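[13] CAs that issue certificates for the Web normally follow the CA/Browser Forum's BR.
[14] CAs that apparently do not follow the BR include the following.
[19] CA certificates in PKIX are specified in RFC 5280. CA certificates come in the following types >>18.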
[64] The certificate_authorities field of the TLS CertificateRequest message can specify the DNs of the CAs that the server accepts.
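As an added illustration (not code from this page or from any TLS library), the following sketch pulls the CA DNs out of a CertificateRequest body and renders them as text, which is useful when checking which client CAs a server advertises. It assumes the TLS 1.2 layout of RFC 5246 section 7.4.4 (in TLS 1.3 certificate_authorities is an extension instead); the function names and the sample bytes are constructed for this example.

```python
import struct

ATTRS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}
# Constructed sample body (not a capture): two DNs, C=JP,CN=Test CA 1 and C=JP,CN=Test CA 2.
_DN = "3021310b3009060355040613024a503112301006035504030c095465737420434120"
SAMPLE = bytes.fromhex("020140" "000404010403" "004a"
                       "0023" + _DN + "31" + "0023" + _DN + "32")

def der_tlv(buf, pos):  # read one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def dn_to_text(der):
    """Render a DER Name (SEQUENCE OF SET OF SEQUENCE{OID, value}) as text."""
    tag, rdns, _ = der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DistinguishedName is not a SEQUENCE")
    parts, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = der_tlv(rdns, pos)    # one RelativeDistinguishedName (SET)
        p = 0
        while p < len(rdn):
            _, atv, p = der_tlv(rdn, p)     # AttributeTypeAndValue
            _, oid, q = der_tlv(atv, 0)
            _, val, _ = der_tlv(atv, q)
            parts.append(f"{ATTRS.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ",".join(parts)

def parse_certificate_request(body):
    """Return (certificate_types, [DER DNs]) from a TLS 1.2 CertificateRequest body."""
    types, pos = list(body[1:1 + body[0]]), 1 + body[0]
    (n,) = struct.unpack_from("!H", body, pos)
    pos += 2 + n                            # skip supported_signature_algorithms
    (total,) = struct.unpack_from("!H", body, pos)
    pos, end = pos + 2, pos + 2 + total
    if end != len(body):
        raise ValueError("certificate_authorities length mismatch")
    dns = []
    while pos < end:                        # each entry: opaque DistinguishedName<1..2^16-1>
        (n,) = struct.unpack_from("!H", body, pos)
        if n == 0 or pos + 2 + n > end:
            raise ValueError("bad DistinguishedName length")
        dns.append(body[pos + 2:pos + 2 + n])
        pos += 2 + n
    return types, dns
```

The input is the handshake message body only, after the 4-byte handshake header (type 13, 24-bit length).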
[7] The MIME type application/x-x509-ca-cert is sometimes used.
[2] Network Security - CAB Forum https://cabforum.org/network-security/
In addition to the Extended Validation Guidelines and the Baseline Requirements, the CA / Browser Forum has developed statements about the practices of CAs
[4] CA:Problematic Practices - MozillaWiki https://wiki.mozilla.org/CA:Problematic_Practices
[5] CA:Recommended Practices - MozillaWiki https://wiki.mozilla.org/CA:Recommended_Practices
[6] CA:Overview - MozillaWiki https://wiki.mozilla.org/CA:Overview
Certification Authority: An organization that is responsible for the creation, issuance, revocation, and
management of Certificates. The term applies equally to both Roots CAs and Subordinate CAs.
The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with
Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host
separate Web pages using Subscriber Certificates that are (i) valid, (ii) revoked, and (iii) expired.
The CA MUST host test Web pages that allow Application Software Suppliers to test their software with EV
Certificates that chain up to each EV Root Certificate. At a minimum, the CA MUST host separate Web pages using
certificates that are (i) valid (ii) revoked and (iii) expired.
[9] Symantec: Draft Proposal - Google Groups https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/IZYmm8zsSKU
[10] Mozilla CA Certificate Store — Mozilla https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/