More precisely, it is not that important for certificates whose
attributes were most certainly submitted to the CA by a highly
controlled and non-malicious internal source within the CA
organization, such as the certificates of other internal CA
certificates (internal sub-CAs and the self-signed CA cert),
OCSP signers etc.

It remains an important security measure when signing anything
requested from outside, including 3rd party sub-CA certificates, cross
certificates for the roots of other CAs, certificates for more remote
parts of the CA's organization (such as certificates for the Symantec
software business issued by a Symantec owned CA) etc.

The fact that recent NSS code no longer checks the AKI, only the Issuer
DN, makes the precise value of other identifying properties in a root
cert even less important to Mozilla (but note that this bug does not
apply to all users of the Mozilla CA list).

On 11/02/2016 15:05, Mads Egil Henriksveen wrote:
> The entropy requirement is not that important for certificates signed by a Root CA,
> because a Root CA and its private key must be kept offline or air gapped and will not be
> exposed to the same threats as an "online CA" signing Subscriber certificates.
>
> The main cause for the entropy requirement is to protect against (hash)
> collision attacks and I don't see this as an actual threat to a Root CA.
>
> Regards
> Mads
>
> -----Original Message-----
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+mads.henriksveen=buypass...@lists.mozilla.org]
> On Behalf Of Kurt Roeckx
> Sent: 9. februar 2016 17:58
> To: Medin, Steven
> Cc: [email protected]; Kathleen Wilson
> Subject: Re: New requirement: certlint testing
>
> On Tue, Feb 09, 2016 at 09:31:22AM -0500, Medin, Steven wrote:
> > How does the diffusion of early toBeSigned entropy create value for an
> > event performed once?
>
> I'm not sure I understand the question. The BR have this 20 bits of entropy for
> all certificates. But it's a SHOULD not a MUST.
>
> And I guess for CAs that don't sign subscriber certificates it's not that
> important.

Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy