On Fri, Apr 27, 2018 at 6:40 AM, Enrico Entschew via dev-security-policy < [email protected]> wrote:
> I suggest to make the requirement "* The PKCS#12 file must have a
> sufficiently secure password, and the password must be transferred via a
> separate channel than the PKCS#12 file." binding for both transfer methods
> and not be limited to physical data storage.
> Otherwise I agree with this proposal.
>
> Enrico
>

That seems like a good and reasonable change, resulting in the following policy:

CAs MUST NOT generate the key pairs for end-entity certificates that have EKU extension containing the KeyPurposeIds id-kp-serverAuth or anyExtendedKeyUsage.

CAs MUST NOT distribute or transfer certificates in PKCS#12 form through insecure electronic channels. The PKCS#12 file must have a sufficiently secure password, and the password must not be transferred together with the file.

If a PKCS#12 file is distributed via a physical data storage device, then the storage must be packaged in a way that the opening of the package causes irrecoverable physical damage (e.g. a security seal).

Unless other comments are made, I'll consider this to be the conclusion of discussion on this topic.

Wayne