Am Montag, 30. April 2018 08:25:39 UTC+2 schrieb Buschart, Rufus: > ---=== Intern ===--- > Hello! > > I would like to suggest to rephrase the central sentence a little bit: > > Original: > > CAs MUST NOT distribute or transfer certificates in PKCS#12 form through > insecure electronic channels. The PKCS#12 file must have a sufficiently > secure password, and the password must not be transferred together with the > file. > > Proposal: > > CAs SHOULD NOT distribute or transfer certificates in PKCS#12 form through > insecure electronic channels. If the CA chooses to do so, the PKCS#12 file > SHALL have a password containing at least 32 bit of output from a CSPRNG, > and the password SHALL be transferred using a different channel as the > PKCS#12 file. > > > My proposal would allow a CA to centrally generate a P12 file, send it to the > Subject by unencrypted email and send the P12 pin as a SMS or Threema > message. This is an important use case if you want to have email encryption > on a mobile device that is not managed by a mobile device management system. > Additionally I made the wording a little bit more rfc2119-ish and made clear, > what defines a 'sufficiently secure password' as the original wording lets a > lot of room for 'interpretation'. > > What do you think? > > /Rufus > > Absolutely understandable and meaningful. I support this change. Enrico _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Policy 2.6 Proposal: Add prohibition on CA key generation to policy
Enrico Entschew via dev-security-policy Mon, 30 Apr 2018 05:36:08 -0700
- Re: Poli... Wayne Thayer via dev-security-policy
- RE: Poli... Tim Hollebeek via dev-security-policy
- RE: Poli... Doug Beattie via dev-security-policy
- Re: Poli... Ryan Hurst via dev-security-policy
- Re: Poli... Ryan Hurst via dev-security-policy
- RE: Poli... Tim Hollebeek via dev-security-policy
- Re: Poli... Ryan Hurst via dev-security-policy
- Re: Poli... Wayne Thayer via dev-security-policy
- Re: Poli... Carl Mehner via dev-security-policy
- RE: Poli... Tim Hollebeek via dev-security-policy
- Re: Poli... Enrico Entschew via dev-security-policy
- RE: Policy 2.6 Proposal: Add prohi... Doug Beattie via dev-security-policy
- Re: Policy 2.6 Proposal: Add ... Wayne Thayer via dev-security-policy
- RE: Policy 2.6 Proposal: ... Buschart, Rufus via dev-security-policy