Thank you, excellent discussion and conclusion we arrived at. I understand the general consensus is that the statement about unnotified key transmission to Thawte is correct, saying: "I know of no way", rather than "there is no way". (As Nelson Bolyard wrote).

We are all aware that there is no 100% answer (as always in life), but I assume your knowledge has some weight. This answer I think is acceptable and worth posting in other forums (e.g. Thunderbird and/or Firefox, where this answer would not be given). If you allow me I would cite some of our conclusions given here. Are there any privacy concerns about citations? (I will not post any e-mail address). Please let me know. I will not do any citation if you do not want it.

Further: Nelson Bolyard wrote: "Fost, You might be able to get some developer who works in a part of the browser unrelated to crypto to make a stronger statement about this. But those folks don't participate in this mailing list/newsgroup, so you'll have to ask the question elsewhere to get such an answer."

Who else would you propose asking?

Thank you,

2009/1/10 Robert Relyea <rrel...@redhat.com>

> Fost1954 wrote:
>
>> Bob wrote: "So it turns out even with crmf, escrow does not happen
>> quietly. If the CA requests a key be escrowed, the user is notified:"
>>
>> Sorry, Bob, but it becomes too technical for my knowledge, I do not know
>> what crmf is, nor do I know what tokens etc. are, so speaking honestly: I do
>> not understand your conclusion, even though the words "escrow does not
>> happen quietly" sound positive.
>> Could you or any Firefox developer/programmer answer my question (see
>> below):
>>
> I had missed the other thread (catching up on vacation email). My technical
> answer is pretty much what was described in the thread.
>
>> 1. Is there a dev-tech-crypto / Firefox developer/programmer who wants to
>> confirm Kaspar Band's idea that "running Firefox in "Safe
>> Mode" when generating the key as well as requesting the Certificate with
>> Thawte does securely prevent unnotified private key transmission ?
>>
> As a crypto guy, I don't know what hooks Firefox gives plugins and such.
> You are certainly safe with getting a certificate from Thawte, however. If
> they escrowed the key you would know it. In some sense there is little
> incentive for a CA to hide the fact that they are escrowing keys. They can
> certainly fake being you without any key you give them (they simply generate
> their own key and sign a certificate with your name in it). A CA that does
> escrowing would only do so if it's offering some key recovery service ("if
> you lose your key you can recover it from us"). CAs that try to escrow
> without being up front risk public exposure and loss of market share.
>
> Short answer: I personally would worry about it, but I can't give you a
> definitive answer (since the code in question is well outside the crypto
> code).
>
>> I do not want to be offending,
>>
> I don't think asking questions, and trying to get clarification is
> offending. That's what the list is for.
>
> bob
>
>> but a simple "I think so"-answer does not satisfy most of the
>> Firefox-Thawte Users,...
>>
>> Thank you !
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto