Thanks Gerv.
Code signing certificates don't contain EKU of id-kp-serverAuth, id-kp-emailProtection so it's out of scope for the policy. I didn't take the statement "key pairs for signer" and narrow that down to "S/MIME signing", now I get it.
For S/MIME you said the Problematic Practices page permits CAs to generate keys, but to be clear, it's only permitted for the Encryption certificates, and not for S/MIME signature certificates. If you have one S/MIME cert for both signing and encryption then CAs must not generate the key pairs. Is that right?
> > The question is, if we issue Code Signing certificates via P12 files
> > in compliance with the Code Signing standard, are we out of compliance
> > with the Mozilla policy? How do you recommend we respond to this
> > checklist question?
>
> Mozilla does not have policies relating to code signing. We would therefore
> expect CAs to arrange things such that their code signing activities fall outside
> the scope of the Mozilla policy. The scope statement in the policy section 1.1,
> and it seems to me that the easiest technical way to achieve this is to do code
> signing activities under an intermediate which is technically constrained so it
> cannot issue email or server certs.
>
> > And the same for S/MIME and SSL certificates. If CAs generate and
> > then securely distribute the keys to the subscribers using similar
> > methods, is that permitted provided we implement similar security, or
> > does that practice need to immediately stop? Your guidance in this
> > area would be appreciated.
>
> > Side question: Is there a deadline when you expect to receive
> > self-assessments from all CAs? We've found that complying with the
> > checklist means a major update to our CPS (among other things...), and
> > I suspect most other CAs will also need a major update.
>
> I believe Kathleen did put a date in the CA Communication. If you need more
> time, contact certificates@mozilla dot org with your good reasons :-)
>
> Gerv
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
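The scope test discussed in this thread (a certificate is in scope of the Mozilla policy when its EKU contains id-kp-serverAuth or id-kp-emailProtection, so a code-signing intermediate whose EKU lacks both is technically constrained out of scope) can be checked mechanically. The following is an added example, not code from the thread or from Mozilla: it parses the DER-encoded ExtKeyUsageSyntax value of an extendedKeyUsage extension with a small hand-written ASN.1 reader and applies the scope rule. The EKU byte strings it operates on are constructed inline; the treatment of a missing EKU or anyExtendedKeyUsage as "unrestricted, hence in scope" is an assumption stated in the code.

```python
"""Classify a certificate's extendedKeyUsage against the Mozilla policy scope.

Added example for the dev-security-policy thread above; not Mozilla's code.
Works directly on the DER value of the EKU extension (SEQUENCE OF OID), so it
needs no third-party library.
"""

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"

# The two EKUs the thread names as bringing a certificate into scope.
IN_SCOPE_EKUS = {ID_KP_SERVER_AUTH, ID_KP_EMAIL_PROTECTION}


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV (used to build test input)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return b"\x06" + _der_len(len(out)) + bytes(out)


def encode_eku(oids):
    """Encode ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_oid(content):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    if not content:
        raise ValueError("empty OID")
    arcs = [content[0] // 40, content[0] % 40]  # fine for arcs 0/1/2 with second arc < 40
    value, pending = 0, False
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("OID ends inside a multi-byte arc")
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Parse a DER ExtKeyUsageSyntax value into a list of dotted OIDs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oids.append(decode_oid(content))
    return oids


def in_mozilla_scope(eku_oids):
    """True when the EKU set leaves the certificate inside the policy scope.

    Pass None for a certificate with no EKU extension.  Assumption: a missing
    EKU or anyExtendedKeyUsage imposes no usage restriction, so such a
    certificate is treated as in scope (the conservative reading).
    """
    if eku_oids is None or ANY_EXTENDED_KEY_USAGE in eku_oids:
        return True
    return bool(IN_SCOPE_EKUS & set(eku_oids))


def classify_eku_der(der):
    """Decode an EKU extension value and report 'in-scope' or 'out-of-scope'."""
    return "in-scope" if in_mozilla_scope(decode_eku(der)) else "out-of-scope"


if __name__ == "__main__":
    # Constructed EKU values standing in for three kinds of issuing CA.
    samples = {
        "code-signing only": encode_eku([ID_KP_CODE_SIGNING]),
        "TLS server": encode_eku([ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH]),
        "S/MIME": encode_eku([ID_KP_EMAIL_PROTECTION]),
    }
    for name, der in samples.items():
        print(f"{name:18s} {decode_eku(der)} -> {classify_eku_der(der)}")
```

Run on an intermediate's EKU extension value (for instance extracted with any X.509 library), the function answers the question Gerv raises: an intermediate whose EKU is code signing only cannot issue in-scope server or e-mail certificates, whereas one carrying serverAuth or emailProtection, or no EKU at all, stays within the policy.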