The optimist in me thinks we might be getting close to resolving this issue
(the last one remaining for the 2.6 policy update). Here is another
proposal that attempts to account for most of the input we've received:

Add the following to section 5.2 (Forbidden and Required Practices):

> CAs MUST NOT generate the key pairs for end-entity certificates that have
> an EKU extension containing the KeyPurposeIds id-kp-serverAuth or
> anyExtendedKeyUsage.
>
> PKCS#12 files must employ an encryption algorithm that is sufficiently
> strong to protect the key pair for its useful life based on current
> guidelines published by a recognized standards body. PKCS#12 files MUST be
> encrypted and signed; or, MUST have a password that exhibits at least 112
> bits of entropy, and the password MUST be transferred using a different
> channel than the PKCS#12 file.
>

This isn't perfect. I would appreciate your comments if you have
significant concerns with this proposed policy.

- Wayne
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
