Thanks Gerv. Code signing certificates don't contain EKU of id-kp-serverAuth, id-kp-emailProtection so it's out of scope for the policy. I didn't take the statement "key pairs for signer" and narrow that down to "S/MIME signing", now I get it.
For S/MIME you said the Problematic Practices page permits CAs to generate keys, but to be clear, it's only permitted for the Encryption certificates, and not for S/MIME signature certificates. If you have one S/MIME cert for both signing and encryption then CAs must not generate the key pairs. Is that right?

> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-[email protected]] On Behalf Of Gervase Markham via dev-security-policy
> Sent: Wednesday, November 22, 2017 10:57 AM
> To: [email protected]
> Subject: Re: Forbidden Practices: Subscriber key generation
>
> On 14/11/17 21:53, Doug Beattie wrote:
> > The question is, if we issue Code Signing certificates via P12 files
> > in compliance with the Code Signing standard, are we out of compliance
> > with the Mozilla policy? How do you recommend we respond to this
> > checklist question?
>
> Mozilla does not have policies relating to code signing. We would therefore
> expect CAs to arrange things such that their code signing activities fall outside
> the scope of the Mozilla policy. The scope statement is in the policy section 1.1,
> and it seems to me that the easiest technical way to achieve this is to do code
> signing activities under an intermediate which is technically constrained so it
> cannot issue email or server certs.
>
> > And the same for S/MIME and SSL certificates. If CAs generate and
> > then securely distribute the keys to the subscribers using similar
> > methods, is that permitted provided we implement similar security, or
> > does that practice need to immediately stop? Your guidance in this
> > area would be appreciated.
>
> For SSL, I would say it needs to immediately stop. Although see:
> https://github.com/mozilla/pkipolicy/issues/107
>
> For S/MIME, as you can see, the Problematic Practices page permits it.
>
> > Side question: Is there a deadline when you expect to receive
> > self-assessments from all CAs? We've found that complying with the
> > checklist means a major update to our CPS (among other things...), and
> > I suspect most other CAs will also need a major update.
>
> I believe Kathleen did put a date in the CA Communication. If you need more
> time, contact certificates@mozilla dot org with your good reasons :-)
>
> Gerv
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
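The scope question the thread turns on (does an intermediate's extendedKeyUsage still let it issue server or email certificates?) can be checked mechanically. The following is an added example, not code from the thread or from Mozilla: it parses a DER-encoded extendedKeyUsage value without third-party libraries and classifies it by the id-kp-serverAuth / id-kp-emailProtection rule stated above; the sample EKU bytes are constructed here, and treating a missing EKU or anyExtendedKeyUsage as "in scope" is this example's assumption.

```python
# Added example: classify an intermediate CA's extendedKeyUsage as inside
# or outside Mozilla policy scope. Pure-Python DER parsing, constructed data.

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
ANY_EKU = "2.5.29.37.0"          # anyExtendedKeyUsage: no EKU constraint at all
IN_SCOPE_OIDS = {SERVER_AUTH, EMAIL_PROTECTION, ANY_EKU}

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for one DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:            # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)   # base-128; high bit set on all but the last byte
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_eku(der):
    """Parse ExtKeyUsageSyntax (SEQUENCE OF KeyPurposeId) into dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(content))
    return oids

def in_mozilla_scope(eku_der):
    # No EKU extension (None) leaves the CA unconstrained, so it is in scope;
    # otherwise in scope iff serverAuth, emailProtection or anyEKU is listed.
    return eku_der is None or bool(IN_SCOPE_OIDS & set(parse_eku(eku_der)))

# Constructed DER: EKU = {codeSigning} versus EKU = {serverAuth, codeSigning}
CODE_SIGNING_ONLY = bytes.fromhex("300a06082b06010505070303")
SERVER_AND_CODE_SIGNING = bytes.fromhex("301406082b0601050507030106082b06010505070303")
```

A code-signing-only intermediate comes back out of scope, while one that also lists serverAuth, or that carries no EKU at all, stays inside the policy.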

