On Tuesday, March 28, 2017 at 3:46:05 PM UTC-4, Nick Lamb wrote:
> In order for Symantec to reveal anybody's private keys they'd first need to
> have those keys, which is already, IIRC forbidden in the BRs. So even proof
> that Symantec routinely had these keys is a big deal.
From what I can tell, this may be correct in the context of retainment. Many CAs have provisions to generate the key on behalf of the subscriber, though. The wording of the section you're probably thinking of (6.1.2) is tricky:

> Parties other than the Subscriber SHALL NOT archive the Subscriber
> Private Key without authorization by the Subscriber.

So I guess you would need to see if the subscribers here authorized it.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy