On Wednesday 03 December 2008 12:22:19 Eddy Nigg wrote:
> On 12/02/2008 08:16 PM, Ian G:
> > Right, CAs won't have the private keys, unless they do. I imagine a
> > corporate CA can do what it likes, and doesn't need the consent of the
> > user.
>
> Sure, but they aren't in my list of CA roots.
>
> > And if my CA says "we
> > got your private keys", then you have the choice of another CA.
>
> It's considered a very bad practice I think.

Eddy, could you expand on this point?

I don't think WebTrust prohibits CAs from generating/retaining private keys 
for users.

> Are there any CAs in Mozilla NSS which have the users' private keys?

Have a look at:
http://www.globalsign.com/support/csr/autocsr.html

> > Also, there is a silliness aspect to this. If the CAs are trusted not to
> > issue false certs for users, why can't they be trusted to look after
> > their private keys?
>
> Perhaps because some countries have certain laws...
>
> > If you don't like that, places to change it would be Chokhani et al (RFC
> > 3647) or the Mozilla policy, I guess.
>
> The Mozilla CA policy is my domain...indeed are there CAs which perform
> "key escrow" without the consent of the user (or without the user having
> explicitly asked beforehand)?

-- 
Rob Stradling
Senior Research & Development Scientist
Comodo - Creating Trust Online
Office Tel: +44.(0)1274.730505
Fax Europe: +44.(0)1274.730909
www.comodo.com

Comodo CA Limited, Registered in England No. 04058690
Registered Office:
  3rd Floor, 26 Office Village, Exchange Quay,
  Trafford Road, Salford, Manchester M5 3EQ

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto