CA Process
Scooped by allaboutcertificationauthority!

Download: Windows Server 2008 Step-by-Step Guides - Microsoft Download Center - Download Details
These step-by-step guides help IT Professionals learn about and evaluate Windows Server 2008.

Windows root certificate program members
This article discusses the trusted CAs that can be used by Windows users for secure e-commerce. Provides a download link for a list of program members.

Microsoft Root Certificate Program

The Microsoft Root Certificate Program supports the distribution of root certificates, enabling trust among Windows clients. To date, Microsoft has approved nearly one hundred commercial and government CAs for participation in the Program. This page describes the terms for participation and will help new CAs get started to apply to the Program.

How Root Certificate Distribution Works

Root certificates are updated on Windows Vista automatically. When a user visits a secure Web site (by using HTTPS SSL), reads a secure email (S/MIME), or downloads an ActiveX control that is signed (code signing) and encounters a new root certificate, the Windows certificate chain verification software checks the appropriate Microsoft Update location for the root certificate. If it finds it, it downloads it to the system. To the user, the experience is seamless. The user does not see any security dialog boxes or warnings. The download happens automatically, behind the scenes.

Root certificates are also delivered for Windows XP and earlier via the Microsoft Update Catalog. Visitors to the Catalog can search on “root update” or the KB article for the Root Certificate Program, “KB931125”, and download the latest Root Update package. Root Updates are cumulative, so it should only be necessary to install the latest one to receive all root certificates in the Program.

Whether a user, or “relying party”, should trust a root certificate for any particular purpose can be a difficult question. CAs must be on guard against issuing certificates to people who put them to bad use, such as signing malicious software to make it seem more acceptable. CAs should have effective revocation policies and procedures to adequately deal with such certificates. Also, users are expected to scan a CA’s Certificate Practice Statement (CPS) before deciding to trust a certificate - to ensure that acceptance would not cause undue risk to a user’s security, for example. Such documents can be hundreds of pages long though, making user trust decisions complex. Microsoft’s role is to assess CAs and qualify them according to the Program requirements before enabling distribution of their root certificates. We rely upon the judgment of qualified assessors who have themselves been inside the doors of a CA and audited them against publicly available criteria. While our scope of review is relatively narrow and confined to parameters we can verify in advance, our intention is to help customers make difficult trust decisions.

General Requirements

The CA must provide the information requested below (see Step 1. Contact Microsoft), and receive preliminary approval for membership in the Program.

The CA must provide a test certificate issued from the CA’s root certificate for testing purposes. Optionally, a CA can provide to Microsoft a URL of a publicly accessible server where certificates issued from their root certificate can be verified. (See FAQ for details)

The CA must complete a Microsoft CA Agreement. The agreement will be provided only after you have completed Step 1 of the application process and received preliminary approval of your application.

Root certificates must comply with the Technical Requirements section below. In particular, we require a minimum crypto key size of RSA 2048-bit modulus for any root and all issuing CAs. Microsoft will no longer accept root certificates with RSA 1024-bit modulus of any expiration. We prefer that new roots are valid for at least 8 years from date of submission but expire before the year 2030, especially if they have a 2048-bit RSA modulus.

Certificates issued from a root certificate must support the CRL distribution point extension. The CRL distribution point should point to a location that is publicly accessible.

The CA must have a documented revocation policy, and the CA should be able to revoke any certificate they issue.

The CA must complete an audit and submit audit results to Microsoft every twelve (12) months. The Audit must cover the full PKI hierarchy that will be enabled by Microsoft through the assignment of Extended Key Usages (EKUs). All certificate usages that we enable must be audited periodically. The audit report must document the full scope of the PKI hierarchy including any sub-CA that issues a specific type of certificate covered by an audit. Eligible audits include:

WebTrust for Certificate Authorities v1.0 or later, completed by a licensed WebTrust for CAs auditor,

ETSI TS 101 456 v1.2.1 or later,

ETSI TS 102 042 V1.1.1 or later, or

ISO 21188:2006, “Public key infrastructure for financial services -- Practices and policy framework,” completed by either a licensed WebTrust for CAs auditor, or an audit authority operating according to the laws and policies for assessors in the same jurisdiction as the CA.

These are the accepted audits at this time for non-government CAs. We reserve the right to change the audits listed above and/or accept other comparable audits in the future.
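The technical requirements above (RSA 2048-bit minimum, the stated preference for expiry before 2030, and the CRL distribution point extension on issued certificates) can be checked against certificates already present on a Windows machine. The following is an added example, not code from Microsoft or the Program; the function names Test-RootAgainstProgram and Test-IssuedCertHasCrlDp are hypothetical, and the store paths are the standard local certificate stores.

```powershell
# Added example: thresholds are taken from the requirements text above.
$MinRsaBits   = 2048                    # "minimum crypto key size of RSA 2048-bit modulus"
$PreferBefore = [datetime]'2030-01-01'  # "expire before the year 2030" (stated as a preference)
$CrlDpOid     = '2.5.29.31'             # X.509 cRLDistributionPoints extension OID

function Test-RootAgainstProgram {      # hypothetical helper name
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # GetRSAPublicKey returns $null when the certificate key is not RSA.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $findings = @()
    if ($rsa -and $rsa.KeySize -lt $MinRsaBits) {
        $findings += "RSA modulus $($rsa.KeySize) bits is below $MinRsaBits"
    }
    if ($Cert.NotAfter -ge $PreferBefore) {
        $findings += "expires $($Cert.NotAfter.ToString('yyyy-MM-dd')), not before 2030 (preference)"
    }
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        RsaBits    = if ($rsa) { $rsa.KeySize } else { $null }
        NotAfter   = $Cert.NotAfter
        Findings   = $findings -join '; '
    }
}

function Test-IssuedCertHasCrlDp {      # hypothetical helper name
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # The requirement applies to certificates issued from a root, not to the root itself.
    $null -ne $Cert.Extensions[$CrlDpOid]
}

# Roots in the machine trust store that miss a stated threshold.
Get-ChildItem Cert:\LocalMachine\Root |
    ForEach-Object { Test-RootAgainstProgram -Cert $_ } |
    Where-Object Findings |
    Sort-Object RsaBits |
    Format-Table Subject, RsaBits, NotAfter, Findings -AutoSize

# Issued (end-entity) certificates in the user's personal store that lack a CRL distribution point.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { -not (Test-IssuedCertHasCrlDp -Cert $_) } |
    Select-Object Subject, Issuer, Thumbprint
```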