You accuse our root status by saying: "We know that key has been run on
deficient infrastructure, with deficient software, and done deficient things..."
As a matter of fact, the ROOT resides on a FIPS140-2 L3 HSM and has been kept all its
lifetime in an offline status (in a robust SAFE) and participated in 3 key
So why do you say that the infrastructure is deficient?
You can question the certificate issued to this key - but why do you question
the key itself?
This is a very severe accusation.
The "deficient things" is creating 2 subCAs that didn't comply with ONE
condition of the BR (critical / not critical of a certain field, which may
have been declared AFTER we created these SUBs). So the Comsign ROOT KEY IS INTACT even
if it signed subCA keys whose certificates are not 100% according to BR.
Can you agree?
dev-security-policy mailing list