Steffen DETTMER wrote:

> For operational, administrative and forensic concerns I think it
> is important to know the key generation time as well as who
> generated it in exactly which way, who gave the key to whom when
> and why and so on - maybe even including a transactional log of
> every key usage ever done.


I'm not suggesting that this isn't useful, just that it is not
a defect that it isn't part of the key format itself.

For compliance purposes, how do you prove generation time? I claim
that the relevant time is that of the first CSR. Operationally,
a timestamp and a nonce as part of a challenge created by the CA,
included in the CSR which is signed by the subject privkey, makes
sense. And hygiene dictates that the only use of the private
key permissible before issuance of the certificate is in signing
the CSR.

If the timestamp isn't generated by a trusted third party, I don't
think it's of much value.

- M

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org