On 14/11/17 21:53, Doug Beattie wrote > The question is, if we issue Code Signing certificates via P12 files > in compliance with the Code Signing standard, are we out of > compliance with the Mozilla policy? How do you recommend we respond > to this checklist question?
Mozilla does not have policies relating to code signing. We would therefore expect CAs to arrange things such that their code signing activities fall outside the scope of the Mozilla policy. The scope statement in the policy section 1.1, and it seems to me that the easiest technical way to achieve this is to do code signing activities under an intermediate which is technically constrained so it cannot issue email or server certs. > And the same for S/MIME and SSL certificates. If CAs generate and > then securely distribute the keys to the subscribers using similar > methods, is that permitted provided we implement similar security, or > does that practice need to immediately stop? Your guidance in this > area would be appreciated. For SSL, I would say it needs to immediately stop. Although see: https://github.com/mozilla/pkipolicy/issues/107 For S/MIME, as you can see, the Problematic Practices page permits it. > Side question: Is there a deadline when you expect to receive > self-assessments from all CAs? We've found that complying with the > checklist means a major update to our CPS (among other things...), > and I suspect most other CAs will also need a major update. I believe Kathleen did put a date in the CA Communication. If you need more time, contact certificates@mozilla dot org with your good reasons :-) Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
