On Wed, Apr 4, 2018 at 3:15 PM, Ryan Hurst via dev-security-policy <[email protected]> wrote:

> Some thoughts:
>
> 1 - Should additional text be included to mandate strong cipher suites (
> http://unmitigatedrisk.com/?p=543) be used; it is not uncommon for me to
> find PKCS#12s with very weak cryptographic algorithms in use. Such guidance
> would be limited by Windows which does not support modern cryptographic
> algorithms for key protection but having some standard would be better than
> none though it would potentially hurt interoperability for those use cases
> if the chosen suites were not uniform.
>
Do we even need the section on PKCS12? It seems like an edge case to me.

> 2 - Should additional text be included to mandate that CA resellers
> cannot be used as an escape to this requirement; e.g. today a CA may simply
> rely on a third-party to implement this practice to stay in conformance
> with the policy.
>
I'm of the opinion, as expressed by others in the Trustico thread, that we
should not attempt to set policy for resellers. It would be quite difficult
to enforce, and as you pointed out in that thread, quite difficult to
distinguish a reseller that is also managing the certificate (e.g. a
hosting provider).

> 3 - Should additional text be included to require that the user provide
> part or all of the secret used as the "password" on the PKCS#12 file and
> that the CA cannot store the user-provided value?
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy