On Friday, June 9, 2017 at 11:52:53 AM UTC-5, Ryan Sleevi wrote:

> So that would be an argument for disclosing both self-signed and
> self-issued certificates, and align with the "Disclose what the key does"
> mentality.
That was essentially the point I was trying to make. Of all the things to watch, one would think that the usage and management of the key is among the most essential. Using that key to sign an X.509 certificate, even a self-signed, self-issued one, is a use of that key. Was the object of its use in that instance, creating the self-signed certificate, an issuance which gets properly recorded in the appropriate systems to be considered part of the overall corpus of certificate issuances which will be sampled in an audit? (Presumably an auditor sampling a given signer's activity utilizes the original log closest to the HSM system and demands particulars of a random sampling of the signature events?)

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
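The distinction the thread turns on (a self-issued certificate has subject equal to issuer; a self-signed one is additionally verifiable with its own key, per RFC 5280 section 6.1) is easy to check mechanically when reconciling what a CA key signed. The following is an added example, not code from the thread or from Mozilla; it builds three constructed certificates under a hypothetical "Example CA" name (a self-signed root, a same-name rollover certificate signed by the old key for a new key, and an end-entity certificate) and classifies each.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Classify reports whether cert is self-issued (subject DN equals issuer DN) and
// self-signed (self-issued and its signature verifies under its own public key).
func Classify(cert *x509.Certificate) (selfIssued, selfSigned bool) {
	selfIssued = bytes.Equal(cert.RawSubject, cert.RawIssuer)
	selfSigned = selfIssued && cert.CheckSignatureFrom(cert) == nil
	return selfIssued, selfSigned
}

// mustCert signs tmpl with signer; parent supplies the issuer name (tmpl itself for a root).
func mustCert(tmpl, parent *x509.Certificate, pub, signer interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildSamples returns constructed test certificates (hypothetical names, fresh keys):
// a self-signed root, a self-issued "new key signed by old key" rollover cert, and a leaf.
func BuildSamples() (root, rollover, leaf *x509.Certificate) {
	oldKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := pkix.Name{CommonName: "Example CA"} // hypothetical CA name
	now := time.Now()
	caTmpl := func(serial int64) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: ca, NotBefore: now,
			NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true}
	}
	rootTmpl := caTmpl(1)
	root = mustCert(rootTmpl, rootTmpl, &oldKey.PublicKey, oldKey)  // signed by its own key
	rollover = mustCert(caTmpl(2), root, &newKey.PublicKey, oldKey) // same name, different key
	leaf = mustCert(&x509.Certificate{SerialNumber: big.NewInt(3), NotBefore: now,
		NotAfter: now.Add(24 * time.Hour), Subject: pkix.Name{CommonName: "example.test"}},
		root, &leafKey.PublicKey, oldKey)
	return root, rollover, leaf
}

func main() {
	root, rollover, leaf := BuildSamples()
	for _, c := range []*x509.Certificate{root, rollover, leaf} {
		si, ss := Classify(c)
		fmt.Printf("serial=%v self-issued=%v self-signed=%v\n", c.SerialNumber, si, ss)
	}
}
```

All three are signatures made by the same CA key, so a "disclose what the key does" record would list all three; the classifier only tags which of them are the self-issued and self-signed cases the thread is discussing.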