On 20/04/2018 21:59, Wayne Thayer wrote:
On Tue, Apr 17, 2018 at 6:10 AM, Buschart, Rufus via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

I believe the wording "insecure electronic channels" leaves a lot of space
for interpretation. In corporate PKIs for email encryption it is quite
common to transfer centrally generated email encryption p12-files to mobile
device management systems, email encryption gateways or directly to mobile
devices using a wide variety of 'electronic channels'. From the proposed
wording it doesn't seem to be clear which of those channels are 'insecure'
and which are not. Even if not that common, the same applies to email
signature p12-files for, e.g., email signature on mail gateways or mobile
devices. Most of the mobile devices out in the field support neither
hardware tokens, key-pair generation in the mailer software, nor installation
of downloaded p12-files (prohibited by app sandboxing).

Maybe it would be possible to restrict the new wording to the EKU
kp-ServerAuth first and have a detailed discussion about email-encryption
and user authentication with more interested parties in the next months?


Again, this is not new wording. It's already a requirement:
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Distributing_Generated_Private_Keys_in_PKCS.2312_Files

Having said that, could we instead be more specific by replacing "insecure
electronic channels" with "unencrypted email"? Limiting the scope of this
statement to id-kp-serverAuth is meaningless since we forbid CA key
generation for server certificates.


That would allow unencrypted HTTP, unencrypted FTP, unencrypted TFTP
etc. etc.  It would also allow 40-bit encrypted connections (they are
insecure but unencrypted).  The list of insecure electronic channels is
infinite.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded