xbcvb cvbcvbvcb wrote:
> Using Firefox we would like to generate Thawte X.509 E-Mail Certificates.
>
> When generating the Private/Public key pair using Firefox as well as
> requesting the certificate, we are logged in to the Thawte website.
>
> *Our security-relevant question:*
> Which data is transmitted to Thawte during the Private/Public key pair and
> certificate generation process using Firefox (and Thawte)?
>
> *Does Firefox send to Thawte any form of "private" key during this process, or
> not?*
I don't think so, and I checked it today. The SPKAC blob with the public key seems to be transferred (examined it with livehttpheaders and dumpasn1).

But as I wrote in my other posting, they unfortunately seem not to use the static HTML <keygen> tag, and the process does not function without JavaScript. So they could silently change the behaviour of the enrollment interface to use the CRMFRequest JavaScript call. IIRC the CRMFRequest could contain the private key. (Any good JavaScript tracer for SeaMonkey 1.1.x out there?)

I'd love to have an option to forbid CRMFRequest calls...

Ciao,
Michael.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto