On Tuesday, March 28, 2017 at 3:46:05 PM UTC-4, Nick Lamb wrote:
> In order for Symantec to reveal anybody's private keys they'd first need to 
> have those keys, which is already, IIRC forbidden in the BRs. So even proof 
> that Symantec routinely had these keys is a big deal.

From what I can tell, this may be correct in the context of retainment. Many 
CAs have provisions to generate the key on behalf of the subscriber, 
though. The wording of the section you're probably thinking of (6.1.2) is:

> Parties other than the Subscriber SHALL NOT archive the Subscriber 
> Private Key without authorization by the Subscriber.

So I guess you would need to see if the subscribers here authorized it.
