info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Forbidden Practices: Subscriber key generation
318 views
Skip to first unread message
Doug Beattie
Nov 14, 2017, 4:54:36 PM11/14/17
to mozilla-dev-security-policy
Hi Gerv and Kathleen,
We're working on the Mozilla CA self-assessment checklist and referenced requirements you have placed on CAs. On your page of Forbidden or Problematic Practices [1], you state that CAs must not generate private keys for signer certificates.
CAs must never generate the key pairs for signer or SSL certificates. CAs may only generate the key pairs for SMIME encryption certificates.
The Code signing standard [2], section 10.2.4 permits CAs to generate private keys for code signing certificates. Specifically:
If the CA or any Delegated Third Party is generating the Private Key on behalf of the Subscriber where the Private Keys will be transported to the Subscriber outside of the Signing Service's secure infrastructure, then the entity generating the Private Key MUST either transport the Private Key in hardware with an activation method that is equivalent to 128 bits of encryption or encrypt the Private Key with at least 128 bits of encryption strength. Allowed methods include using a 128-bit AES key to wrap the private key or storing the key in a PKCS 12 file encrypted with a randomly generated password of more than 16 characters containing uppercase letters, lowercase letters, numbers, and symbols for transport.
The question is, if we issue Code Signing certificates via P12 files in compliance with the Code Signing standard, are we out of compliance with the Mozilla policy? How do you recommend we respond to this checklist question?
And the same for S/MIME and SSL certificates. If CAs generate and then securely distribute the keys to the subscribers using similar methods, is that permitted provided we implement similar security, or does that practice need to immediately stop? Your guidance in this area would be appreciated.
Side question: Is there a deadline when you expect to receive self-assessments from all CAs? We've found that complying with the checklist means a major update to our CPS (among other things...), and I suspect most other CAs will also need a major update.
Doug
[1] https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices
[2] https://casecurity.org/wp-content/uploads/2016/09/Minimum-requirements-for-the-Issuance-and-Management-of-code-signing.pdf
Doug Beattie
Product Mangement
GMO GlobalSign, Inc.
Portsmouth, NH USA
We're working on the Mozilla CA self-assessment checklist and referenced requirements you have placed on CAs. On your page of Forbidden or Problematic Practices [1], you state that CAs must not generate private keys for signer certificates.
CAs must never generate the key pairs for signer or SSL certificates. CAs may only generate the key pairs for SMIME encryption certificates.
The Code signing standard [2], section 10.2.4 permits CAs to generate private keys for code signing certificates. Specifically:
If the CA or any Delegated Third Party is generating the Private Key on behalf of the Subscriber where the Private Keys will be transported to the Subscriber outside of the Signing Service's secure infrastructure, then the entity generating the Private Key MUST either transport the Private Key in hardware with an activation method that is equivalent to 128 bits of encryption or encrypt the Private Key with at least 128 bits of encryption strength. Allowed methods include using a 128-bit AES key to wrap the private key or storing the key in a PKCS 12 file encrypted with a randomly generated password of more than 16 characters containing uppercase letters, lowercase letters, numbers, and symbols for transport.
The question is, if we issue Code Signing certificates via P12 files in compliance with the Code Signing standard, are we out of compliance with the Mozilla policy? How do you recommend we respond to this checklist question?
And the same for S/MIME and SSL certificates. If CAs generate and then securely distribute the keys to the subscribers using similar methods, is that permitted provided we implement similar security, or does that practice need to immediately stop? Your guidance in this area would be appreciated.
Side question: Is there a deadline when you expect to receive self-assessments from all CAs? We've found that complying with the checklist means a major update to our CPS (among other things...), and I suspect most other CAs will also need a major update.
Doug
[1] https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices
[2] https://casecurity.org/wp-content/uploads/2016/09/Minimum-requirements-for-the-Issuance-and-Management-of-code-signing.pdf
Doug Beattie
Product Mangement
GMO GlobalSign, Inc.
Portsmouth, NH USA
Gervase Markham
Nov 22, 2017, 10:57:32 AM11/22/17
to mozilla-dev-s...@lists.mozilla.org
On 14/11/17 21:53, Doug Beattie wrote
therefore expect CAs to arrange things such that their code signing
activities fall outside the scope of the Mozilla policy. The scope
statement in the policy section 1.1, and it seems to me that the easiest
technical way to achieve this is to do code signing activities under an
intermediate which is technically constrained so it cannot issue email
or server certs.
> And the same for S/MIME and SSL certificates. If CAs generate and
> then securely distribute the keys to the subscribers using similar
> methods, is that permitted provided we implement similar security, or
> does that practice need to immediately stop? Your guidance in this
> area would be appreciated.
For SSL, I would say it needs to immediately stop. Although see:
https://github.com/mozilla/pkipolicy/issues/107
For S/MIME, as you can see, the Problematic Practices page permits it.
> Side question: Is there a deadline when you expect to receive
> self-assessments from all CAs? We've found that complying with the
> checklist means a major update to our CPS (among other things...),
> and I suspect most other CAs will also need a major update.
I believe Kathleen did put a date in the CA Communication. If you need
more time, contact certificates@mozilla dot org with your good reasons :-)
Gerv
> The question is, if we issue Code Signing certificates via P12 files
> in compliance with the Code Signing standard, are we out of
> compliance with the Mozilla policy? How do you recommend we respond
> to this checklist question?
Mozilla does not have policies relating to code signing. We would
> in compliance with the Code Signing standard, are we out of
> compliance with the Mozilla policy? How do you recommend we respond
> to this checklist question?
therefore expect CAs to arrange things such that their code signing
activities fall outside the scope of the Mozilla policy. The scope
statement in the policy section 1.1, and it seems to me that the easiest
technical way to achieve this is to do code signing activities under an
intermediate which is technically constrained so it cannot issue email
or server certs.
> And the same for S/MIME and SSL certificates. If CAs generate and
> then securely distribute the keys to the subscribers using similar
> methods, is that permitted provided we implement similar security, or
> does that practice need to immediately stop? Your guidance in this
> area would be appreciated.
https://github.com/mozilla/pkipolicy/issues/107
For S/MIME, as you can see, the Problematic Practices page permits it.
> Side question: Is there a deadline when you expect to receive
> self-assessments from all CAs? We've found that complying with the
> checklist means a major update to our CPS (among other things...),
> and I suspect most other CAs will also need a major update.
more time, contact certificates@mozilla dot org with your good reasons :-)
Gerv
Doug Beattie
Nov 22, 2017, 1:29:35 PM11/22/17
to Gervase Markham, mozilla-dev-s...@lists.mozilla.org
Thanks Gerv.
Code signing certificates don't contain EKU of id-kp-serverAuth, id-kp-emailProtection so it's out of scope for the policy. I didn't take the statement "key pairs for signer" and narrow that down to "S/MIME signing", now I get it.
For S/MIME you said the Problematic Practices page permits CAs to generate keys, but to be clear, it's only permitted for the Encryption certificates, and not for S/MIME signature certificates. If you have one S/MIME cert for both signing and encryption then CAs must not generate the keys pairs. Is that right?
> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+doug.beattie=globals...@lists.mozilla.org] On Behalf Of Gervase
> Markham via dev-security-policy
> Sent: Wednesday, November 22, 2017 10:57 AM
> To: mozilla-dev-s...@lists.mozilla.org
> Subject: Re: Forbidden Practices: Subscriber key generation
>
> On 14/11/17 21:53, Doug Beattie wrote
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
Code signing certificates don't contain EKU of id-kp-serverAuth, id-kp-emailProtection so it's out of scope for the policy. I didn't take the statement "key pairs for signer" and narrow that down to "S/MIME signing", now I get it.
For S/MIME you said the Problematic Practices page permits CAs to generate keys, but to be clear, it's only permitted for the Encryption certificates, and not for S/MIME signature certificates. If you have one S/MIME cert for both signing and encryption then CAs must not generate the keys pairs. Is that right?
> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+doug.beattie=globals...@lists.mozilla.org] On Behalf Of Gervase
> Markham via dev-security-policy
> Sent: Wednesday, November 22, 2017 10:57 AM
> To: mozilla-dev-s...@lists.mozilla.org
> Subject: Re: Forbidden Practices: Subscriber key generation
>
> On 14/11/17 21:53, Doug Beattie wrote
> > The question is, if we issue Code Signing certificates via P12 files
> > in compliance with the Code Signing standard, are we out of compliance
> > with the Mozilla policy? How do you recommend we respond to this
> > checklist question?
>
> > in compliance with the Code Signing standard, are we out of compliance
> > with the Mozilla policy? How do you recommend we respond to this
> > checklist question?
>
> Mozilla does not have policies relating to code signing. We would therefore
> expect CAs to arrange things such that their code signing activities fall outside
> the scope of the Mozilla policy. The scope statement in the policy section 1.1,
> and it seems to me that the easiest technical way to achieve this is to do code
> signing activities under an intermediate which is technically constrained so it
> cannot issue email or server certs.
>
> expect CAs to arrange things such that their code signing activities fall outside
> the scope of the Mozilla policy. The scope statement in the policy section 1.1,
> and it seems to me that the easiest technical way to achieve this is to do code
> signing activities under an intermediate which is technically constrained so it
> cannot issue email or server certs.
>
> > And the same for S/MIME and SSL certificates. If CAs generate and
> > then securely distribute the keys to the subscribers using similar
> > methods, is that permitted provided we implement similar security, or
> > does that practice need to immediately stop? Your guidance in this
> > area would be appreciated.
>
> > then securely distribute the keys to the subscribers using similar
> > methods, is that permitted provided we implement similar security, or
> > does that practice need to immediately stop? Your guidance in this
> > area would be appreciated.
>
> For SSL, I would say it needs to immediately stop. Although see:
> https://github.com/mozilla/pkipolicy/issues/107
>
> For S/MIME, as you can see, the Problematic Practices page permits it.
>
> https://github.com/mozilla/pkipolicy/issues/107
>
> For S/MIME, as you can see, the Problematic Practices page permits it.
>
> > Side question: Is there a deadline when you expect to receive
> > self-assessments from all CAs? We've found that complying with the
> > checklist means a major update to our CPS (among other things...), and
> > I suspect most other CAs will also need a major update.
>
> > self-assessments from all CAs? We've found that complying with the
> > checklist means a major update to our CPS (among other things...), and
> > I suspect most other CAs will also need a major update.
>
> I believe Kathleen did put a date in the CA Communication. If you need more
> time, contact certificates@mozilla dot org with your good reasons :-)
>
> Gerv
> _______________________________________________
> time, contact certificates@mozilla dot org with your good reasons :-)
>
> Gerv
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
0 new messages