On 12/05/2008 11:38 AM, Rob Stradling:
It's considered a very bad practice I think.

Eddy, could you expand on this point?

I don't think WebTrust prohibits CAs from generating/retaining private keys
for users.

Retaining the private keys of users requires a key escrow service, reasonable protection by the CA (at least) and the consent of the user. This is what I know concerning the WebTrust audit.

Personally I view it as a risk for the user AND for the CA. Or would you be willing to take the responsibility over user generated private keys without the consent of the user? Or at all?


Are there any CAs in Mozilla NSS which have the users private keys?

Have a look at:
http://www.globalsign.com/support/csr/autocsr.html

Errr...there is a difference between creating it for and on behalf of the user and retaining the keys. Just for your knowledge, StartCom does provide different utilities for the creation of private keys, CSR, decryption of private keys and so forth. However StartCom doesn't retain any of the private keys and the user doesn't have to use our wizards for it (it's there for convenience), instead can submit his/her signing request at any time.

In this respect, Globalsign might implement it exactly in the same way. We might however ask them or read their CPS instead.


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to