<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div style="-webkit-text-size-adjust: auto;">We are one of the CAs that offer this as an option. </div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">We generate the associated keys in a HSM.</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">For distributing the key material we use a split secret as the password for a PKCS12 where one part is randomly generated and the other is supplied by the customer.</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">We never store these values.</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">The PKCS12 is downloaded by the customer in their authenticated session over SSL.</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">Once downloaded we delete the PKCS12.</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">We offer this for the reasons that Erwann calls out.</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">Sometimes customers are not in a situation where they can control the software or hardware that is used on the machines where one would want them to generate keys in a perfect world.</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">I also agree that Dual_EC_DRBG is a totally separate issue from the NIST curves but I also would like to see us in a position to include other ECC curves.</div><div style="-webkit-text-size-adjust: auto;"><br></div><div><span style="-webkit-text-size-adjust: auto;"><a href="http://safecurves.cr.yp.to">http://safecurves.cr.yp.to</a> </span><br><br><span style="-webkit-text-size-adjust: auto;">Ryan Hurst</span><div style="-webkit-text-size-adjust: auto;"><div style="-webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); ">Chief Technology Officer</div><div style="-webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); ">GMO Globalsign</div><div style="-webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); "><br></div><div><span style="-webkit-tap-highlight-color: rgba(26, 26, 26, 0.292969); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); ">twitter: @rmhrisk</span></div><div>email: <a href="mailto:ryan.hurst@globalsign.com">ryan.hurst@globalsign.com</a></div><div>phone: 206-650-7926</div><div><br></div><div>Sent from my phone, please forgive the brevity.</div></div></div><div style="-webkit-text-size-adjust: auto;"><br>On Nov 6, 2013, at 7:09 AM, Erwann Abalea <<a href="mailto:erwann.abalea@keynectis.com">erwann.abalea@keynectis.com</a>> wrote:<br><br></div><blockquote type="cite" style="-webkit-text-size-adjust: auto;"><div>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
<div class="moz-cite-prefix">Le 06/11/2013 14:59, Håvard Molland a
écrit :<br>
</div>
<blockquote cite="mid:527A4B2C.1000800@opera.com" type="cite">
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
<div class="moz-cite-prefix">On 11/05/2013 10:16 PM, Ben Wilson
wrote:<br>
</div>
<blockquote cite="mid:gvuvud5so3jrhxcao71gi38e.1383686208078@email.android.com" type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
Besides reviewing working group status, new web site, and draft
bylaws, which I'll send out soon, what other hot topics should
we add to Thursday's discussion? Remember, it will be an hour
earlier for most of you.<br>
</blockquote>
<br>
I would like that we discuss that some CAs generate the site
certificate's private key for their customers. It is my opinion
that this breaks the trust model and, especially in the light of
recent events, I believe this is a bad practice. <br>
</blockquote>
<br>
In the light of older published results (weak Debian keys, lack of
entropy on some devices as explained in the "Mining your P's and
Q's" and subsequent papers), it can also be seen as a good practice.
We at Keynectis don't do that, but I can accept the positive
arguments for such practices.<br>
<br>
<blockquote cite="mid:527A4B2C.1000800@opera.com" type="cite"> We
could also discuss elliptic curves and recent worries that certain
curve constants might have been manipulated:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://slashdot.org/submission/2947823/are-the-nist-standard-elliptic-curves-back-doored">http://slashdot.org/submission/2947823/are-the-nist-standard-elliptic-curves-back-doored</a><br>
</blockquote>
<br>
Please distinguish the Dual_EC_DRBG and NIST curves concerns.
Dual_EC_DRBG has certainly been weakened, while there's still some
doubts regarding NIST curves. Maybe it's time to allow for other
curves, Brainpool ones come to mind (RFC5639).<br>
<br>
</div></blockquote><blockquote type="cite" style="-webkit-text-size-adjust: auto;"><div><span>_______________________________________________</span><br><span>Public mailing list</span><br><span><a href="mailto:Public@cabforum.org">Public@cabforum.org</a></span><br><span><a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a></span><br></div></blockquote></body></html>