Hi Gerv and Kathleen,
We're working on the Mozilla CA self-assessment checklist and referenced requirements you have placed on CAs. On your page of Forbidden or Problematic Practices, you state that CAs must not generate private keys for sign
CAs must never generate the key pairs for signer or SSL certificates. CAs may only generate the key pairs for SMIME encryption certificates.
The Code signing standard, section 10.2.4 permits CAs to generate private keys for code signing certificates. Specifically:
If the CA or any Delegated Third Party is generating the Private Key on behalf of the Subscriber where the Private Keys will be transported to the Subscriber outside of the Signing Service's secure infrastructure, then the entity generating the Private Key MUST either transport the Private Key in hardware with an activation method that is equivalent to 128 bits of encryption or encrypt the Private Key with at least 128 bits of encryption strength. Allowed methods include using a 128-bit AES key to wrap the private key or storing the key in a PKCS 12 file encrypted with a randomly generated password of more than 16 characters containing uppercase letters, lowercase letters, numbers, and symbols for transport.
The question is, if we issue Code Signing certificates via P12 files in compliance with the Code Signing standard, are we out of compliance with the Mozilla policy? How do you recommend we respond to this checklist question?
And the same for S/MIME and SSL certificates. If CAs generate and then securely distribute the keys to the subscribers using similar methods, is that permitted provided we implement similar security, or does that practice need to immediately stop? Your guidance in this area would be appreciated.
Side question: Is there a deadline when you expect to receive self-assessments from all CAs? We've found that complying with the checklist means a major update to our CPS (among other things...), and I suspect most other CAs will also need a major update.
GMO GlobalSign, Inc.
Portsmouth, NH USA