[cabfpub] Ballot 188 - Clarify use of term "CA" in Baseline Requirements
Ryan Sleevi
sleevi at google.com
Wed Mar 1 02:05:55 MST 2017
On Wed, Mar 1, 2017 at 12:43 AM, Dimitris Zacharopoulos <jimmy at it.auth.gr>
wrote:
> On 1/3/2017 10:22 πμ, Ryan Sleevi wrote:
>
>
>
> On Tue, Feb 28, 2017 at 11:36 PM, Dimitris Zacharopoulos via Public <
> public at cabforum.org> wrote:
>>
>> Perhaps changing the "Root CA Certificate" as "A CA Certificate in which
>> the Public Key has been digitally signed by its corresponding Private Key
>> with the intention to be distributed by Application Software Suppliers as a
>> trust anchor". Would that work?
>>
>
> I think this would be a step in the wrong direction. As we know from the
> discussions about the scope of the BRs, "intent" is something that is hard
> to audit and hard to document. We should avoid such definitions, and focus
> on clear technical definitions.
>
>
> I agree with the general concept but this is a special case because when
> you perform a Root Key Ceremony, the CA Certificate is not part of any
> Trust store. Any language that would make this better is welcome.
>
Always require the auditor to attest that any Key Pairs, for any CA
Certificate, be accompanied with a Qualified Auditor attesting that the CA
followed its Key Generation Script.
Would we really want to have a process where a Key Pair is generated using
means that no one independently verifies as compliant with either the Key
Generation Script or the CP/CPS? That's how you end up with a rogue sub-CA
(for example, failing to take appropriate protections for the generated Key
Pair)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170301/b7523c52/attachment.html>
More information about the Public
mailing list