Some thoughts:

1 - Should additional text be included to mandate that strong cipher suites (http://unmitigatedrisk.com/?p=543) be used; it is not uncommon for me to find PKCS#12s with very weak cryptographic algorithms in use. Such guidance would be limited by Windows, which does not support modern cryptographic algorithms for key protection, but having some standard would be better than none, though it would potentially hurt interoperability for those use cases if the chosen suites were not uniform.

2 - Should additional text be included to mandate that CA resellers cannot be used as an escape to this requirement; e.g. today a CA may simply rely on a third party to implement this practice to stay in conformance with the policy.

3 - Should additional text be included to require that the user provide part or all of the secret used as the "password" on the PKCS#12 file and that the CA cannot store the user-provided value?

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

