Hi Gerv and Kathleen,
We're working on the Mozilla CA self-assessment checklist and referenced
requirements you have placed on CAs. On your page of Forbidden or Problematic
Practices [1], you state that CAs must not generate private keys for signer
certificates.
CAs must never generate the key pairs for signer or SSL certificates. CAs may
only generate the key pairs for SMIME encryption certificates.
The Code signing standard [2], section 10.2.4 permits CAs to generate private
keys for code signing certificates. Specifically:
If the CA or any Delegated Third Party is generating the Private Key on behalf
of the Subscriber where the Private Keys will be transported to the Subscriber
outside of the Signing Service's secure infrastructure, then the entity
generating the Private Key MUST either transport the Private Key in hardware
with an activation method that is equivalent to 128 bits of encryption or
encrypt the Private Key with at least 128 bits of encryption strength. Allowed
methods include using a 128-bit AES key to wrap the private key or storing the
key in a PKCS 12 file encrypted with a randomly generated password of more than
16 characters containing uppercase letters, lowercase letters, numbers, and
symbols for transport.
The question is, if we issue Code Signing certificates via P12 files in
compliance with the Code Signing standard, are we out of compliance with the
Mozilla policy? How do you recommend we respond to this checklist question?
And the same for S/MIME and SSL certificates. If CAs generate and then
securely distribute the keys to the subscribers using similar methods, is that
permitted provided we implement similar security, or does that practice need to
immediately stop? Your guidance in this area would be appreciated.
Side question: Is there a deadline when you expect to receive self-assessments
from all CAs? We've found that complying with the checklist means a major
update to our CPS (among other things...), and I suspect most other CAs will
also need a major update.
Doug
[1] https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices
[2] https://casecurity.org/wp-content/uploads/2016/09/Minimum-requirements-for-the-Issuance-and-Management-of-code-signing.pdf
Doug Beattie
Product Management
GMO GlobalSign, Inc.
Portsmouth, NH USA
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
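A check for the PKCS#12 transport-password rule quoted in the message above (more than 16 characters; uppercase, lowercase, numbers and symbols; 128 bits of strength), added here as an illustration and not part of Doug's message or of any CA's tooling. The symbol set, the function names and the entropy calculation are my own assumptions; the code also computes the length a uniformly random password needs to actually reach 128 bits for a given alphabet.

```python
import math
import secrets
import string
from typing import Optional

# Character classes named in the quoted code-signing requirement.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# Constructed symbol set (assumption): quotes and backslash are left out so the
# password survives shell and config-file handling without escaping.
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS

MIN_LENGTH = 17          # "more than 16 characters"
REQUIRED_BITS = 128.0    # "at least 128 bits of encryption strength"


def meets_transport_password_policy(password: str) -> bool:
    """True if the password satisfies the quoted length and character-class rule."""
    if len(password) < MIN_LENGTH:
        return False
    return all(any(ch in cls for ch in password) for cls in (UPPER, LOWER, DIGITS, SYMBOLS))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def length_for_bits(bits: float = REQUIRED_BITS, alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest length whose uniform-random entropy reaches the requested bits."""
    return math.ceil(bits / math.log2(alphabet_size))


def generate_transport_password(length: Optional[int] = None) -> str:
    """Generate a CSPRNG password meeting both the character-class rule and the
    128-bit target; the default length is whichever of the two is larger."""
    if length is None:
        length = max(MIN_LENGTH, length_for_bits())
    # Rejection sampling keeps the result uniform over the accepted set instead
    # of forcing fixed positions for each character class.
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_transport_password_policy(candidate):
            return candidate
```

With the 90-character alphabet above, 17 characters give about 110 bits, so a CA targeting the 128-bit figure rather than only the character-count rule needs 20 characters.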