[cabfpub] Fwd: Discussion about RFC5280 and BR in Mozilla-dev-security

Dimitris Zacharopoulos jimmy at it.auth.gr
Sat Feb 20 21:35:52 UTC 2016


On 10/2/2016 1:04 πμ, Ryan Sleevi wrote:
> [...]
>
> Even if a Root Certificate was generated before 20 bits of entropy 
> became a requirement, the CA could certainly bring that key out of 
> offline storage and re-generate it. They have to have the key still 
> (so they can revoke the intermediates or generate the short-lived 
> responder certificates), and while it means the certificate generation 
> ceremony must be followed, it does not strictly seem like an 
> unreasonable requirement to conduct during the next audit, where your 
> auditors are already on site.
>

The current Microsoft Root Program 
<http://social.technet.microsoft.com/wiki/contents/articles/31633.microsoft-trusted-root-program-requirements.aspx> 
technical requirements in Section 4A.6 states that:

"Private Keys and subject names must be unique per root certificate; 
reuse of private keys or subject names in subsequent root certificates 
by the same CA may result in random certificate chaining issues. CAs 
must generate a new key and apply a new subject name when generating a 
new root certificate prior to distribution by Microsoft".

I believe that regenerating the RootCA with the same key is not 
compatible with this requirement but I might be wrong here.


Best regards,
Dimitris.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160220/e321c611/attachment-0003.html>


More information about the Public mailing list