[Servercert-wg] Subscriber key pair generation by the CA

Jeremy Rowley jeremy.rowley at digicert.com
Thu May 28 18:07:08 MST 2020


Question. Would this be violated if the CA had software that was on prem at the client that incorporated a key gen tool? Technically it's the tool generating the key, but it is software provided by the CA. Is that considered a violation?
________________________________
From: Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of Ryan Sleevi via Servercert-wg <servercert-wg at cabforum.org>
Sent: Thursday, May 28, 2020 4:03:31 PM
To: Clint Wilson <clintw at apple.com>
Cc: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] Subscriber key pair generation by the CA

https://github.com/sleevi/cabforum-docs/pull/25

On Thu, May 28, 2020 at 5:06 PM Clint Wilson <clintw at apple.com> wrote:
We’re supportive of incorporating this into the browser alignment ballot.
Thanks for spotting and raising this, Adriano!

On May 27, 2020, at 7:04 AM, Ryan Sleevi <sleevi at google.com> wrote:

This seems like something easy to add to the Browser Alignment draft ballot, and something Google would support.

Mike, Clint: Do you have opinions here on behalf of Microsoft and Apple? I'm loathe to add additional requirements after y'all already reviewed, but this does seem worth tackling.

On Wed, May 27, 2020 at 9:37 AM Adriano Santoni via Servercert-wg <servercert-wg at cabforum.org> wrote:

All,

It seems to me there's an inconsistency between §5.2 of Mozilla Root Policy, which very clearly prohibits CAs from generating Subscribers' key pairs for SSL Server certs, and §6.1.2 of the BR which seemingly allows that. It would seem logical, and should not harm any CAs, if it was clarified in the BR that subscriber key pair generation by the CA is not allowed, in line with the requirement set forth in Mozilla Root Policy.

What do the people here think?

Adriano


_______________________________________________
Servercert-wg mailing list
Servercert-wg at cabforum.org
http://cabforum.org/mailman/listinfo/servercert-wg
