Eddy Nigg wrote:
On 11/29/2008 01:23 PM, Ian G:
Eddy Nigg wrote:
On 11/27/2008 01:22 PM, Ian G:
How do we know whether the keys are managed properly? Good question!
Well, it's a closed architecture & codebase, but it has been audited, so
it bears comparison to any CA which operates a closed/audited procedure.
Bullshit! That's about the same as CAs keeping copies of the users'
private keys...such a nonsense!
Which they are indeed permitted to do, as long as they state that in
their procedures, and their auditor agrees that they have met criteria.
Eddy, other than your need to be colourful, what was the point you were
trying to make?
Well, CAs MUSTN'T have private keys of end user certificates, except in
case of a properly implemented key escrow service and with the consent
of the user.
Right, CAs won't have the private keys, unless they do. I imagine a
corporate CA can do what it likes, and doesn't need the consent of the
user. I also imagine that an ISP CA can do something similar, because
it gets an implied consent from somewhere or other. And if my CA says
"we got your private keys", then you have the choice of another CA.
I'm not saying I "approve" of these things, just that they do exist, and
they are expected to exist. Chokhani et al has sections on them; there
are some businesses around that like to do mass population of desktops.
To the extent that they document these things in a CPS, pass an audit,
then those CAs are cool, in today's world.
Also, there is a silliness aspect to this. If the CAs are trusted not
to issue false certs for users, why can't they be trusted to look after
their private keys?
But if you really have to ask this question I'm afraid that
the understandings about this and other subjects are probably too far
apart between us in order to have any fruitful discussion.
If you don't like that, places to change it would be Chokhani et al (RFC
3647) or the Mozilla policy, I guess.
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto