The only way that this can really be acceptable is if there's a means put in place by the Mozilla Foundation to report and act (by removing trust bits as necessary) on actual insecurity identified.
Regardless of whether you have any reason to believe /at this time/, the fact is that no one can predict the future. I'd appreciate it if GlobalSign would commit to letting us know what it and its auditors come up with on this topic. This is potentially Badâ„¢. -Kyle H On Sun, Jul 20, 2008 at 6:23 PM, Frank Hecker <[EMAIL PROTECTED]> wrote: > Frank Hecker wrote: >> Eddy Nigg wrote: > <snip> >>> Not sure what GlobalSign deems as a secure manner to provide PKCS12 >>> files (including private keys) mentioned in 1.9.6.9 of their CPS. >> >> I'll ask about this issue. > > My apologies, I forgot to post what I found out. Briefly, GlobalSign is > not currently doing this; the CPS language is there against the future > possibility. I made them aware of our general concerns about CA > generation and distribution of subscriber private keys (including > pointing them to the relevant discussion threads, etc.). They are > working with their auditors to come up with a mechanism that passes > muster in terms of security. > > The bottom line is that I don't see this as an issue affecting the > requests, given that a) no key generation and distribution is being done > at present and b) at this time I have no reason to believe that > GlobalSign might do this in an insecure manner. > > Frank > > -- > Frank Hecker > [EMAIL PROTECTED] > _______________________________________________ > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto > _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
