We should allow someone to obtain/view the P12 password and to download the P12 over an authenticated web site (managed portal), and that seems to be precluded by the definition below.
Doug
From: Tim Hollebeek [mailto:
tim.ho...@digicert.com]
Sent: Monday, April 30, 2018 3:05 PM
To: Wayne Thayer <
wth...@mozilla.com>
Cc: Doug Beattie <
doug.b...@globalsign.com>; Buschart, Rufus <
rufus.b...@siemens.com>; mozilla-dev-security-policy <
mozilla-dev-s...@lists.mozilla.org>; Wichmann, Markus Peter <
markus....@siemens.com>; Enrico Entschew <
enr...@entschew.com>; Grotz, Florian <
floria...@siemens.com>; Heusler, Juergen <
juergen...@siemens.com>
Subject: RE: Policy 2.6 Proposal: Add prohibition on CA key generation to policy
OOB passwords are generally tough to integrate into automation, and if the channel really is “secure” then they might not be buying you anything, depending where the “secure” channel starts and ends and how it is authenticated.
That might not be a GOOD reason to allow it, but it is the one reason that comes to mind. Taking the other side, I’d argue that it’s unlikely that the “secure” channel stretches unbroken from the site of key generation to the key loading/usage site. And it’s possible that “secure” is being used incorrectly, and the channel is encrypted but not authenticated. In that case, having a strong password does help for at least a portion of the transmission.
-Tim
From: Wayne Thayer [mailto:
wth...@mozilla.com]
Sent: Monday, April 30, 2018 2:25 PM
To: Tim Hollebeek <
tim.ho...@digicert.com>
Cc: Doug Beattie <
doug.b...@globalsign.com>; Buschart, Rufus <
rufus.b...@siemens.com>; mozilla-dev-security-policy <
mozilla-dev-s...@lists.mozilla.org>; Wichmann, Markus Peter <
markus....@siemens.com>; Enrico Entschew <
enr...@entschew.com>; Grotz, Florian <
floria...@siemens.com>; Heusler, Juergen <
juergen...@siemens.com>
Subject: Re: Policy 2.6 Proposal: Add prohibition on CA key generation to policy
The current policy seems inconsistent on the trust placed in passwords to protect PKCS#12 files. On one hand, it forbids transmission via insecure electronic channels regardless of password protection. But it goes on to permit transmission of PKCS#12 files on a storage device as long as a "sufficiently strong" password is delivered via a different means. If we trust PKCS#12 encryption with a strong password (it's not clear that we should [1]), then the policy could be:
PKCS#12 files SHALL have a password containing at least 64 bits of output from a CSPRNG, and the password SHALL be transferred using a different channel than the PKCS#12 file.
This eliminates the need for separate rules pertaining to physical storage devices.
Is there a good reason to allow transmission of PKCS#12 files with weak/no passwords over "secure" channels?
[1]
http://unmitigatedrisk.com/?p=543
On Mon, Apr 30, 2018 at 10:46 AM, Tim Hollebeek <mailto:
tim.ho...@digicert.com> wrote:
Once again, CSPRNGs are not overkill. They are widely available in virtually every
programming language in existence these days. I have never understood why
there is so much pushback against something that often appears near the top of
many top ten lists about basic principles for secure coding.
Also, while I'm responding, and since it got copied into your proposal, 32 bits is
still way too small.
"irrecoverable physical damage" ? You want to go beyond tamper evident,
and even tamper responsive, and require self-destruction on tamper??
I personally think we probably want to get out of the area of writing
requirements about physical distribution. They're VERY hard to get right.
That is copied from the current policy, and while it's confusing I believe it just means 'tamper evident'.
-Tim
> -----Original Message-----
> From: dev-security-policy [mailto:
mailto:dev-security-policy-
> bounces+tim.hollebeek=mailto:
digice...@lists.mozilla.org] On Behalf Of Doug
> Beattie via dev-security-policy
> Sent: Monday, April 30, 2018 1:06 PM
> To: Buschart, Rufus <mailto:
rufus.b...@siemens.com>; mozilla-dev-security-
> policy <mailto:
mozilla-dev-s...@lists.mozilla.org>
> Cc: Wichmann, Markus Peter <mailto:
markus....@siemens.com>; Enrico
> Entschew <mailto:
enr...@entschew.com>; Grotz, Florian
> <mailto:
floria...@siemens.com>; Heusler, Juergen
> <mailto:
juergen...@siemens.com>; Wayne Thayer <mailto:
wth...@mozilla.com>
> Subject: RE: Policy 2.6 Proposal: Add prohibition on CA key generation to policy
>
>
> I agree we need to tighten up Wayne's initial proposal a little.
>
> -----
> Initial proposal (Wayne):
>
> CAs MUST NOT distribute or transfer certificates in PKCS#12 form through
> insecure electronic channels. The PKCS#12 file must have a sufficiently secure
> password, and the password must not be transferred together with the file. If a
> PKCS#12 file is distributed via a physical data storage device, then the storage
> must be packaged in a way that the opening of the package causes
> irrecoverable physical damage. (e.g. a security seal)
>
> > CAs MUST NOT distribute or transfer certificates in PKCS#12 form
> > through insecure electronic channels. The PKCS#12 file must have a
> > sufficiently secure password, and the password must not be transferred
> > mailto:
mailto:
rufus.b...@siemens.com
> >
http://www.twitter.com/siemens
> >
> >
http://www.siemens.com/ingenuityforlife
> >
> > Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim
> > Hagemann Snabe; Managing Board: Joe Kaeser, Chairman, President and
> > Chief Executive Officer; Roland Busch, Lisa Davis, Klaus Helmrich,
> > Janina Kugel, Cedrik Neike, Michael Sen, Ralf P. Thomas; Registered
> > offices: Berlin and Munich, Germany; Commercial registries: Berlin
> > Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322
> >
> > > -----Ursprüngliche Nachricht-----
> > > Von: dev-security-policy
> > > [mailto:
mailto:dev-security-policy-bounces%2Brufus.buschart=siemens.com@lists
> > > .m
http://ozilla.org] Im Auftrag von Wayne Thayer via dev-security-policy
> > > Gesendet: Freitag, 27. April 2018 19:30
> > > An: Enrico Entschew
> > > Cc: mozilla-dev-security-policy
> > > Betreff: Re: Policy 2.6 Proposal: Add prohibition on CA key
> > > generation to policy
> > >
> > > On Fri, Apr 27, 2018 at 6:40 AM, Enrico Entschew via
> > > dev-security-policy <
> > mailto:
dev-secur...@lists.mozilla.org> wrote:
> > >
> > > > I suggest to make the requirement „* The PKCS#12 file must have a
> > > > sufficiently secure password, and the password must be transferred
> > > > via a separate channel than the PKCS#12 file.” binding for both
> > > > transfer methods and not be limited to physical data storage.
> > > > Otherwise I agree with this proposal.
> > > >
> > > > Enrico
> > > >
> > > > That seems like a good and reasonable change, resulting in the
> > > > following
> > > policy:
> > >
> > > CAs MUST NOT generate the key pairs for end-entity certificates that
> > > have EKU extension containing the KeyPurposeIds id-kp- serverAuth or
> > anyExtendedKeyUsage.
> > >
> > > CAs MUST NOT distribute or transfer certificates in PKCS#12 form
> > > through insecure electronic channels. The PKCS#12 file must have a
> > > sufficiently secure password, and the password must not be
> > > transferred together with the file. If a PKCS#12 file is distributed
> > > via a physical data storage device, then the storage must be
> > > packaged in a way that the opening of the package causes
> > > irrecoverable physical damage. (e.g. a security seal)
> > >