On 11/29/2008 01:23 PM, Ian G:
Eddy Nigg wrote:
On 11/27/2008 01:22 PM, Ian G:
How do we know whether the keys are managed properly? Good question!
Well, it's a closed architecture & codebase, but it has been audited, so
it bears comparison to any CA which operates a closed/audited procedure.
Bullshit! That's about the same as CAs keeping copies of the users
private keys...such a nonsense!
Which they are indeed permitted to do, as long as they state that in
their procedures, and their auditor agrees that they have met criteria.
Eddy, other than your need to be colourful, what was the point you were
trying to make?
Well, CAs MUSTN'T have private keys of end user certificates, except in
case of a properly implemented key escrow service and with the consent
of the user. But if you really have to ask this question I'm afraid that
the understandings about this and other subjects are probably too far
apart between us in order to have any fruitful discussion.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto