[Servercert-wg] Subscriber key pair generation by the CA
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Wed May 27 09:58:47 MST 2020
Obviously this is intended to only be applicable for TLS Server
Certificates (those that include the EKU id-kp-serverAuth), right?
Dimitris.
On 2020-05-27 5:25 PM, Ben Wilson via Servercert-wg wrote:
> Mozilla would obviously support an effort to include this prohibition
> ("CAs MUST NOT generate the key pairs for end-entity certificates")
> in the browser alignment ballot.
>
> On Wed, May 27, 2020 at 8:05 AM Ryan Sleevi via Servercert-wg
> <servercert-wg at cabforum.org> wrote:
>
> This seems like something easy to add to the Browser Alignment
> draft ballot, and something Google would support.
>
> Mike, Clint: Do you have opinions here on behalf of Microsoft and
> Apple? I'm loath to add additional requirements after y'all
> already reviewed, but this does seem worth tackling.
>
> On Wed, May 27, 2020 at 9:37 AM Adriano Santoni via Servercert-wg
> <servercert-wg at cabforum.org>
> wrote:
>
> All,
>
> It seems to me there's an inconsistency between §5.2 of
> Mozilla Root Policy, which very clearly prohibits CAs from
> generating Subscribers' key pairs for SSL Server certs, and
> §6.1.2 of the BR which seemingly allows that. It would seem
> logical, and should not harm any CAs, if it was clarified in
> the BR that subscriber key pair generation by the CA is not
> allowed, in line with the requirement set forth in Mozilla
> Root Policy.
>
> What do the people here think?
>
> Adriano
>
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg