On Thu, Apr 02, 2015 at 12:34:55PM -0400, Phillip Hallam-Baker wrote:
> On Thu, Apr 2, 2015 at 11:05 AM, Kurt Roeckx <[email protected]> wrote:
> > On 2015-04-02 16:34, Phillip Hallam-Baker wrote:
> >>
> >> Further no private key should ever be in a network accessible device
> >> unless the following apply:
> >>
> >> 1) There is a path length constraint that limits issue to EE certs.
> >> 2) It is an end entity certificate.
> >
> > Why 1)?
>
> Can you state a use case that requires online issue of Key Signing Certs?
You suggested it, so I'm guessing you're asking yourself? The only use case I can think of is to be able to MITM people like we saw the firewall do here. If you want to do something like that, the key should not have been signed by any CA that chains back to a root CA in the Mozilla root store; they should use a private CA for that.

Kurt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
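The two conditions quoted above (an end-entity certificate, or a CA certificate whose path length constraint limits it to issuing end-entity certificates) are both expressed by the X.509 basicConstraints extension. The following is an added example, not code from the thread or from any of its participants: a small pure-Python DER decoder for a basicConstraints value (RFC 5280 section 4.2.1.9) plus a check that applies those two conditions to it. The sample byte strings and the function names are constructed for this illustration.

```python
"""Decode an X.509 BasicConstraints extension value and apply the
"end-entity or EE-only issuer" test discussed on the list.

Added example (not from the thread). Assumes DER-encoded bytes of:
    BasicConstraints ::= SEQUENCE {
        cA                 BOOLEAN DEFAULT FALSE,
        pathLenConstraint  INTEGER (0..MAX) OPTIONAL }
"""


def _read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER tag-length-value at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag, value, pos + length


def parse_basic_constraints(der: bytes):
    """Return (is_ca, path_len); path_len is None when the field is absent."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    is_ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:  # BOOLEAN cA
        _, v, pos = _read_tlv(body, pos)
        if v != b"\xff":  # DER: FALSE is the default and must be omitted
            raise ValueError("non-DER BOOLEAN encoding")
        is_ca = True
    if pos < len(body) and body[pos] == 0x02:  # INTEGER pathLenConstraint
        _, v, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(v, "big", signed=True)
        if path_len < 0:
            raise ValueError("negative pathLenConstraint")
    if pos != len(body):
        raise ValueError("trailing data inside BasicConstraints")
    return is_ca, path_len


def classify(der: bytes) -> str:
    """Name what the certificate holder may sign, from basicConstraints alone."""
    is_ca, path_len = parse_basic_constraints(der)
    if not is_ca:
        return "end-entity"
    if path_len == 0:
        return "ee-only-issuer"       # may sign leaf certs, not further CAs
    return "subordinate-issuer"       # may sign further CA certs


def online_key_acceptable(der: bytes) -> bool:
    """The quoted rule: online keys only for EE certs or pathLen-0 issuers."""
    return classify(der) in ("end-entity", "ee-only-issuer")


# Constructed sample values (hex of DER BasicConstraints):
EE_ONLY_ISSUER = bytes.fromhex("30060101ff020100")  # cA=TRUE, pathLen=0
DEPTH2_CA = bytes.fromhex("30060101ff020102")       # cA=TRUE, pathLen=2
UNCONSTRAINED_CA = bytes.fromhex("30030101ff")      # cA=TRUE, no pathLen
END_ENTITY = bytes.fromhex("3000")                  # cA omitted (FALSE)

if __name__ == "__main__":
    for name, der in [("EE_ONLY_ISSUER", EE_ONLY_ISSUER), ("DEPTH2_CA", DEPTH2_CA),
                      ("UNCONSTRAINED_CA", UNCONSTRAINED_CA), ("END_ENTITY", END_ENTITY)]:
        print(f"{name:17} {classify(der):19} online-ok={online_key_acceptable(der)}")
```

Note that basicConstraints is only one of the inputs a real path validator uses; name constraints, EKU and the policy of the issuing CA all still apply, and a pathLen of 0 says nothing about whether the key is kept in an HSM or on a network-reachable host.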

