Hi Ben, if a party is relying on a 7+ year old CA, would they not want to consult / know the policies and practices that were in place at the time the CA's keys were generated or during the first years of its lifetime?
Thanks - Arvid
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
dev-security-po...@mozilla.org.
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZRMjYzP7peUtRfK-0P9OhxA4wYDB5OzfbsZ5kgOxy6wg%40mail.gmail.com.
I don’t see the point of keeping the old CPS docs after the 7-year requirement as everything after the 7-year archive period is purged. No one should be operating under the old CPS docs at that time. Can you imagine if we were protecting root keys the same way we did 30 years ago? Or doing the validation the same way.
The only relevant section in old CPS docs that I’m aware of is key generation. Key generation is a rather short section in CPS docs without a lot of detail. The detail is in the key ceremony docs. If you want to enforce records on key ceremonies, require retention of those rather than the CPS docs.
Here are some sample key generation sections from CPS docs:
CA key pairs are generated by trusted roles and using a cryptographic hardware device. Typically, the cryptographic hardware is evaluated to FIPS 140‐1 Level 3 and EAL 4+. Community requirements may specify a lower version of control. DigiCert creates auditable evidence during the key generation process to prove that the CP/CPS was followed and role separation was enforced during the key generation process.
For Root CA Key Pairs created under this CPS Sectigo:
• prepares and follows a Key Generation Script,
• has a Qualified Auditor witness the Root CA Key Pair generation process or records a video of the entire Root CA Key Pair generation process, and
• has a Qualified Auditor issue a report opining that the CA followed its key ceremony during its Key and Certificate generation process and the controls used to ensure the integrity and confidentiality of the Key Pair.
The CAs will perform the following when generating a CA Key Pair: (i) Prepare and follow a Key Pair generation script; (ii) Have a qualified auditor witness the CA Key Pair generation process; (iii) Have a qualified auditor issue a report opining that the CA followed its CA Key Pair generation ceremony during its key generation process and the controls to ensure the integrity and confidentiality of the CA Key Pair; (iv) Generate the CA Key Pair in a physically secured environment; (v) Generate the CA Key Pair using personnel in Trusted Roles under the principles of multiple person control and split knowledge; (vi) Generate the CA Key Pair within cryptographic modules meeting the applicable requirements of §6.2.11; (vii) Log its CA Key Pair generation activities; and (viii) Maintain effective controls to provide reasonable assurance that the Private Key was generated and protected in conformance with the procedures described in this CPS and (if applicable) its CA Key Pair generation script.
From: dev-secur...@mozilla.org <dev-secur...@mozilla.org>
On Behalf Of Pedro Fuentes
Sent: Monday, March 28, 2022 2:46 AM
To: dev-secur...@mozilla.org
Cc: bwi...@mozilla.com <bwi...@mozilla.com>; dev-secur...@mozilla.org <dev-secur...@mozilla.org>; Pedro Fuentes <pfuen...@gmail.com>
Subject: Re: Policy 2.8: MRSP Issue #185: Require publication of outdated CA policy documents
Yes... That's how I see it... As long as there's any active Root or Intermediate that is affected by a version of the CP/CPS, it should be published.