As I was reading this very interesting thread, I kept asking myself
"what are we trying to protect". Are we trying to protect a "Private
Key" or a "PKCS#12" file? I suppose the consensus of the community,
based mainly on compatibility issues, is that we can't avoid the
solution of a PKCS#12 file, so we need to figure out how to send this
file with reasonable security to the Subscriber.
We have two areas of concern:
1. How to prevent an attacker from getting the PKCS#12 file
2. If an attacker obtains the PKCS#12 file, make sure the encryption is
reasonable and endurable to practically sustain a decryption attempt
that would practically take longer to crack than the lifetime of the
Certificate
For area 1, the file must be distributed via secure channel. Some
recommendations:
1. Web page (protected by https) via authentication of the Subscriber
2. S/MIME encrypted email by using an existing Subscriber valid
Certificate
3. Some might also use pgp for S/MIME
4. Registered post, if delivered in a simple USB
5. Registered, or not registered post, if delivered in a FIPS 140-2
Level 3 USB drive
6. ...
7. ...
Do we need to expand on this list? What if there are other
equally-secure methods that we haven't listed? This definitely doesn't
look like a policy text to me. It describes very specific
practices/procedures that should be the CA's job to discover and
Auditor's to verify, but I also understand that in practice, some CAs
haven't demonstrated good judgment on these topics and auditors didn't
help either.
For area 2, obviously, if an attacker obtains the PKCS#12 file and has
infinite time, the key will be decrypted. I believe the discussion
resulted in two dominating factors:
* The encryption algorithms in the PKCS#12 file
* The password quality
For the encryption algorithms, I recommend that we defer to other
organization's guidelines, such as SOGIS, NIST or ETSI, that have
extensively studied the "strength" of encryption algorithms. I can't
tell if this community or Mozilla is confident enough to choose a
specific set of "approved" encryption algorithms.
For the password quality, we should follow the definition of a "Random
Value" as described in the Baseline Requirements
*"Random Value*: A value specified by a CA to the Applicant that
exhibits at least 112 bits of entropy."
And yes, I would also recommend the usage of a CSPRNG. With that said,
even if this process (performed by the CA) produces complex passwords
that contain special characters and (in an unlikely event) might take 20
minutes to type, it is still going to be used "just once" and the
Subscriber can then do whatever he/she wants with it. The Subscriber can
change the passphrase to "1234" for all we care. As far as the CA is
concerned, the main job is done. The file has been encrypted with a
reasonably secure algorithm and protected with a reasonably secure
passphrase.
Of course the passphrase will be delivered separately!
Finally, I would like to ask if the community thinks that it's
reasonable to put all of our protection efforts on area 2. If we raise
the bar on area 2 (the proper protection of the PKCS#12 file), we don't
need to worry "too much" about area 1. We could even send a file via
plain e-mail because it won't matter if the attacker obtains the file.
It is already encrypted securely. I would still recommend both but I
also understand the convenience of the Subscribers and the delivery
methods for some of these files in types of devices that I am not aware
of (IoT, some smart phones, etc).
Dimitris.