CA/Forbidden or Problematic Practices: Difference between revisions

m
Line 56: Line 56:
* The distribution channels used (e.g. unencrypted email) may not be adequately secured.
* The distribution channels used (e.g. unencrypted email) may not be adequately secured.


Note: CAs must never generate the key pairs for for signer or SSL certificates. CAs may only generate the key pairs for SMIME encryption certificates. Distribution or transfer of certificates in PKCS#12 form through unsecure electronic channels is not allowed. If a PKCS#12 file is distributed via a physical data storage device, then
CAs must never generate the key pairs for for signer or SSL certificates. CAs may only generate the key pairs for SMIME encryption certificates. Distribution or transfer of certificates in PKCS#12 form through unsecure electronic channels is not allowed. If a PKCS#12 file is distributed via a physical data storage device, then
* The storage must be packaged in a way that the opening of the package causes irrecoverable physical damage. (security seal, ...)
* The storage must be packaged in a way that the opening of the package causes irrecoverable physical damage. (security seal, ...)
* The PKCS#12 file must have a sufficiently secure password, and the password must not be transferred together with the storage.
* The PKCS#12 file must have a sufficiently secure password, and the password must not be transferred together with the storage.
Confirmed users, Administrators
5,526

edits