On Fri, Mar 05, 2021 at 08:46:26AM -0800, Bruce via dev-security-policy wrote:
> At the beginning, I think that CAs will generate one or many keys, but
> will not assign them to CAs. The gap period could be days to years.
> Since the requirement says "from the time of CA key pair generation", do
> we want an audit of an unassigned key? Or should the audit start once the
> key has been assigned and the CA certificate has been generated?

I think it's reasonable that keys that are bound to CA certificates have an unbroken history of audits demonstrating that the key has always been managed in a way that minimises the chances of disclosure, along with evidence that the key being bound was initially generated in a secure manner (good RNG, etc).

- Matt