>From: Wayne Thayer [mailto:wtha...@mozilla.com] >Sent: Monday, May 7, 2018 8:43 PM >To: Doug Beattie <doug.beat...@globalsign.com> >Cc: Ryan Hurst <ryan.hu...@gmail.com>; mozilla-dev-security-policy ><mozilla-dev-security->pol...@lists.mozilla.org> >Subject: Re: Bit encoding (AW: Policy 2.6 Proposal: Add prohibition on CA key >generation to policy) > >Doug, > >On Mon, May 7, 2018 at 11:24 AM Doug Beattie via dev-security-policy ><mailto:dev-security->pol...@lists.mozilla.org> wrote: >> -----Original Message----- >> From: dev-security-policy [mailto:mailto:dev-security-policy- >> bounces+doug.beattie=mailto:globalsign....@lists.mozilla.org] On Behalf Of >> Ryan >> Hurst via dev-security-policy >> Sent: Friday, May 4, 2018 4:35 PM >> To: mailto:mozilla-dev-security-pol...@lists.mozilla.org >> Subject: Re: Bit encoding (AW: Policy 2.6 Proposal: Add prohibition on CA key >> generation to policy) >> >> On Friday, May 4, 2018 at 1:00:03 PM UTC-7, Doug Beattie wrote: >> > First comments on this: "MUST be encrypted and signed; or, MUST have a >> password that..." >> > - Isn't the password the key used for encryption? I'm not sure if the "or" >> makes sense since in both cases the password is the key for encryption >> >> There are modes of PKCS#12 that do not use passwords. >If you're stating that we should include the use of PKCS#12 that don't use >passwords and that are >encrupted, then we need to define the parameters of the key used for that >purpose, > >Would it be enough to say that "PKCS#12 files must employ an encryption key >and algorithm that is >sufficiently strong..." (add "key and")? Sure, that works for me.
>> > - In general, I don't think PKCS#12 files are signed, so I'd leave that >> > out, a >> signature isn't necessary. I could be wrong... >> >> They may be, see: http://unmitigatedrisk.com/?p=543 >The requirement seems to imply it must be signed, and I don't think we want >that, do we? I think >should remove "or signed" and that will permit them to be signed, but not >require it. > > That's not hoe I read it. The proposed language provides the option of >'encrypted and signed' or >protected with a password'. Since your use case is 'protected with a >password', there is no requirement >for the file to be signed. OK >> >> > >> > I'd still like to see a modification on the requirement: "password MUST be >> transferred using a different channel than the PKCS#12 file". A user should >> be >> able to download the P12 and password via HTTP. Can we add an exception >> for that? >> >> Why do you want to allow the use of HTTP? >Sorry, I meant HTTPS. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy