Doug, On Mon, May 7, 2018 at 11:24 AM Doug Beattie via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> > -----Original Message----- > > From: dev-security-policy [mailto:dev-security-policy- > > bounces+doug.beattie=globalsign....@lists.mozilla.org] On Behalf Of Ryan > > Hurst via dev-security-policy > > Sent: Friday, May 4, 2018 4:35 PM > > To: mozilla-dev-security-pol...@lists.mozilla.org > > Subject: Re: Bit encoding (AW: Policy 2.6 Proposal: Add prohibition on > CA key > > generation to policy) > > > > On Friday, May 4, 2018 at 1:00:03 PM UTC-7, Doug Beattie wrote: > > > First comments on this: "MUST be encrypted and signed; or, MUST have a > > password that..." > > > - Isn't the password the key used for encryption? I'm not sure if the > "or" > > makes sense since in both cases the password is the key for encryption > > > > There are modes of PKCS#12 that do not use passwords. > If you're stating that we should include the use of PKCS#12 that don't use > passwords and that are encrupted, then we need to define the parameters of > the key used for that purpose, > > > Would it be enough to say that "PKCS#12 files must employ an encryption key and algorithm that is sufficiently strong..." (add "key and")? > > > > - In general, I don't think PKCS#12 files are signed, so I'd leave > that out, a > > signature isn't necessary. I could be wrong... > > > > They may be, see: http://unmitigatedrisk.com/?p=543 > The requirement seems to imply it must be signed, and I don't think we > want that, do we? I think should remove "or signed" and that will permit > them to be signed, but not require it. > > That's not hoe I read it. The proposed language provides the option of 'encrypted and signed' or 'protected with a password'. Since your use case is 'protected with a password', there is no requirement for the file to be signed. > > > > > > > I'd still like to see a modification on the requirement: "password > MUST be > > transferred using a different channel than the PKCS#12 file". A user > should be > > able to download the P12 and password via HTTP. Can we add an exception > > for that? > > > > Why do you want to allow the use of HTTP? > Sorry, I meant HTTPS. > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy