Eddy Nigg wrote:
On 11/29/2008 01:23 PM, Ian G:
Eddy Nigg wrote:
On 11/27/2008 01:22 PM, Ian G:

How do we know whether the keys are managed properly? Good question!
Well, it's a closed architecture & codebase, but it has been audited, so it bears comparison to any CA which operates a closed/audited procedure.

Bullshit! That's about the same as CAs keeping copies of the users
private keys...such a nonsense!


Which they are indeed permitted to do, as long as they state that in
their procedures, and their auditor agrees that they have met criteria.

Eddy, other than your need to be colourful, what was the point you were
trying to make?


Well, CAs MUSTN'T have private keys of end user certificates, except in case of a properly implemented key escrow service and with the consent of the user.


Right, CAs won't have the private keys, unless they do. I imagine a corporate CA can do what it likes, and doesn't need the consent of the user. I also imagine that an ISP CA can do something similar, because it gets an implied consent from somewhere or other. And if my CA says "we got your private keys", then you have the choice of another CA.

I'm not saying I "approve" of these things, just that they do exist, and they are expected to exist. Chokani et al has sections on them; there are some businesses around that like to do mass population of desktops. To the extent that they document these things in a CPS, pass an audit, then those CAs are cool, in today's world.

Also, there is a silliness aspect to this. If the CAs are trusted not to issue false certs for users, why can't they be trusted to look after their private keys?


But if you really have to ask this question I'm afraid that the understandings about this and other subjects are probably too far apart between us in order to have any fruitful discussion.


If you don't like that, places to change it would be Chokhani et al (RFC 3647) or the Mozilla policy, I guess.



iang

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to