[Servercert-wg] Subscriber key pair generation by the CA

Ryan Sleevi sleevi at google.com
Wed May 27 07:04:41 MST 2020


This seems like something easy to add to the Browser Alignment draft
ballot, and something Google would support.

Mike, Clint: Do you have opinions here on behalf of Microsoft and Apple?
I'm loath to add additional requirements after y'all already reviewed, but
this does seem worth tackling.

On Wed, May 27, 2020 at 9:37 AM Adriano Santoni via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> All,
>
> It seems to me there's an inconsistency between §5.2 of Mozilla Root
> Policy, which very clearly prohibits CAs from generating Subscribers' key
> pairs for SSL Server certs, and §6.1.2 of the BR which seemingly allows
> that. It would seem logical, and should not harm any CAs, if it was
> clarified in the BR that subscriber key pair generation by the CA is not
> allowed, in line with the requirement set forth in Mozilla Root Policy.
>
> What do the people here think?
>
> Adriano