On 12/02/2008 08:16 PM, Ian G:
Right, CAs won't have the private keys, unless they do. I imagine a
corporate CA can do what it likes, and doesn't need the consent of the
user.

Sure, but they aren't in my list of CA roots.

And if my CA says "we
got your private keys", then you have the choice of another CA.

It's considered a very bad practice, I think. Are there any CAs in Mozilla NSS which have the users' private keys?

Also, there is a silliness aspect to this. If the CAs are trusted not to
issue false certs for users, why can't they be trusted to look after
their private keys?

Perhaps because some countries have certain laws...

If you don't like that, places to change it would be Chokhani et al (RFC
3647) or the Mozilla policy, I guess.

The Mozilla CA policy is my domain...indeed are there CAs which perform "key escrow" without the consent of the user (or without the user having explicitly asked beforehand)?


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
