Kyle Hamilton wrote, On 2008-12-24 13:49:
> Firefox does not send any private key.
> http://en.wikipedia.org/wiki/Certificate_signing_request provides a
> very good overview of what it does.

The answer is not that simple. The cited wiki page explains PKCS#10 Certificate Signing Requests (CSRs). CSRs are ONE way in which certificates can be requested from a CA after generating a key pair, but they are not the only way. IIRC, FF implements two other ways, and one of those ways may include private key "escrow" capability.

I think the relevant questions are:

a) which of Firefox's methods does Thawte use to cause Firefox to generate a key pair and request a certificate?

b) Is there any way for a Firefox user to detect that his CA has requested private key escrow?

c) When requesting a certificate from a CA, what can a Firefox user do to prevent escrowing the newly generated private key?

I think the answers to these questions will likely not be available until next month.