[Servercert-wg] Subscriber key pair generation by the CA

Clint Wilson clintw at apple.com
Thu May 28 14:06:33 MST 2020


We’re supportive of incorporating this into the browser alignment ballot.
Thanks for spotting and raising this, Adriano! 

> On May 27, 2020, at 7:04 AM, Ryan Sleevi <sleevi at google.com> wrote:
> 
> This seems like something easy to add to the Browser Alignment draft ballot, and something Google would support.
> 
> Mike, Clint: Do you have opinions here on behalf of Microsoft and Apple? I'm loath to add additional requirements after y'all already reviewed, but this does seem worth tackling.
> 
> On Wed, May 27, 2020 at 9:37 AM Adriano Santoni via Servercert-wg <servercert-wg at cabforum.org> wrote:
> All,
> 
> It seems to me there's an inconsistency between §5.2 of Mozilla Root Policy, which very clearly prohibits CAs from generating Subscribers' key pairs for SSL Server certs, and §6.1.2 of the BR which seemingly allows that. It would seem logical, and should not harm any CAs, if it was clarified in the BR that subscriber key pair generation by the CA is not allowed, in line with the requirement set forth in Mozilla Root Policy.
> 
> What do the people here think?
> 
> Adriano
