> The requirements for being a public CA are self-regulated by the industry (via a consortium called CABforum including CAs and browser vendors). The requirements are far more stringent than that, but yes, you need an appropriate HSM.
Yeah, and no root CA would ever do anything to violate the BRs, right? /s
It’s true that BRs exist for a reason (and CAs occasionally fail to follow them), but roots not being on an appropriate HSM would be an extraordinary claim. The failures we’ve seen are not in the same ballpark.
Yeah, and no root CA would ever do anything to violate the BRs, right? /s