[1] [DFN[[[CA]]]] は、[[証明書]]の発行元です。

* 仕様書

[REFS[
- [18] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2015-02-22 15:44:10 +09:00]] 版)
<http://tools.ietf.org/html/rfc5280#section-3.2>
]REFS]

* 分類

[FIG(short list)[
- [[ルートCA]]
- [[下位CA]]
]FIG]

* Web 用 CA

[13] [[Web]] 用[[証明書]]を発行する [[CA]] は、 [[CA/Browser Forum]]
の [[BR]] に従うのが普通です。

[14] [[BR]] に従わないらしき [[CA]] には次のものがあります。
[FIG(short list)[
- [[CAcert]]
]FIG]

[8] 他に[[オレオレ証明書]]など個人や組織の内部に限定されて運用される [[CA]]
があります。

* CA 証明書

[17] [[CA]] の[[証明書]]を特に[DFN[[RUBYB[CA証明書]@en[CA certificate]]]]といいます。

[19] [[PKIX]] における[[CA証明書]]は [[RFC 5280]] で規定されています。
[[CA証明書]]には、次の種別があります [SRC[>>18]]。
[FIG(short list)[
- [[相互証明書]]
- [[自己発行証明書]]
- [[自己署名証明書]]
]FIG]

[20] [[ルートCA]]の[[証明書]]を[[ルート証明書]]といいます。

[21] 
[[中間証明書]]は[[証明書鎖]]に入れてやり取りされます。

* 実例

[FIG(short list)[ [16] [[CA]]
- [[Let's Encrypt]]
- [[CAcert]]
]FIG]

* 文脈

[64] [[TLS]] [CODE[[[CertificateRequest]]]] [[メッセージ]]の
[CODE[[[certificate_authorities]]]] には、[[サーバー]]が受け付ける[[CA]]の[[DN]]を指定できます。

* MIME 型

[7] [[MIME型]]として [CODE(MIME)@en[[[application/x-x509-ca-cert]]]]
が使われることがあります。

* メモ

[2] [CITE@en-US[Network Security - CAB Forum]]
([TIME[2015-03-23 23:03:41 +09:00]] 版)
<https://cabforum.org/network-security/>

[FIG(quote)[
[FIGCAPTION[
[3] [CITE@en-US[CA Practices - CAB Forum]]
([TIME[2015-04-02 12:13:02 +09:00]] 版)
<https://cabforum.org/ca-practices/>
]FIGCAPTION]

> In addition to the Extended Validation Guidelines and the Baseline Requirements, the CA / Browser Forum has developed statements about the practices of CAs

]FIG]

[4] [CITE@en[CA:Problematic Practices - MozillaWiki]]
([TIME[2015-04-02 07:13:46 +09:00]] 版)
<https://wiki.mozilla.org/CA:Problematic_Practices>

[5] [CITE@en[CA:Recommended Practices - MozillaWiki]]
([TIME[2015-04-02 07:13:29 +09:00]] 版)
<https://wiki.mozilla.org/CA:Recommended_Practices>

[6] [CITE@en[CA:Overview - MozillaWiki]]
([TIME[2015-04-02 07:20:42 +09:00]] 版)
<https://wiki.mozilla.org/CA:Overview>

[FIG(quote)[
[FIGCAPTION[
[11] ([TIME[2014-11-01 05:54:38 +09:00]] 版)
<https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf#page=10>
]FIGCAPTION]

> Certification Authority: An organization that is responsible for the creation, issuance, revocation, and
> management of Certificates. The term applies equally to both Roots CAs and Subordinate CAs. 
> 

]FIG]


[FIG(quote)[
[FIGCAPTION[
[12] ([TIME[2014-11-01 05:54:38 +09:00]] 版)
<https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf#page=46>
]FIGCAPTION]

> The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with
> Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host
> separate Web pages using Subscriber Certificates that are (i) valid, (ii) revoked, and (iii) expired.

]FIG]

[FIG(quote)[
[FIGCAPTION[
[15] ([TIME[2014-11-01 05:09:16 +09:00]] 版)
<https://cabforum.org/wp-content/uploads/EV-V1_5_2Libre.pdf#page=41>
]FIGCAPTION]

> The CA MUST host test Web pages that allow Application Software Suppliers to test their software with EV
> Certificates that chain up to each EV Root Certificate. At a minimum, the CA MUST host separate Web pages using
> certificates that are (i) valid (ii) revoked and (iii) expired.

]FIG]

[9] [CITE[Symantec: Draft Proposal - Google グループ]]
([TIME[2017-05-08 11:44:05 +09:00]])
<https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/IZYmm8zsSKU>

[10] [CITE@en[Mozilla CA Certificate Store — Mozilla]]
([TIME[2020-03-27 18:37:57 +09:00]])
<https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/>