Clarify "CAs MUST NOT generate the key pairs" section #225
Comments
It sounds like you’re not asking for point one to be clarified, but you’re asking it be reopened for debate/discussion, given past clarifications. The Baseline Requirements define the boundary of the CA, with respect to audit scope. If you don’t feel this is clear, perhaps you can more specifically highlight exact text with respect to the BRs and how that leads to ambiguity. In doing so, it’s also useful to think about negative consequences of any proposed definition or clarification you would like to suggest, such as CDNs, hosting providers, marketing or IT consultancies, or other forms of business relationships that may exist with the Applicant/Subscriber. Your second question, however, is difficult to make sense of. If something is MUST NOT, it’s unclear why there would need to be a list of allowed. All of these points would be best discussed on the list, so if you’d like to respond there and simply link here once started, that seems a good way to provide the most visibility to the discussion.
Rather I would like to clarify/discuss if it should only apply to CAs or also to their resellers. The negative consequences are clear, but I think that we should also consider why this point was added in the first place and how it should impact key generation. Any CA that would want to generate keys for their customers can just come up with a structure for that and hide behind a reseller. This doesn't seem that unlikely since there are comments like:
Does this point even make sense then?
How do we define key generation or rather who is doing it? There are many different ways of generating key pairs, some using CA software running in the browser. When can we say that it's the CA (or the client) doing it?
I think that it should take into consideration who has or can have access to the keys (maybe the possibility of CA software running on client device sending keys to the CA) and not only who is generating them?
As I mentioned, it would be better to have this discussion on the list first to both have greater participation and better transparency, and because this appears to be reopening past (settled?) discussions.
I think that this section needs clarification. There are two things that I would like clarified.
Related discussion:
https://bugzilla.mozilla.org/show_bug.cgi?id=1699756
https://groups.google.com/g/mozilla.dev.security.policy/c/YyXBTE0harE/m/oJvzSu5CAAAJ
https://groups.google.com/g/mozilla.dev.security.policy/c/Xio6mrdxp2M/m/m38TJkblAgAJ