On 12/05/2008 11:38 AM, Rob Stradling:
>> It's considered a very bad practice I think.
>
> Eddy, could you expand on this point?
> I don't think WebTrust prohibits CAs from generating/retaining private keys
> for users.

Retaining the private keys of users requires a key escrow service,
reasonable protection by the CA (at least) and the consent of the user.
This is what I know concerning the WebTrust audit.

Personally, I view it as a risk for the user AND for the CA. Or would you
be willing to take the responsibility over user generated private keys
without the consent of the user? Or at all?

>> Are there any CAs in Mozilla NSS which have the users' private keys?
>
> Have a look at:
> http://www.globalsign.com/support/csr/autocsr.html

Errr...there is a difference between creating it for and on behalf of
the user and retaining the keys. Just for your knowledge, StartCom does
provide different utilities for the creation of private keys, CSR,
decryption of private keys and so forth. However, StartCom doesn't retain
any of the private keys and the user doesn't have to use our wizards for
it (it's there for convenience), instead can submit his/her signing
request at any time.

In this respect, GlobalSign might implement it exactly in the same way.
We might, however, ask them or read their CPS instead.

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org