Steffen DETTMER wrote:
> For operational, administrative and forensic concerns I think it is important to know the key generation time as well as who generated it in exactly which way, who gave the key to whom when and why and so on - maybe even including a transactional log of every key usage ever done.
I'm not suggesting that this isn't useful, just that it is not a defect that it isn't part of the key format itself. For compliance purposes, how do you prove generation time? I claim that the relevant time is that of the first CSR.

Operationally, a timestamp and a nonce as part of a challenge created by the CA, included in the CSR which is signed by the subject privkey, make sense. And hygiene dictates that the only use of the private key permissible before issuance of the certificate is in signing the CSR. If the timestamp isn't generated by a trusted third party, I don't think it's of much value.

- M

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]