On Thu, Apr 2, 2015 at 12:50 PM, Kurt Roeckx <[email protected]> wrote:
> On Thu, Apr 02, 2015 at 12:34:55PM -0400, Phillip Hallam-Baker wrote:
>> On Thu, Apr 2, 2015 at 11:05 AM, Kurt Roeckx <[email protected]> wrote:
>> > On 2015-04-02 16:34, Phillip Hallam-Baker wrote:
>> >>
>> >> Further no private key should ever be in a network accessible device
>> >> unless the following apply:
>> >>
>> >> 1) There is a path length constraint that limits issue to EE certs.
>> >> 2) It is an end entity certificate.
>> >
>> > Why 1)?
>>
>> Can you state a use case that requires online issue of Key Signing Certs?
>
> You suggested it, so I'm guessing you're asking yourself?
>
> The only use case I can think of is to be able to MITM people like
> we saw the firewall do here. If you want to do something like
> that the key should not have been signed by any CA that chains back
> to a root CA in the Mozilla root store, they should use a private
Oh you mean why permit 1 at all? If that is not permitted it would be impossible for a CA to issue any end entity cert without an offline key ceremony. That is obviously impractical.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
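The two conditions debated above (an online key is acceptable only behind an end-entity cert, or behind a CA cert whose pathLenConstraint is 0 so it can sign nothing but EE certs) expressed as checks over a certificate hierarchy. This is an added example, not code from the thread or from Mozilla; it assumes the Python `cryptography` library, builds a constructed root / issuing CA / leaf hierarchy plus a sub-CA that a pathLen-0 issuer must not be able to vouch for, and inspects only basicConstraints (it does not verify signatures or issuer names).

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def make_cert(subject_cn, issuer_cn, key, signing_key, basic_constraints):
    """Build a minimal v3 certificate whose only extension is basicConstraints."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=1)).not_valid_after(now + timedelta(days=1))
        .add_extension(basic_constraints, critical=True)
        .sign(signing_key, hashes.SHA256())
    )

def online_key_allowed(cert):
    """Hallam-Baker's rule: the key behind this cert may sit on a network-reachable
    device only if the cert is an end-entity cert (2) or a CA cert with pathLen 0 (1)."""
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return True  # RFC 5280 requires cA=TRUE on CA certs, so treat as end-entity
    if not bc.ca:
        return True
    return bc.path_length == 0  # pathLen 0: may sign EE certs, never another CA

def path_len_ok(chain):
    """chain runs root -> ... -> leaf. Fail if any CA has more CA certs below it than
    its pathLenConstraint permits (the budget check of RFC 5280 section 6.1.4)."""
    for i, cert in enumerate(chain[:-1]):
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not bc.ca:
            return False  # a non-CA cert cannot sit above anything
        if bc.path_length is not None and len(chain[i + 1:-1]) > bc.path_length:
            return False  # e.g. a pathLen-0 issuer with a sub-CA under it
    return True

# Constructed hierarchy: offline root, online issuing CA limited to EE certs, a leaf, and
# a sub-CA that an issuing CA with pathLen 0 must never be able to vouch for.
root_key, ca_key, leaf_key, rogue_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
ROOT = make_cert("Root", "Root", root_key, root_key, x509.BasicConstraints(ca=True, path_length=None))
ISSUING_CA = make_cert("Issuing", "Root", ca_key, root_key, x509.BasicConstraints(ca=True, path_length=0))
LEAF = make_cert("leaf", "Issuing", leaf_key, ca_key, x509.BasicConstraints(ca=False, path_length=None))
ROGUE_SUB_CA = make_cert("Rogue", "Issuing", rogue_key, ca_key, x509.BasicConstraints(ca=True, path_length=None))
```

`online_key_allowed` rejects the root (unconstrained CA, keep it offline) and accepts both the pathLen-0 issuing CA and the leaf; `path_len_ok` accepts root -> issuing -> leaf and rejects the chain with the rogue sub-CA under the pathLen-0 issuer.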

