Fost1954 wrote:
> Hence we would be grateful if you -being the experts here- came to a
> clear result at some point...

Did you actually read my two responses? What exactly do you not understand?

I personally don't know whether the current Mozilla implementation of crypto.generateCRMFRequest includes the private key of an encryption cert. But the CRMF standard defines a way for doing so (for CA-side key recovery/escrow services).

So if you want to be sure that crypto.generateCRMFRequest is not used then turn off Javascript while going through the cert enrollment web interface which triggers key generation. Unfortunately Thawte's enrollment interface does not work without Javascript.

So the answer is: The private key is currently not transferred but Thawte could silently change the behaviour of the cert enrollment web interface. So to be 100% sure you have to check that every time you go through this enrollment process.

Ciao, Michael.
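The per-enrollment check the reply above recommends can be partly automated. The following is an added example, not part of the original post and not Mozilla's or Thawte's code: it walks a DER-encoded request and reports whether it carries the RFC 4211 key-archival control (`id-regCtrl-pkiArchiveOptions`). It assumes the request has already been captured and decoded to DER; the two sample requests are constructed stand-ins, not real CRMF messages.

```python
# Added example; sample data is constructed, not captured from a real CA.
PKI_ARCHIVE_OPTIONS = "1.3.6.1.5.5.7.5.1.4"  # id-regCtrl-pkiArchiveOptions (RFC 4211)
REG_TOKEN = "1.3.6.1.5.5.7.5.1.1"            # id-regCtrl-regToken (RFC 4211)

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > end:
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not handled")
    pos += 2
    if length & 0x80:                        # long form: n length bytes follow
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > end:
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("element runs past its container")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, value = [], 0
    for b in body:                           # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty OID")
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def collect_oids(buf, start=0, end=None):
    """Walk every constructed element and return all OIDs in order."""
    end = len(buf) if end is None else end
    oids, pos = [], start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos, end)
        if tag == 0x06:
            oids.append(decode_oid(buf[vs:ve]))
        elif tag & 0x20:                     # constructed: recurse into contents
            oids += collect_oids(buf, vs, ve)
        pos = ve
    return oids

def requests_key_archival(der_bytes):
    return PKI_ARCHIVE_OPTIONS in collect_oids(der_bytes)

def der(tag, body):                          # builds the constructed samples only
    return bytes([tag, len(body)]) + body

def control(last_arc, value):                # SEQUENCE { SEQUENCE { OID, value } }
    oid = der(0x06, bytes.fromhex("2b06010505070501") + bytes([last_arc]))
    return der(0x30, der(0x30, oid + value))

PLAIN = control(1, der(0x0C, b"token"))
ARCHIVE = control(4, der(0xA0, der(0x04, b"placeholder")))
```

A hit only shows that the archive control is present; which of its options is used, and whether an encrypted private key is inside, needs a full CRMF decode.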