On Monday, 30 April 2018 08:25:39 UTC+2, Buschart, Rufus wrote:
> ---=== Intern ===---
> Hello!
> 
> I would like to suggest to rephrase the central sentence a little bit:
> 
> Original:
> 
> CAs MUST NOT distribute or transfer certificates in PKCS#12 form through 
> insecure electronic channels. The PKCS#12 file must have a sufficiently 
> secure password, and the password must not be transferred together with the 
> file.
> 
> Proposal:
> 
> CAs SHOULD NOT distribute or transfer certificates in PKCS#12 form through 
> insecure electronic channels. If the CA chooses to do so, the PKCS#12 file 
> SHALL have a password containing at least 32 bits of output from a CSPRNG, 
> and the password SHALL be transferred using a different channel than the 
> PKCS#12 file.
> 
> 
> My proposal would allow a CA to centrally generate a P12 file, send it to the 
> Subject by unencrypted email and send the P12 PIN as an SMS or Threema 
> message. This is an important use case if you want to have email encryption 
> on a mobile device that is not managed by a mobile device management system. 
> Additionally I made the wording a little bit more RFC 2119-ish and made clear 
> what defines a 'sufficiently secure password', as the original wording leaves a 
> lot of room for 'interpretation'.
> 
> What do you think?
> 
> /Rufus
> 
> 
Absolutely understandable and meaningful. I support this change.
Enrico
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
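
An added example, not part of the thread or of the policy text: what "at least 32 bits of output from a CSPRNG" means for a PIN that has to be typed from an SMS. The two alphabets and all function names are assumptions made for this illustration.

```python
import math
import secrets

MIN_ENTROPY_BITS = 32  # threshold taken from the proposed wording

# Constructed alphabets (assumptions, not from the thread).
DIGITS = "0123456789"
# 32 symbols, 5 bits each; omits 0/O and 1/I to survive being read off a phone.
READABLE = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"


def min_length(alphabet, bits=MIN_ENTROPY_BITS):
    """Smallest length n with len(alphabet)**n >= 2**bits.

    Integer arithmetic avoids float rounding at the boundary.
    """
    if len(alphabet) < 2 or len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet needs at least 2 distinct symbols")
    n = 1
    while len(alphabet) ** n < 2 ** bits:
        n += 1
    return n


def generate_password(alphabet, bits=MIN_ENTROPY_BITS):
    """Draw each symbol uniformly from the OS CSPRNG.

    secrets.choice() is unbiased, unlike taking random bytes modulo
    len(alphabet), which would skew the distribution for the digit
    alphabet and lower the real entropy below the computed figure.
    """
    return "".join(secrets.choice(alphabet) for _ in range(min_length(alphabet, bits)))


def entropy_bits(length, alphabet):
    """Entropy of a uniformly random string of this length over alphabet."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    for name, alphabet in (("digits", DIGITS), ("readable", READABLE)):
        pw = generate_password(alphabet)
        print(f"{name:9s} length={len(pw):2d} "
              f"entropy={entropy_bits(len(pw), alphabet):.1f} bits  e.g. {pw}")
```

A numeric PIN needs 10 digits to reach the threshold; 9 digits carry just under 30 bits.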
