[Servercert-wg] Subscriber key pair generation by the CA

Ryan Sleevi sleevi at google.com
Wed May 27 10:13:34 MST 2020


Yes :)

On Wed, May 27, 2020 at 12:58 PM Dimitris Zacharopoulos (HARICA) <
dzacharo at harica.gr> wrote:

> Obviously this is intended to only be applicable for TLS Server
> Certificates (those that include the EKU id-kp-serverAuth), right?
>
> Dimitris.
>
> On 2020-05-27 5:25 PM, Ben Wilson via Servercert-wg wrote:
>
> Mozilla would obviously support an effort to include this prohibition
> ("CAs MUST NOT generate the key pairs for end-entity certificates")  in the
> browser alignment ballot.
>
> On Wed, May 27, 2020 at 8:05 AM Ryan Sleevi via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
>> This seems like something easy to add to the Browser Alignment draft
>> ballot, and something Google would support.
>>
>> Mike, Clint: Do you have opinions here on behalf of Microsoft and Apple?
>> I'm loath to add additional requirements after y'all already reviewed, but
>> this does seem worth tackling.
>>
>> On Wed, May 27, 2020 at 9:37 AM Adriano Santoni via Servercert-wg <
>> servercert-wg at cabforum.org> wrote:
>>
>>> All,
>>>
>>> It seems to me there's an inconsistency between §5.2 of Mozilla Root
>>> Policy, which very clearly prohibits CAs from generating Subscribers' key
>>> pairs for SSL Server certs, and §6.1.2 of the BR which seemingly allows
>>> that. It would seem logical, and should not harm any CAs, if it was
>>> clarified in the BR that subscriber key pair generation by the CA is not
>>> allowed, in line with the requirement set forth in Mozilla Root Policy.
>>>
>>> What do the people here think?
>>>
>>> Adriano
>>>
>>>
>>> _______________________________________________
>>> Servercert-wg mailing list
>>> Servercert-wg at cabforum.org
>>> http://cabforum.org/mailman/listinfo/servercert-wg
>>>
>>
>

