Tim,

On Fri, Mar 30, 2018 at 7:00 AM, crawfordtimj--- via dev-security-policy <
[email protected]> wrote:

> On Thursday, March 29, 2018 at 2:56:17 PM UTC-5, Ryan Sleevi wrote:
> > On Thu, Mar 29, 2018 at 2:46 PM, Wayne Thayer via dev-security-policy <
> > [email protected]> wrote:
> >
> > > I think, for new CAs, the KGC report and the stated CP/CPS, combined with
> > > ensuring that the next audit that covers the period of time stated on the
> > > KGC report includes that certificate, seems like a reasonable balance.
>
> I think BR 6.1.1.1 is a little confusing on when a root key generation
> observation report is required, because it uses the term “Root CA Key Pair”
> in a section that seems to be addressing CAs that are not root CAs.
>
> For other CA Key Pairs created after the Effective Date that are for the
> operator of the Root CA or an Affiliate of the Root CA, the CA SHOULD:
>

This part seems clear to me.

> 1. prepare and follow a Key Generation Script and
> 2. have a Qualified Auditor witness the Root CA Key Pair generation
> process or record a video of the entire Root CA Key Pair generation process.
>

If you are commenting on the word "Root" in #2, then I think this is meant to
apply to both Root and subordinate CA key pairs, so both instances of the word
"Root" should be struck.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

