[Servercert-wg] [EXTERNAL] Re: Subscriber key pair generation by the CA

Mike Reilly (GRC) Mike.Reilly at microsoft.com
Wed May 27 14:04:28 MST 2020


Microsoft would also support including this prohibition ("CAs MUST NOT generate the key pairs for end-entity certificates") in the browser alignment ballot given this is intended to only be applicable for TLS Server Certificates (those that include the EKU id-kp-serverAuth). Thanks, Mike

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Ryan Sleevi via Servercert-wg
Sent: Wednesday, May 27, 2020 10:14 AM
To: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
Cc: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [EXTERNAL] Re: [Servercert-wg] Subscriber key pair generation by the CA

Yes :)

On Wed, May 27, 2020 at 12:58 PM Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr> wrote:
Obviously this is intended to only be applicable for TLS Server Certificates (those that include the EKU id-kp-serverAuth), right?

Dimitris.
On 2020-05-27 5:25 μ.μ., Ben Wilson via Servercert-wg wrote:
Mozilla would obviously support an effort to include this prohibition ("CAs MUST NOT generate the key pairs for end-entity certificates") in the browser alignment ballot.

On Wed, May 27, 2020 at 8:05 AM Ryan Sleevi via Servercert-wg <servercert-wg at cabforum.org> wrote:
This seems like something easy to add to the Browser Alignment draft ballot, and something Google would support.

Mike, Clint: Do you have opinions here on behalf of Microsoft and Apple? I'm loathe to add additional requirements after y'all already reviewed, but this does seem worth tackling.

On Wed, May 27, 2020 at 9:37 AM Adriano Santoni via Servercert-wg <servercert-wg at cabforum.org> wrote:

All,

It seems to me there's an inconsistency between §5.2 of Mozilla Root Policy, which very clearly prohibits CAs from generating Subscribers' key pairs for SSL Server certs, and §6.1.2 of the BR which seemingly allows that. It would seem logical, and should not harm any CAs, if it was clarified in the BR that subscriber key pair generation by the CA is not allowed, in line with the requirement set forth in Mozilla Root Policy.

What do the people here think?

Adriano


_______________________________________________
Servercert-wg mailing list
Servercert-wg at cabforum.org
http://cabforum.org/mailman/listinfo/servercert-wg
