Apologies for the new thread. It's difficult for me to reply to messages that were sent before I joined Digicert.

With respect to CA-generated SSL keys, there are a few points that I feel should be considered.

First, third parties who are *not* CAs can run key generation and escrow services, and then the third party service can apply for a certificate for the key, and deliver the certificate and the key to a customer. I'm not sure how this could be prevented. So if this actually did end up being a Mozilla policy, the practical effect would be that SSL keys can be generated by third parties and escrowed, *UNLESS* that party is trusted by Mozilla. This seems backwards, at best.

Second, although I strongly believe that in general, as a best practice, keys should be generated by the device/entity they belong to whenever possible, we've seen increasing evidence that key generation is difficult and many devices cannot do it securely. I doubt that forcing the owner of the device to generate a key on a commodity PC is any better (it's probably worse). With an increasing number of small devices running web servers, keys generated by audited, trusted third parties under whatever rules Mozilla chooses to enforce about secure key delivery may actually in many circumstances be superior to what would happen if the practice is banned.

-Tim

_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy