CRMF is the mechanism by which a CA can request escrow. It is the ONLY mechanism by which a CA can request escrow.
Even when CRMF is not disabled, there is always a dialog that comes up when a CA requests escrow. This has been answered several times in this thread.

-Kyle H

2009/1/8 Fost1954 <fost19...@googlemail.com>:
> Bob wrote: "So it turns out even with crmf, escrow does not happen quietly.
> If the CA requests a key be escrowed, the user is notified:"
>
> Sorry, Bob, but it becomes too technical for my knowledge, I do not know
> what crmf is, nor do I know what tokens etc. are, so speaking honestly: I do
> not understand your conclusion, even though the words "escrow does not
> happen quietly" sound positive.
> Could you or any Firefox developer/programmer answer to my question (see
> below):
>
> 1. Is there a dev-tech-crypto / Firefox developer/programmer who wants to
> confirm Kaspar Band's idea that "running Firefox in "Safe
> Mode" when generating the key as well as requesting the Certificate with
> Thawte does securely prevent unnotified private key transmission ?
>
> I do not want to be offending, but a simple "I think so"-answer does not
> satisfy most of the Firefox-Thawte Users,...
>
> Thank you !
>
> 2009/1/7 Robert Relyea <rrel...@redhat.com>
>>
>> Eddy Nigg wrote:
>>>
>>> On 12/27/2008 12:44 AM, Subrata Mazumdar:
>>>>
>>>> A related question:
>>>> Is it possible to configure the NSS Soft-Token associated with the
>>>> internal slot like smart-card based token so that the private key
>>>> cannot be exported out of the token?
>>>> If not, would it be useful feature to support?
>>
>> Even in the token case, this is only true if the key was generated in the
>> token. If 'key recovery' is turned on, NSS generates the key in softoken and
>> writes it to the token (after wrapping it with the escrow key).
>>
>> So it turns out even with crmf, escrow does not happen quietly. If the CA
>> requests a key be escrowed, the user is notified:
>>
>> http://mxr.mozilla.org/firefox/source/security/manager/ssl/src/nsCrypto.cpp#1905
>>
>> bob
>> _______________________________________________
>> dev-tech-crypto mailing list
>> dev-tech-crypto@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-tech-crypto