On Tue, May 15, 2018 at 9:17 PM Tim Hollebeek <tim.holleb...@digicert.com> wrote:
> My only objection is that this will cause key generation to shift to
> partners and affiliates, who will almost certainly do an even worse job.

This is already a Mozilla requirement [1] - we're just moving it into the policy document.

> If you want to ban key generation by anyone but the end entity, ban key
> generation by anyone but the end entity.

We've already debated this [2] and didn't come to that conclusion.

> -Tim

[1] https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Distributing_Generated_Private_Keys_in_PKCS.2312_Files
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/MRd8gDwGGA4/AC4xgZ9CBgAJ

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy