[cryptography] what has the NSA broken?

Ralph Holz holz at net.in.tum.de
Fri Sep 6 09:58:50 EDT 2013


On 09/06/2013 07:12 AM, James A. Donald wrote:
> Most private keys are issued by, not merely certified by, the CAs.

Can you give numerical evidence for this claim?

The CAs I work with - StartSSL and DFN - either allow you to send CSRs or
use the HTML keygen method. I'd be surprised if a majority of CAs
insisted on generating the key for you.

The Baseline Requirements by CABForum furthermore state that a CA must
not archive the private keys.


Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
Phone +
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF
