[Servercert-wg] Subscriber key pair generation by the CA

Ben Wilson bwilson at mozilla.com
Wed May 27 07:25:53 MST 2020


Mozilla would obviously support an effort to include this prohibition ("CAs
MUST NOT generate the key pairs for end-entity certificates") in the
browser alignment ballot.

On Wed, May 27, 2020 at 8:05 AM Ryan Sleevi via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> This seems like something easy to add to the Browser Alignment draft
> ballot, and something Google would support.
>
> Mike, Clint: Do you have opinions here on behalf of Microsoft and Apple?
> I'm loath to add additional requirements after y'all already reviewed, but
> this does seem worth tackling.
>
> On Wed, May 27, 2020 at 9:37 AM Adriano Santoni via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
>> All,
>>
>> It seems to me there's an inconsistency between §5.2 of Mozilla Root
>> Policy, which very clearly prohibits CAs from generating Subscribers' key
>> pairs for SSL Server certs, and §6.1.2 of the BR which seemingly allows
>> that. It would seem logical, and should not harm any CAs, if it was
>> clarified in the BR that subscriber key pair generation by the CA is not
>> allowed, in line with the requirement set forth in Mozilla Root Policy.
>>
>> What do the people here think?
>>
>> Adriano
>>
>>
>> _______________________________________________
>> Servercert-wg mailing list
>> Servercert-wg at cabforum.org
>> http://cabforum.org/mailman/listinfo/servercert-wg
>>