One more question, in addition to the ones in my prior response: On Mon, Mar 6, 2017 at 6:02 PM, Ryan Hurst <r...@google.com> wrote: > rmh: I just attached two opinion letters from our auditors, I had previously > provided these to the root programs directly but it took some time to get > permission to release them publicly. One letter is covering the key > generation ceremony of the new roots, and another covering the transfer of > the keys to our facilities. In this second report you will find the > following statement: > > ``` > In our opinion, as of November 17, 2016, Google Trust Services LLC > Management’s Assertion, as referred to above, is fairly stated, in all > material respects, based on Certification Practices Statement Management > Criterion 2.2, Asset Classification and Management Criterion 3.2, and Key > Storage, Backup and Recovery Criterion 4.2 of the WebTrust Principles and > Criteria for Certification Authorities v2.0. > ```
According to the opinion letter: "followed the CA key generation and security requirements in its: o Google Internet Authority G2 CPS v1.4" (hyperlink omitted) According to that CPS, "Key Pairs for the Google Internet Authority are generated and installed in accordance with the contract between Google and GeoTrust, Inc., the Root CA." Are you asserting that the authority for the key generation process for the new Google roots is "the contract between Google and GeoTrust, Inc."? Thanks, Peter _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
