When we debated it last, my predictions were hypothetical.
I wish they had remained hypothetical.

-Tim

From: Wayne Thayer [mailto:wtha...@mozilla.com]
Sent: Wednesday, May 16, 2018 12:33 AM
To: Tim Hollebeek <tim.holleb...@digicert.com>; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Bit encoding (AW: Policy 2.6 Proposal: Add prohibition on CA key generation to policy)

On Tue, May 15, 2018 at 9:17 PM Tim Hollebeek <tim.holleb...@digicert.com> wrote:

My only objection is that this will cause key generation to shift to partners and affiliates, who will almost certainly do an even worse job.

> This is already a Mozilla requirement [1] - we're just moving it into the policy document.

> If you want to ban key generation by anyone but the end entity, ban key generation by anyone but the end entity.

> We've already debated this [2] and didn't come to that conclusion.

> -Tim

[1] https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Distributing_Generated_Private_Keys_in_PKCS.2312_Files
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/MRd8gDwGGA4/AC4xgZ9CBgAJ
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy