Clarify "CAs MUST NOT generate the key pairs" section #225

Open
mimi89999 opened this issue May 13, 2021 · 4 comments

Comments

@mimi89999

I think that this section needs clarification. There are two things that I would like clarified.

  1. What does CAs mean? Should partners and resellers also respect that?
  2. What are the allowed and prohibited ways of generating key pairs? How do we decide who generates them? Based on who started the process of generation? Is it important whether it was generated on a client device or on CA infrastructure? What if it's generated on a client device using CA software that then sends the keys to the CA?

Related discussion:
https://bugzilla.mozilla.org/show_bug.cgi?id=1699756
https://groups.google.com/g/mozilla.dev.security.policy/c/YyXBTE0harE/m/oJvzSu5CAAAJ
https://groups.google.com/g/mozilla.dev.security.policy/c/Xio6mrdxp2M/m/m38TJkblAgAJ

@sleevi
Contributor

sleevi commented May 13, 2021

It sounds like you’re not asking for point one to be clarified, but you’re asking it be reopened for debate/discussion, given past clarifications.

The Baseline Requirements define the boundary of the CA, with respect to audit scope. If you don’t feel this is clear, perhaps you can more specifically highlight exact text with respect to the BRs and how that leads to ambiguity. In doing so, it’s also useful to think about negative consequences of any proposed definition or clarification you would like to suggest, such as CDNs, hosting providers, marketing or IT consultancies, or other forms of business relationships that may exist with the Applicant/Subscriber.

Your second question, however, is difficult to make sense of. If something is MUST NOT, it’s unclear why there would need to be a list of allowed.

All of these points would be best discussed on the list, so if you’d like to respond there and simply link here once started, that seems a good way to provide the most visibility to the discussion.

@mimi89999
Author

> The Baseline Requirements define the boundary of the CA, with respect to audit scope. If you don’t feel this is clear, perhaps you can more specifically highlight exact text with respect to the BRs and how that leads to ambiguity. In doing so, it’s also useful to think about negative consequences of any proposed definition or clarification you would like to suggest, such as CDNs, hosting providers, marketing or IT consultancies, or other forms of business relationships that may exist with the Applicant/Subscriber.

Rather I would like to clarify/discuss if it should only apply to CAs or also to their resellers. The negative consequences are clear, but I think that we should also consider why this point was added in the first place and how it should impact key generation. Any CA that would want to generate keys for their customers can just come up with a structure for that and hide behind a reseller. This doesn't seem that unlikely since there are comments like:
https://bugzilla.mozilla.org/show_bug.cgi?id=1699756#c1

First, ZeroSSL is not a CA.

Does this point even make sense then?

> Your second question, however, is difficult to make sense of. If something is MUST NOT, it’s unclear why there would need to be a list of allowed.

How do we define key generation or rather who is doing it? There are many different ways of generating key pairs, some using CA software running in the browser. When can we say that it's the CA (or the client) doing it?

@mimi89999
Author

> How do we define key generation or rather who is doing it? There are many different ways of generating key pairs, some using CA software running in the browser. When can we say that it's the CA (or the client) doing it?

I think that it should take into consideration who has or can have access to the keys (maybe the possibility of CA software running on a client device sending keys to the CA) and not only who is generating them?

@sleevi
Contributor

sleevi commented May 13, 2021

As I mentioned, it would be better to have this discussion on the list first to both have greater participation and better transparency, and because this appears to be reopening past (settled?) discussions.
