[cabfpub] Fwd: Discussion about RFC5280 and BR in Mozilla-dev-security
Dimitris Zacharopoulos
jimmy at it.auth.gr
Sat Feb 20 21:35:52 UTC 2016
On 10/2/2016 1:04 πμ, Ryan Sleevi wrote:
> [...]
>
> Even if a Root Certificate was generated before 20 bits of entropy
> became a requirement, the CA could certainly bring that key out of
> offline storage and re-generate it. They have to have the key still
> (so they can revoke the intermediates or generate the short-lived
> responder certificates), and while it means the certificate generation
> ceremony must be followed, it does not strictly seem like an
> unreasonable requirement to conduct during the next audit, where your
> auditors are already on site.
>
The current Microsoft Root Program
<http://social.technet.microsoft.com/wiki/contents/articles/31633.microsoft-trusted-root-program-requirements.aspx>
technical requirements in Section 4A.6 states that:
"Private Keys and subject names must be unique per root certificate;
reuse of private keys or subject names in subsequent root certificates
by the same CA may result in random certificate chaining issues. CAs
must generate a new key and apply a new subject name when generating a
new root certificate prior to distribution by Microsoft".
I believe that regenerating the RootCA with the same key is not
compatible with this requirement but I might be wrong here.
Best regards,
Dimitris.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160220/e321c611/attachment-0003.html>
More information about the Public
mailing list