On Thursday, March 29, 2018 at 2:56:17 PM UTC-5, Ryan Sleevi wrote:
> On Thu, Mar 29, 2018 at 2:46 PM, Wayne Thayer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:

> 
> I think, for new CAs, the KGC report and the stated CP/CPS, combined with
> ensuring that the next audit that covers the period of time stated on the
> KGC report includes that certificate, seems like a reasonable balance.

I think BR 6.1.1.1 is a little confusing on when a root key generation 
observation report is required, because it uses the term “Root CA Key Pair” in 
a section that seems to be addressing CAs that are not root CAs. 

For other CA Key Pairs created after the Effective Date that are for the 
operator of the Root CA or an Affiliate of the Root CA, the CA SHOULD: 

1. prepare and follow a Key Generation Script and 
2. have a Qualified Auditor witness the Root CA Key Pair generation process or 
record a video of the entire Root CA Key Pair generation process. 