Hi Gerv and Kathleen, We're working on the Mozilla CA self-assessment checklist and referenced requirements you have placed on CAs. On your page of Forbidden or Problematic Practices [1], you state that CAs must not generate private keys for signer certificates. CAs must never generate the key pairs for signer or SSL certificates. CAs may only generate the key pairs for SMIME encryption certificates.
The Code signing standard [2], section 10.2.4 permits CAs to generate private keys for code signing certificates. Specifically: If the CA or any Delegated Third Party is generating the Private Key on behalf of the Subscriber where the Private Keys will be transported to the Subscriber outside of the Signing Service's secure infrastructure, then the entity generating the Private Key MUST either transport the Private Key in hardware with an activation method that is equivalent to 128 bits of encryption or encrypt the Private Key with at least 128 bits of encryption strength. Allowed methods include using a 128-bit AES key to wrap the private key or storing the key in a PKCS 12 file encrypted with a randomly generated password of more than 16 characters containing uppercase letters, lowercase letters, numbers, and symbols for transport. The question is, if we issue Code Signing certificates via P12 files in compliance with the Code Signing standard, are we out of compliance with the Mozilla policy? How do you recommend we respond to this checklist question? And the same for S/MIME and SSL certificates. If CAs generate and then securely distribute the keys to the subscribers using similar methods, is that permitted provided we implement similar security, or does that practice need to immediately stop? Your guidance in this area would be appreciated. Side question: Is there a deadline when you expect to receive self-assessments from all CAs? We've found that complying with the checklist means a major update to our CPS (among other things...), and I suspect most other CAs will also need a major update. Doug [1] https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices [2] https://casecurity.org/wp-content/uploads/2016/09/Minimum-requirements-for-the-Issuance-and-Management-of-code-signing.pdf Doug Beattie Product Mangement GMO GlobalSign, Inc. Portsmouth, NH USA _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
