[Servercert-wg] Subscriber key pair generation by the CA

Ryan Sleevi sleevi at google.com
Thu May 28 15:03:31 MST 2020


https://github.com/sleevi/cabforum-docs/pull/25

On Thu, May 28, 2020 at 5:06 PM Clint Wilson <clintw at apple.com> wrote:

> We’re supportive of incorporating this into the browser alignment ballot.
> Thanks for spotting and raising this, Adriano!
>
> On May 27, 2020, at 7:04 AM, Ryan Sleevi <sleevi at google.com> wrote:
>
> This seems like something easy to add to the Browser Alignment draft
> ballot, and something Google would support.
>
> Mike, Clint: Do you have opinions here on behalf of Microsoft and Apple?
> I'm loath to add additional requirements after y'all already reviewed, but
> this does seem worth tackling.
>
> On Wed, May 27, 2020 at 9:37 AM Adriano Santoni via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
>> All,
>>
>> It seems to me there's an inconsistency between §5.2 of Mozilla Root
>> Policy, which very clearly prohibits CAs from generating Subscribers' key
>> pairs for SSL Server certs, and §6.1.2 of the BR which seemingly allows
>> that. It would seem logical, and should not harm any CAs, if it was
>> clarified in the BR that subscriber key pair generation by the CA is not
>> allowed, in line with the requirement set forth in Mozilla Root Policy.
>>
>> What do the people here think?
>>
>> Adriano