Hi all,

I have been doing some research recently and discovered a Chinese company offering various online tools for SSL certificates. Among them, I noticed its CSR generation tool, and it reminded me of the discussions the community had before on certificate resellers and key security: https://groups.google.com/g/mozilla.dev.security.policy/c/Xio6mrdxp2M/m/m38TJkblAgAJ

This vendor provides a CSR creation tool with two methods, online generation and browser generation. However, I'm not yet entirely sure about its implementation details and whether they will store the private keys generated.

CSR Creation Tool: https://tools.imtrust.cn/#/cert-utils/csr_create.html
Online Toolbox: https://tools.imtrust.cn/#/home

I further checked the domain imtrust.cn and discovered an SSL online purchase platform, https://order.imtrust.cn/, under this domain. The vendor was found to be SHECA, a trusted CA and full member of the CA/Browser Forum. It shows that the order placement page also offers the option of CSR online generation: https://order.imtrust.cn/

This situation might be different from the previous discussion on resellers generating key pairs on behalf of end customers, because SHECA is operating as a CA and offers a CSR online generation tool. I'm not sure whether this site has been included in the audit scope and whether its operation and data protection schemes have been properly reviewed. It is also not clear whether this practice violates the requirements of BR 6.1.1.3.

I'd like to discuss this situation together and also request SHECA to provide a response regarding this matter.
