On 12/05/2008 12:56 PM, Eddy Nigg:
In this respect, Globalsign might implement it exactly in the same way. We might however ask them or read their CPS instead.
I had another look at http://www.globalsign.com/support/csr/autocsr.html and apparently they aren't sending the PKCS12 file by email but require the user to retrieve it from the user control panel. This would be the proper distribution channel, see https://wiki.mozilla.org/CA:Problematic_Practices#Distributing_generated_private_keys_in_PKCS.2312_files
Of course I don't know if Globalsign retain the private keys or not. But as long as such a service is *optional* (for the convenience of the user) and private keys are not retained by the CA (disclosed in the CPS and audited), then it wouldn't fall under bad practices. This is what we do at StartCom, see https://www.startssl.com/policy.pdf section "Subscriber Private Key Generation and Delivery".
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto