[cabfpub] Fwd: Discussion about RFC5280 and BR in Mozilla-dev-security

Dimitris Zacharopoulos jimmy at it.auth.gr
Sat Feb 20 21:35:52 UTC 2016

On 10/2/2016 1:04 πμ, Ryan Sleevi wrote:
> [...]
> Even if a Root Certificate was generated before 20 bits of entropy 
> became a requirement, the CA could certainly bring that key out of 
> offline storage and re-generate it. They have to have the key still 
> (so they can revoke the intermediates or generate the short-lived 
> responder certificates), and while it means the certificate generation 
> ceremony must be followed, it does not strictly seem like an 
> unreasonable requirement to conduct during the next audit, where your 
> auditors are already on site.

The current Microsoft Root Program 
technical requirements in Section 4A.6 states that:

"Private Keys and subject names must be unique per root certificate; 
reuse of private keys or subject names in subsequent root certificates 
by the same CA may result in random certificate chaining issues. CAs 
must generate a new key and apply a new subject name when generating a 
new root certificate prior to distribution by Microsoft".

I believe that regenerating the RootCA with the same key is not 
compatible with this requirement but I might be wrong here.

Best regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160220/e321c611/attachment-0003.html>

More information about the Public mailing list