On 8/9/2022 2:02 a.m., Ben Wilson wrote:
Hi Dimitris,
Thanks. I don't know why Chrome chose five years because I can't think
of a scenario where a CA operator would take 4-5 years to submit their
root CA for inclusion in the trust store. Whereas, three years seemed
more reasonable and manageable.
Without being 100% certain, I believe there is a use case where a CA
performs a key generation ceremony witnessed by an external Qualified
Auditor, then "parks" those keys, making sure they are covered in annual
audits by providing "key protection" audit reports for the keys not
associated with Root CAs. This has been presented in CABF F2F meetings
several times. I assume that a CA with "parked keys" could pick some of
those keys up 4 years from creation and create a Root CA(s) to be
included in Root stores without needing to perform another (costly?)
keygen witnessed by an external auditor.
Either way, I'm more concerned about the deviation from the Chrome Root
Store Policy than the decision of 3 or 5 years :) Hopefully the two
programs can align (either Chrome changes to 3 years or Mozilla changes to 5).
Dimitris.
Ben
On Tue, Aug 30, 2022 at 12:39 PM Dimitris Zacharopoulos
<[email protected]> wrote:
On 16/8/2022 12:28 a.m., Ben Wilson wrote:
Addition to: Section 7.1 Inclusions
CA key material MUST be generated within the three (3) years that
precede the submission of a CA inclusion request. The date of CA
key material generation shall be determined by reference to the
auditor’s key generation ceremony report.
Why 3 years instead of 5? What are the security benefits of a key
being generated 3 vs 5 years ago? The Chrome Root Program Policy
states that it will accept keys generated 5 years ago so perhaps
there is no significant reason to justify this policy divergence.
Thanks,
Dimitris.
--
You received this message because you are subscribed to the Google
Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/7583f738-82f3-cd1b-3793-5254e4d83095%40it.auth.gr