[cabfpub] Reporting on new CAs created between audit reports
Gervase Markham
gerv at mozilla.org
Fri Sep 30 16:24:07 UTC 2016
On 30/09/16 17:22, Peter Bowen wrote:
> I think so. To clarify further, in many cases creating a new
> subordinate CA means using the exact same existing HSM but just
> generating a new key on it. For example, the Gemalto SafeNet Network
> HSM has 2MB of key storage. As a 4096-bit RSA key is less than 1KB
> stored, such an HSM can store at least 2000 CA keys. Additionally it
> was pointed out to me recently that subordinate CAs could even share
> keys as long as each CA has a unique Distinguished Name and Key
> Identifier. This is useful if the other attributes of the CA change
> (for example updating a policy identifier or constraint).
That kind of situation would clearly be suitable for a letter. The trick
is defining how you determine what situations are not suitable :-)
Gerv
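Added example, not code from the thread or from either poster: it builds the key-sharing arrangement Peter describes above, two subordinate CA certificates signed over one RSA key pair that differ only in Subject DN, Subject Key Identifier (SKI) and policy OID, and then shows how an end-entity certificate's Authority Key Identifier (AKI) picks out the right subordinate. It uses the Python `cryptography` package; the names, OIDs, SKI values and 2048-bit key size are all constructed for the example. The one step that matters is setting the SKI explicitly, because the usual RFC 5280 method derives it from the public key and would give both subordinates the same identifier.

```python
"""
Added example (not part of the mailing-list thread): one RSA key pair backs
two subordinate CA certificates with distinct Subject DNs and distinct SKIs,
and a leaf issued by one of them is matched back to it via its AKI.
All names, OIDs, SKI bytes and key sizes below are constructed for the demo.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

NOT_BEFORE = datetime.datetime(2016, 9, 30, tzinfo=datetime.timezone.utc)
NOT_AFTER = NOT_BEFORE + datetime.timedelta(days=365)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer, public_key):
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_AFTER)
    )


def make_root():
    """Self-signed root; its SKI is derived from the key in the usual way."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = _name("Example Root")
    cert = (
        _builder(name, name, key.public_key())
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_subordinate(root_key, root_cert, sub_key, cn, ski, policy_oid):
    """Subordinate CA certificate over `sub_key`, signed by the root.

    The SKI is passed in explicitly instead of being derived from the key:
    two CAs sharing one key would otherwise carry identical identifiers."""
    return (
        _builder(_name(cn), root_cert.subject, sub_key.public_key())
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(x509.SubjectKeyIdentifier(ski), critical=False)
        .add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(root_key.public_key()),
            critical=False,
        )
        .add_extension(
            x509.CertificatePolicies(
                [x509.PolicyInformation(x509.ObjectIdentifier(policy_oid), None)]
            ),
            critical=False,
        )
        .sign(root_key, hashes.SHA256())
    )


def make_leaf(sub_key, sub_cert, cn):
    """End-entity certificate whose AKI copies the issuing subordinate's SKI."""
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ski = sub_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    return (
        _builder(_name(cn), sub_cert.subject, leaf_key.public_key())
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski),
            critical=False,
        )
        .sign(sub_key, hashes.SHA256())
    )


def candidate_issuers(leaf, ca_certs):
    """Path-building step: CA certs whose subject DN equals the leaf's issuer
    DN and whose SKI equals the leaf's AKI key identifier."""
    aki = leaf.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    matches = []
    for ca in ca_certs:
        ski = ca.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
        if ca.subject == leaf.issuer and ski.digest == aki.key_identifier:
            matches.append(ca)
    return matches


def demo():
    root_key, root_cert = make_root()
    shared_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    # Same key, different DN / SKI / policy OID (a "policy identifier change").
    sub_a = make_subordinate(root_key, root_cert, shared_key,
                             "Example Sub CA A", b"\x01" * 20, "1.3.6.1.4.1.99999.1")
    sub_b = make_subordinate(root_key, root_cert, shared_key,
                             "Example Sub CA B", b"\x02" * 20, "1.3.6.1.4.1.99999.2")
    leaf_b = make_leaf(shared_key, sub_b, "leaf.example")
    issuers = candidate_issuers(leaf_b, [sub_a, sub_b])
    return {
        "same_key": sub_a.public_key().public_numbers() == sub_b.public_key().public_numbers(),
        "issuer_cns": [c.subject.rfc4514_string() for c in issuers],
    }


if __name__ == "__main__":
    print(demo())
```

Both subordinates verify under the same private key, so a signature alone cannot say which CA certificate a leaf chains to; the explicit, distinct SKIs (echoed in the leaf's AKI) together with the distinct DNs are what make `candidate_issuers` return exactly one certificate. Had the SKIs been derived from the shared key, both subordinates would carry the same value and only the issuer DN would separate them.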