
15.1 Documentation and Event Logging
15.2 Events and Actions
15.3 Retention
15.3.1 Audit Log Retention
15.3.2 Documentation Retention
16. Data Security
16.1 Objectives
16.2 Risk Assessment
16.3 Security Plan
16.4 Business Continuity
16.5 System Security
16.6 Private Key Protection
17. Audit
17.1 Eligible Audit Schemes
17.2 Audit Period
17.3 Audit Report
17.4 Pre-Issuance Readiness Audit
17.5 Audit of Delegated Functions
17.6 Auditor Qualifications
17.7 Key Generation Ceremony
17.8 Regular Quality Assessment Self Audits
18. Liability and Indemnification
18.1 Liability to Subscribers and Relying Parties
18.2 Indemnification of Application Software Suppliers
18.3 Root CA Obligations
Appendix A - Cryptographic Algorithm and Key Requirements (Normative)
Appendix B – Certificate Extensions (Normative)
Root CA Certificate
Subordinate CA Certificate
Subscriber Certificate
Appendix C - User Agent Verification (Normative)




On June 1, 2016, all certificates without Certificate Transparency and not published in Certificate Transparency logs may cause browser warning messages to display in Google Chrome.

Welcome to the INTERPRETATION of the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1

Translation by: Web Trust Ukraine

THIS TRANSLATION IS NOT LITERAL AND IS PROVIDED "AS IS". YOU MAY USE THE TRANSLATION SOLELY AT YOUR OWN RISK. WEB TRUST UKRAINE EXPRESSLY DISCLAIMS ALL EXPRESS AND IMPLIED WARRANTIES AND CONDITIONS OF ANY KIND, INCLUDING IMPLIED WARRANTIES AND CONDITIONS OF USE, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT OF PROPRIETARY RIGHTS. WEB TRUST UKRAINE IS NOT LIABLE FOR DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE OR OTHER DAMAGES, INCLUDING LOSSES RELATED TO LOST PROFITS, DAMAGE TO BUSINESS REPUTATION, LOSS OF USE, LOSS OF DATA, AND OTHER INTANGIBLE DAMAGES CAUSED BY THE USE OF THIS TRANSLATION.

CAB Forum Requirements

The CA/Browser Forum is a voluntary organization of leading certification authorities (CAs) and vendors of Internet browser software and other applications.

CA/Browser Forum Approves Baseline Requirements for SSL/TLS Certificates

The CA/Browser Forum has released the "Baseline Requirements for the Issuance and Management of Publicly Trusted Certificates", the first international baseline standard for the operation of Certification Authorities (CAs) issuing SSL/TLS digital certificates natively trusted in browser software. The CA/Browser Forum has requested that internet browsers and operating systems adopt the Baseline Requirements among their conditions to distribute CA root certificates in their software. The new Baseline Requirements will improve the reliability and accountability of SSL/TLS issuance for relying parties by establishing baseline standards for all types of SSL/TLS certificates from all publicly-trusted CAs. The Baseline Requirements draw upon best practices from across the SSL/TLS sector to provide clear standards for CAs on important subjects including verification of identity, certificate content and profiles, CA security, revocation mechanisms, use of algorithms and key sizes, audit requirements, liability, privacy and confidentiality, and delegation (including external sub-CAs and registration authorities).

| Effected Change | Changed Description | Effective Date | Cut Off Date |
|---|---|---|---|
| Subject Alternative Name Extension | IP addresses no longer allowed in SAN field * | 7/1/2012 | 11/1/2015 |
| Subject Alternative Name Extension | Server names no longer allowed in SAN field | 7/1/2012 | 11/1/2015 |
| Subject Alternative Name Extension | The common name will be added automatically to all SSL as SAN. If common name starts with www. The TLD domain.com will also be added. | 7/1/2012 | 6/30/2012 |
| New Certificate Validity periods | MAX cert validity 60 months. Because we add additional months upon renewal, the maximum validity we can support is 4 years | 7/1/2012 | 7/1/2012 |
| New Certificate Validity periods | MAX cert validity 39 months. After the effective date, we will only support max validity of 3 years + max of 90 days upon renewal | 4/1/2015 | 3/31/2015 |
| Org Unit Field in CSR | Optional field, but if present information must be verified by CA. Organization Unit field will be screened against our internal black and high risk lists. | 7/1/2012 | 6/30/2012 |
| Age of Certificate/Authentication Data | Data or documents must not have been obtained more than 39 months prior to certificate issuance | 7/1/2012 | 6/30/2012 |
| Proof of Right, Business Registration documents, VAT Certificate etc.. | ALL Documents received by the customers have to be vetted for authenticity with third party agency or POL | 7/1/2012 | 6/30/2012 |
| Locality Field and State/Province field | The Locality and State/Province field in CSR will be vetted and needs to reflect the locality of the organization as per their POR docs or Proof of Address | 7/1/2012 | 6/30/2012 |
| Corporate Identifier has to be present | The Org field of the CSR has to contain the corporate Identifier i.e. Incorporation, Limited, Corporation etc.. | 7/1/2012 | 6/30/2012 |
| Domain Rights Vetting | If the Whois records show different organization to that shown in the Org field of the CSR, the only approved authentication method is by DRC to the email contact listed in the Whois. No more DAL. | 7/1/2012 | 6/30/2012 |
| Domain Authorization Letter process for private or proxy domain registration process (e.g. Domains by Proxy) | Domain Authorization Letters from private and proxy domain services must be verified for authenticity with the domain registrar. A new letter will be required for each future enrolment. | 7/1/2012 | 6/30/2012 |
| Address verification (GT Only) | Address Verification may be obtained via multiple 3rd party databases such as D&B, Companies House, etc. | 7/1/2012 | 6/30/2012 |
| Vetting of phone numbers via 3rd parties | Professional Opinion Letter to be used in situations when a 3rd party number cannot be located. Phone Bills and Utility Bills can be accepted from the customer after authenticity is confirmed through service provider. | 7/1/2012 | 6/30/2012 |

* Public IP addresses are addresses that are valid as nodes on the Internet. They can be resolved and routed across the Internet from one point to another. Unlike public IP addresses, private IP addresses are not valid on the Internet. Three ranges of private IP addresses have been selected for the three network classes. An IP address is considered private if the IP number falls within one of the IP address ranges reserved for private use by Internet standards groups. These private IP address ranges exist:
10.0.0.0 - 10.255.255.255
169.254.0.0 - 169.254.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

The IP standard defines specific address ranges reserved for use by private networks. Private IP addresses are typically used on local networks, including home, school and business LANs as well as those in airports and hotels. Devices with private IP addresses cannot connect directly to the Internet. Likewise, computers outside the local network cannot connect directly to a device with a private IP. Instead, access to such devices must be brokered by a router or similar device that supports Network Address Translation (NAT). NAT hides the private IP numbers but can selectively transfer messages to these devices, affording a layer of security to the local network. Standards groups created private IP addressing to prevent a shortage of public IP addresses available to Internet service providers and subscribers.
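
To pre-screen a certificate request against the SAN changes in the table above, the following added example (not part of the original page or of any CA's tooling) classifies each SAN value as an IP address in one of the private ranges listed in the footnote, another IP address, a bare server name, or a fully qualified domain name. The function names, the category labels and the sample SAN list are assumptions made for illustration, as is the IPv6 fallback, since the page lists only IPv4 ranges.

```python
import ipaddress

# IPv4 ranges exactly as listed in the footnote above.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

def classify_san(entry):
    """Classify one SAN value as private-ip, public-ip, server-name or fqdn."""
    value = entry.strip().rstrip(".").lower()
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    if addr is not None:
        if addr.version == 4:
            private = any(addr in net for net in PRIVATE_RANGES)
        else:
            # Assumption: the page lists no IPv6 ranges, so fall back to
            # the standard library's own notion of private/link-local.
            private = addr.is_private or addr.is_link_local
        return "private-ip" if private else "public-ip"
    if value.startswith("*."):      # wildcard names: judge the base name
        value = value[2:]
    # A name with no dot is a bare server (host) name, not a registered domain.
    return "fqdn" if "." in value else "server-name"

def flag_sans(entries):
    """Return {entry: kind} for every SAN value that is not a plain FQDN."""
    kinds = {e: classify_san(e) for e in entries}
    return {e: k for e, k in kinds.items() if k != "fqdn"}

# Constructed sample SAN list (not taken from any real certificate).
SAMPLE_SANS = ["www.example.com", "*.example.com", "mailserver",
               "10.1.2.3", "172.31.255.255", "172.32.0.1", "169.254.10.1"]

if __name__ == "__main__":
    for entry, kind in flag_sans(SAMPLE_SANS).items():
        print(f"{entry:18} {kind}")
```
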

Copyright © 2000-2014 WebTrust™