On Tue, Apr 10, 2018 at 7:22 AM, Jürgen Brauckmann via dev-security-policy <
[email protected]> wrote:

>
> On 10.04.2018 at 01:10, Wayne Thayer via dev-security-policy wrote:
>
>> Getting back to the earlier question about email certificates, I am now of
>> the opinion that we should limit the scope of this policy update to TLS
>> certificates. The current language for email certificates isn't clear and
>> any attempt to fix it requires us to answer the bigger question of "under
>> what circumstances is CA key generation acceptable?"
>>
>> My updated proposal is to add the following paragraphs to section 5.3
>> “Forbidden and Required Practices”:
>>
>> CAs MUST NOT generate the key pairs for end-entity certificates, except
>> for email certificates with the Extended Key Usage extension present and
>> set to id-kp-emailProtection.
>>
>
>
> What about user certificates for logon/authentication? CN=John Doe,
> extendedKeyUsage=clientAuth? Is that different from email certificates?
>

Yes, but certificates with only the clientAuth EKU are out of scope
according to section 1.1 of the Mozilla policy.

> Wouldn't it be better to make that a positive list to really limit the
> scope of the change?
>

Yes, I think so.

=====
CAs MUST NOT generate the key pairs for end-entity certificates within the
scope of the Baseline Requirements.
=====

But this is too vague. I propose that we add the following paragraphs to
section 5.2:

CAs MUST NOT generate the key pairs for end-entity certificates that have an
EKU extension containing the KeyPurposeIds id-kp-serverAuth or
anyExtendedKeyUsage.

CAs MUST NOT distribute or transfer certificates in PKCS#12 form through
insecure electronic channels. If a PKCS#12 file is distributed via a
physical data storage device, then:
* The storage must be packaged in a way that the opening of the package
causes irrecoverable physical damage (e.g. a security seal).
* The PKCS#12 file must have a sufficiently secure password, and the
password must not be transferred together with the storage.


Here it is on GitHub:
https://github.com/mozilla/pkipolicy/commit/456f869a15b6b9ca9be1df1897852b0c508932c7

Are there any concerns with this approach?

- Wayne

> Thanks,
>    Jürgen