Since it's a webserver running on the local machine and is using that certificate key/pair, I think that someone more capable than me can easily extract the key from it.
From my point of view as an observer it's plainly obvious that the private key must be on my local machine too, even if I haven't actually got to the key itself yet.

On Monday, 25 December 2017 16:58:42 UTC+2, Jeremy Rowley wrote:
> I think this raises a question on what level of investigation and assumption
> is required by the CA. Let's Encrypt, for example, requires submission of the
> private key for revocation (https://letsencrypt.org/docs/revoking/). Is
> simply providing a reference rather than the key sufficient?