On Monday, 18 September 2017 17:28:44 UTC+2, Nick Lamb wrote:
> On Monday, 18 September 2017 15:50:16 UTC+1, Franck Leroy  wrote:
> > This control that StartCom was not allowed to use our path was technical in 
> > place by the fact that I was the only one to have the intermediate cross 
> > signed certificates, stored (retained) in my personal safe.
> 
> I see. Three (groups of) questions as someone who does not operate a public 
> CA:
> 
> When the cross signature certificate was signed did this result in some sort 
> of auditable record of the signing? A paper trial, or its electronic 
> equivalent - so that any audit team would be aware that the certificate 
> existed, regardless of whether they were present when it was created ?
> 
> (If so) Was this record inadequate to reproduce the certificate itself, for 
> example just consisting of a serial number and other facts ?
> 
> Many important functions of a CA are protected by "no lone zone" type 
> practices, but would it be possible for you to retrieve the certificate from 
> this safe on your own, without oversight by other employees ?
> 
> I suspect all the above questions have answers that would be obvious to me if 
> I had worked for a public CA but I hope you will humour me with answers 
> anyway.

Hello

You are right, the answers are quite obvious, but I don't understand the purpose of 
your questions (maybe I'm lost in the translation...)

1/ When we use our root, we produce a key ceremony report.
2/ The signature value doesn't appear in the report, so it is not possible to 
reproduce the certificate.
3/ My safe is in a closet for which I don't have the key, so I have to ask my 
manager to open it; then I can open my safe with my key.

These are standard practices, and it changes nothing about the fact that we cross 
signed in April and sent the certificate to StartCom in August, and that cannot 
be mathematically proven, just my declaration.


Franck
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy