On Thursday, February 25, 2021 at 2:30:52 PM UTC-5, bwi...@mozilla.com wrote:
> I haven't seen any response to my question about whether there is still a
> concern over the language "as evidenced by a Qualified Auditor's key
> destruction report".
>
> I did add "This cradle-to-grave audit requirement applies equally to
> subordinate CAs as it does to root CAs" to address the scenarios that were
> raised.
>
> So I am going to assume that this issue is resolved and that we can move
> this proposed change forward.
>
> See
> https://github.com/BenWilson-Mozilla/pkipolicy/commit/c8bdb949020634b1f8fa31bc060229c600fe6f9d
Ben, sorry for the late input.

We are on board with the cradle-to-grave audit, as we have experience auditing non-functioning CAs before they go into production and after they have stopped issuing certificates. However, I think there might be an issue in the requirement with the start and stop time of cradle-to-grave.

At the beginning, I think that CAs will generate one or many keys, but will not assign them to CAs. The gap period could be days to years. Since the requirement says "from the time of CA key pair generation", do we want an audit of an unassigned key? Or should the audit start once the key has been assigned and the CA certificate has been generated?

At the end, subordinate CA certificate(s) may be revoked or may expire. Once the certificate(s) are revoked or expired, is this a reasonable time to stop auditing the CA, as trust has been removed? Of course, if the certificates are not revoked or expired, then all copies of the keys should be destroyed to stop the audit. However, I think the best practice should be that certificates should be revoked/expired at the time of key destruction.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy