m (updated referenced section numbers)
(updated referenced section numbers and quotes, made more clear)
=== Distributing Generated Private Keys in PKCS#12 Files ===
Section 5.2 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#52-forbidden-and-required-practices Mozilla's Root Store Policy] states: "CAs MUST NOT generate the key pairs for end-entity certificates that have an EKU extension containing the KeyPurposeIds id-kp-serverAuth or anyExtendedKeyUsage."
CAs must never generate the key pairs for signer or SSL certificates. CAs may only generate the key pairs for S/MIME certificates. Distribution or transfer of certificates in PKCS#12 form through insecure electronic channels is not allowed. If a PKCS#12 file is distributed via a physical data storage device, then:
* The storage must be packaged in a way that opening the package causes irrecoverable physical damage (e.g. a security seal).
* The PKCS#12 file must have a sufficiently secure password, and the password must not be transferred together with the storage.
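The two requirements above are easy to check mechanically on a PKCS#12 file received from a CA: does the bundled end-entity certificate carry an EKU for which the CA was not allowed to generate the key (id-kp-serverAuth or anyExtendedKeyUsage), and does the file actually require a password to open? The script below is an added example, not text or code from this wiki page or from Mozilla; it assumes only the <code>openssl</code> command-line tool (1.1.1 or later). The key pairs, certificates, PKCS#12 files and passwords it uses are constructed inside the script as test data, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the Mozilla wiki page). Assumes the openssl CLI.
# Builds throwaway PKCS#12 files (constructed test data) and checks each one for
#   1. an end-entity EKU of serverAuth or anyExtendedKeyUsage, i.e. a key the CA
#      must not have generated under Root Store Policy section 5.2, and
#   2. whether the file is really password-protected.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_p12 NAME EKU PASSWORD
# Generates a throwaway P-256 key and self-signed certificate with the given EKU,
# bundles them into $WORK/NAME.p12 protected by PASSWORD (may be empty), and
# prints the path of the resulting file.
make_p12() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -days 1 \
    -subj "/CN=$1.example" -addext "extendedKeyUsage=$2" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -out "$WORK/$1.p12" -passout "pass:$3" >/dev/null 2>&1
  echo "$WORK/$1.p12"
}

# p12_eku_check FILE PASSWORD
# Prints "violation" if the client certificate inside FILE has an EKU containing
# serverAuth or anyExtendedKeyUsage, "ok" otherwise. The text strings matched are
# the names openssl prints for those KeyPurposeIds in "openssl x509 -text".
p12_eku_check() {
  cert_text=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
              | openssl x509 -noout -text 2>/dev/null || true)
  case "$cert_text" in
    *"TLS Web Server Authentication"*|*"Any Extended Key Usage"*) echo violation ;;
    *) echo ok ;;
  esac
}

# p12_needs_password FILE
# Prints "no" if FILE opens with an empty password (its MAC verifies and the
# contents decrypt), i.e. it is effectively unprotected; "yes" otherwise.
p12_needs_password() {
  if openssl pkcs12 -in "$1" -noout -passin pass: >/dev/null 2>&1; then
    echo no
  else
    echo yes
  fi
}

# Demonstration on constructed inputs (the password below is a placeholder).
PW='correct horse battery staple'
SRV=$(make_p12 srv serverAuth "$PW")             # TLS server key: CA must not generate
ANY=$(make_p12 any anyExtendedKeyUsage "$PW")    # anyEKU: CA must not generate
MAIL=$(make_p12 mail emailProtection "$PW")      # S/MIME key: permitted
OPEN=$(make_p12 open emailProtection '')         # permitted EKU, but no password

printf 'srv.p12:  eku=%s password_required=%s\n' "$(p12_eku_check "$SRV" "$PW")"  "$(p12_needs_password "$SRV")"
printf 'any.p12:  eku=%s password_required=%s\n' "$(p12_eku_check "$ANY" "$PW")"  "$(p12_needs_password "$ANY")"
printf 'mail.p12: eku=%s password_required=%s\n' "$(p12_eku_check "$MAIL" "$PW")" "$(p12_needs_password "$MAIL")"
printf 'open.p12: eku=%s password_required=%s\n' "$(p12_eku_check "$OPEN" '')"    "$(p12_needs_password "$OPEN")"
```

The EKU check deliberately looks only at the client certificate bag (<code>-clcerts</code>) rather than any CA certificates also bundled in the file, since the policy quoted above is about end-entity certificates. The password check only tells you that some password is required; whether it is "sufficiently secure" still has to be judged against the channel it travelled over, which is exactly why the bullets above require it to travel separately from the storage device.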