On Tuesday, 24 March 2015 at 09:59:47 UTC+1, Gervase Markham wrote:
> On 24/03/15 00:00, Peter Bowen wrote:
[...]
> > - What response has there been from CNNIC on this issue? How do they
> > explain issuing a subordinate CA certificate with a private key not
> > being on a HSM meeting the Baseline Requirements?
>
> Good question. For those following along, this is Baseline Requirements
> 16.6:
>
> 16.6 Private Key Protection
>
> The CA SHALL protect its Private Key in a system or device that has been
> validated as meeting at least FIPS 140 level 3 or an appropriate Common
> Criteria Protection Profile or Security Target, EAL 4 (or higher), which
> includes requirements to protect the Private Key and other assets
> against known threats. The CA SHALL implement physical and logical
> safeguards to prevent unauthorized certificate issuance. Protection of
> the Private Key outside the validated system or device specified above
> MUST consist of physical security, encryption, or a combination of both,
> implemented in a manner that prevents disclosure of the Private Key.
>
> (And, just to be clear, from the definitions: "Certification Authority:
> An organization that is responsible for the creation, issuance,
> revocation, and management of Certificates. The term applies equally
> to both Roots CAs and Subordinate CAs.")

See also Mozilla CA Policy, https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/, point 10. This unconstrained sub-CA MUST have been audited and disclosed to Mozilla *before* it was able to issue certificates.

