Closed Bug 471037 Opened 16 years ago Closed 16 years ago

Security-Critical Information (i.e. Private Key) transmitted by Firefox to CA (i.e. Thawte) during X.509 key/cert generation

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
normal


RESOLVED INVALID

People

(Reporter: farsons2003, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5

Dear Firefox Developers,

Using Firefox we would like to generate Thawte X.509 E-Mail Certificates. When generating the Private/Public key pair using Firefox as well as requesting the certificate, we are logged in on the Thawte Website.

Our security relevant question: Which data is transmitted to Thawte during the Private/Public key pair and certificate generation process using Firefox and Thawte? Does Firefox send to Thawte any form of “private” key during this process, or not?

If the private key was transmitted to Thawte, in theory a Thawte staff member (would he gain access to the private key at Thawte) could decrypt emails encrypted by us, or sign an email in our names ...

We would be happy to understand better the key and certificate generation process using Firefox (and Thawte), considering the security critical point mentioned above.

Thank you in advance,
Proud Firefox users

Reproducible: Always

Steps to Reproduce:
1. Login to Thawte and generate Private/public X.509 key pair and certificate

Actual Results:
Typical Thawte X.509 E-Mail Certificate generation process

Expected Results:
Which data is transmitted to Thawte during the Private/Public key pair and certificate generation process using Firefox being logged in at Thawte? Does Firefox send to Thawte any form of “private” key during this process, or not?
This is a question and not a bug. Please use the newsgroups via nntp://news.mozilla.org for newsgroup clients or https://lists.mozilla.org/listinfo for email access. dev.tech.crypto should be an appropriate place to ask. I suspect the answer will be to ask Thawte about their process for generating and sending keys to clients.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
An answer from the Dev.Tech-crypto Mozilla (Developer) Google Group to this subject can be found here; hope it clarifies:
http://groups.google.com/group/mozilla.dev.tech.crypto/browse_frm/thread/e885d0624ab4ffe9
http://groups.google.com/group/mozilla.dev.tech.crypto/tree/browse_frm/thread/e885d0624ab4ffe9/81852e18ac2d0cbe?rnum=41&_done=%2Fgroup%2Fmozilla.dev.tech.crypto%2Fbrowse_frm%2Fthread%2Fe885d0624ab4ffe9%3F#doc_36c4b5c7f5925223

Also a short citation:
"Thank you, excellent discussion and conclusion we arrived at. I understand the general consensus is that the statement about unnotified key transmission [...] is correct, saying: "I know of no way", rather than "there is no way". (As Nelson Bolyard wrote). We are all aware that there is no 100% answer (as always in life), but I assume your knowledge has some weight."
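The reporter's question is about what crosses the wire during browser-side key generation and certificate enrollment. Firefox of that era generated the key pair locally through the HTML <keygen> element and sent the CA a SignedPublicKeyAndChallenge (SPKAC): the new public key plus a CA-supplied challenge, signed with the freshly generated private key as proof of possession; the private key stayed in the browser's key store. The following is an added example, written for this page and not code from Mozilla, Thawte, or the bug's participants. It models that exchange end to end (browser side, CA side, and a check of the bytes actually sent) with textbook RSA on small primes and JSON instead of DER-encoded ASN.1, so that it runs with the Python standard library only. The key sizes, the "Toy CA" issuer name, and the wire format are assumptions made for the demonstration; the toy RSA must not be used for anything real.

```python
"""Added example: toy model of <keygen>/SPKAC-style enrollment.

Assumptions (not from the bug report): 64-bit primes, JSON wire format,
SHA-256 reduced mod n as the message representative. Textbook RSA only.
"""
import hashlib
import json
import secrets

E = 65537  # conventional RSA public exponent


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime of the given size with gcd(E, p - 1) == 1 (E is prime)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if cand % E != 1 and is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 64) -> tuple[dict, dict]:
    """Return (public, private). Only `public` is ever serialized for the CA."""
    p = random_prime(bits)
    q = random_prime(bits)
    while q == p:
        q = random_prime(bits)
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d, "p": p, "q": q}


def _representative(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private: dict, data: bytes) -> int:
    return pow(_representative(data, private["n"]), private["d"], private["n"])


def verify(public: dict, data: bytes, signature: int) -> bool:
    return pow(signature, public["e"], public["n"]) == _representative(data, public["n"])


def browser_make_request(public: dict, private: dict, challenge: str) -> str:
    """Browser side: bind the public key to the CA's challenge and prove possession.

    The returned string is the ONLY thing sent to the CA; `private` is used
    to sign and then stays in the local key store.
    """
    to_be_signed = json.dumps({"public_key": public, "challenge": challenge}, sort_keys=True)
    return json.dumps({"to_be_signed": to_be_signed,
                       "signature": sign(private, to_be_signed.encode())})


def ca_issue_certificate(wire_request: str, expected_challenge: str,
                         subject: str, ca_private: dict) -> str:
    """CA side: check the challenge and the proof of possession, then issue."""
    req = json.loads(wire_request)
    body = json.loads(req["to_be_signed"])
    if body["challenge"] != expected_challenge:
        raise ValueError("challenge mismatch: replayed or foreign request")
    if not verify(body["public_key"], req["to_be_signed"].encode(), req["signature"]):
        raise ValueError("proof-of-possession signature invalid")
    tbs = json.dumps({"issuer": "Toy CA", "subject": subject,
                      "public_key": body["public_key"]}, sort_keys=True)
    return json.dumps({"tbs": tbs, "signature": sign(ca_private, tbs.encode())})


def private_material_in(wire_message: str, private: dict) -> bool:
    """True if any private component (d, p, q) appears in the message as sent."""
    return any(str(private[k]) in wire_message for k in ("d", "p", "q"))


def run_demo(subject: str = "user@example.com") -> dict:
    ca_public, ca_private = generate_keypair()
    challenge = secrets.token_hex(16)                 # CA sends this with the enrollment form
    user_public, user_private = generate_keypair()    # generated in the browser, never leaves it
    request = browser_make_request(user_public, user_private, challenge)
    cert = ca_issue_certificate(request, challenge, subject, ca_private)
    cert_obj = json.loads(cert)
    return {
        "request": request,
        "certificate": cert,
        "request_leaks_private_key": private_material_in(request, user_private),
        "certificate_valid": verify(ca_public, cert_obj["tbs"].encode(), cert_obj["signature"]),
        "certificate_holds_user_key": json.loads(cert_obj["tbs"])["public_key"] == user_public,
    }


if __name__ == "__main__":
    result = run_demo()
    print("request sent to CA:", result["request"])
    print("private key components on the wire:", result["request_leaks_private_key"])
```

The point the model makes is structural rather than a statement about any particular CA: the CA needs only the public key and a signature it can verify with that key, so a correctly implemented enrollment never has a reason to carry d, p or q. Whether a given site's pages or plugins do something else is exactly the "I know of no way" rather than "there is no way" caveat quoted above; the check in `private_material_in` is the kind of inspection (done on the real HTTP request, e.g. with a proxy) that turns the caveat into an observation.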