On Fri, May 4, 2018 at 1:25 PM Carl Mehner via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> Hey Doug, > > On Friday, May 4, 2018 at 3:00:03 PM UTC-5, Doug Beattie wrote: > > Hey Wayne, > > > > This should be a really easy thing, but it's not. > > > > First comments on this: "MUST be encrypted and signed; or, MUST have a > password that..." > > - Isn't the password the key used for encryption? I'm not sure if the > "or" makes sense since in both cases the password is the key for encryption > > The password is used through a round of hashes (or a pbkdf, depending on > the algorithm) to create a set of bits that are used as a key. (see > paragraph 6 here: https://www.cem.me/20150315-cert-binaries-6.html) > > > - In general, I don't think PKCS#12 files are signed, so I'd leave that > out, a signature isn't necessary. I could be wrong... > > That goes back to Ryan's comment here: > > https://groups.google.com/d/msg/mozilla.dev.security.policy/SYC0d1YgXtI/slRunsYbAgAJ > "PKCS#12 supports both symmetric and asymmetric key based protection also." > > > Yes, that is the intent. If my wording is poor, please suggest improvements. > > > > > I'd still like to see a modification on the requirement: "password MUST > be transferred using a different channel than the PKCS#12 file". A user > should be able to download the P12 and password via HTTP. Can we add an > exception for that? > > > I'd like to hear from others who think this is needed. > > What about "or a user supplied password"? > > Doesn't the current language already permit this? It does make sense if you're suggesting it to Doug as a workaround. > > -carl > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy