On Tuesday, September 19, 2017 at 3:46:09 PM UTC+1, Franck Leroy wrote: > Le lundi 18 septembre 2017 17:28:44 UTC+2, Nick Lamb a écrit : > > On Monday, 18 September 2017 15:50:16 UTC+1, Franck Leroy wrote: > > > This control that StartCom was not allowed to use our path was technical > > > in place by the fact that I was the only one to have the intermediate > > > cross signed certificates, stored (retained) in my personal safe. > > > > I see. Three (groups of) questions as someone who does not operate a public > > CA: > > > > When the cross signature certificate was signed did this result in some > > sort of auditable record of the signing? A paper trial, or its electronic > > equivalent - so that any audit team would be aware that the certificate > > existed, regardless of whether they were present when it was created ? > > > > (If so) Was this record inadequate to reproduce the certificate itself, for > > example just consisting of a serial number and other facts ? > > > > Many important functions of a CA are protected by "no lone zone" type > > practices, but would it be possible for you to retrieve the certificate > > from this safe on your own, without oversight by other employees ? > > > > I suspect all the above questions have answers that would be obvious to me > > if I had worked for a public CA but I hope you will humour me with answers > > anyway. > > Hello > > You are right, answers are quite obvious, but I don’t understand the purpose > of your questions (may be I'm lost in the translation...) > > 1/ When we use our root, we produce a key ceremony report. > 2/ The signature value doesn’t appears in the report so it is not possible to > reproduce the certificate. > 3/ My safe is in a closet which I don’t have the key, so I have to ask my > manager to open it, then I can open my safe this my key. > > These are standard practices, and it changes nothing on the fact that we > cross signed in April and send the certificate to StartCom in August and that > cannot be mathematically proven, just my declaration. > > > Franck
Hi Franck, Could you provide us with a copy of this key ceremony report after removing confidential security information which is not relevant? James _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
