Gervase Markham:
> Nelson Bolyard wrote:
>> Do we really want to allow this?
>>
>> Should this at least be a question that CAs must answer as they apply
>> for cert inclusion or EV status upgrades?
>
> At a minimum, please add it to the "Questionable CA practices" document
> on the wiki.
>
> It doesn't sound particularly wise to me. What is the mechanism of
> transmission for the PKCS12 file? Unencrypted email? HTTPS?
From what I've heard about such practices, the PKX file is password protected and delivered by simple email. But obviously anybody getting hold of the mail and file can easily brute-force attack it with a simple script. I think this is the issue Nelson is addressing. Receiving a PKX file from a CA web site doesn't really involve the same risk.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Blog: https://blog.startcom.org

