On Wed, Mar 1, 2017 at 12:43 AM, Dimitris Zacharopoulos <[email protected]> wrote:
> On 1/3/2017 10:22 πμ, Ryan Sleevi wrote: > > > > On Tue, Feb 28, 2017 at 11:36 PM, Dimitris Zacharopoulos via Public < > [email protected]> wrote: >> >> Perhaps changing the "Root CA Certificate" as "A CA Certificate in which >> the Public Key has been digitally signed by its corresponding Private Key >> with the intention to be distributed by Application Software Suppliers as a >> trust anchor". Would that work? >> > > I think this would be a step in the wrong direction. As we know from the > discussions about the scope of the BRs, "intent" is something that is hard > to audit and hard to document. We should avoid such definitions, and focus > on clear technical definitions. > > > I agree with the general concept but this is a special case because when > you perform a Root Key Ceremony, the CA Certificate is not part of any > Trust store. Any language that would make this better is welcome. > Always require the auditor to attest that any Key Pairs, for any CA Certificate, be accompanied with a Qualified Auditor attesting that the CA followed its Key Generation Script. Would we really want to have a process where a Key Pair is generated using means that no one independently verifies as compliant with either the Key Generation Script or the CP/CPS? That's how you end up with a rogue sub-CA (for example, failing to take appropriate protections for the generated Key Pair)
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
