On Monday, 18 September 2017 15:50:16 UTC+1, Franck Leroy  wrote:
> This control that StartCom was not allowed to use our path was technically in 
> place by the fact that I was the only one to have the intermediate cross 
> signed certificates, stored (retained) in my personal safe.

I see. Three (groups of) questions as someone who does not operate a public CA:

When the cross signature certificate was signed did this result in some sort of 
auditable record of the signing? A paper trail, or its electronic equivalent - 
so that any audit team would be aware that the certificate existed, regardless 
of whether they were present when it was created?

(If so) Was this record inadequate to reproduce the certificate itself, for 
example just consisting of a serial number and other facts?

Many important functions of a CA are protected by "no lone zone" type 
practices, but would it be possible for you to retrieve the certificate from 
this safe on your own, without oversight by other employees?

I suspect all the above questions have answers that would be obvious to me if I 
had worked for a public CA but I hope you will humour me with answers anyway.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
