On 11/5/2015 10:46 AM, Kathleen Wilson wrote: > The next two topics to discuss [1] have to do with section 8 of > Mozilla’s CA Certificate Maintenance Policy. > > The proposals are: > - (D15) Deprecate SHA-1 Hash Algorithms in certs. > and > - (D4) In item #8 of the Maintenance Policy recommend that CAs avoid > SHA-512 and P-521, especially in their CA certificates. This is to > ensure interoperability, as SHA-512 and (especially) P-521 are less > well-supported than the other algorithms. (Note: On the page you linked > to, P-521 is incorrectly spelled "P-512".) > -- Not sure if we should make this change... > > Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1129083 was filed to > remove support for certs signed using SHA-512-based signatures, but it > was closed as invalid, and SHA-512 support was fixed via > https://bugzilla.mozilla.org/show_bug.cgi?id=1155932 > > Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1129077 was filed to > remove support for certs that use the P-521 curve. But this is still up > for discussion. > > So, do we really want to add a comment to Mozilla's policy about limited > support for SHA-512 and P-521? > > Here's what Mozilla's policy currently says: > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/ > ~~ > 8. We consider the following algorithms and key sizes to be acceptable > and supported in Mozilla products: > - SHA-1 (until a practical collision attack against SHA-1 certificates > is imminent); > - SHA-256, SHA-384, SHA-512; > - Elliptic Curve Digital Signature Algorithm (using ANSI X9.62) over > SECG and NIST named curves P-256, P-384, and P-512; > - RSA 2048 bits or higher; and > - RSA 1024 bits (only until December 31, 2013). > ~~ > > I recommend that we change it to the following: > ~~ > 8. We consider the following algorithms and key sizes to be acceptable > and supported in Mozilla products: > - SHA-256, SHA-384, SHA-512; > - Elliptic Curve Digital Signature Algorithm (using ANSI X9.62) over > SECG and NIST named curves P-256, P-384, and P-521; and > - RSA 2048 bits or higher. > ~~ > > Another option is to delete this section from Mozilla's policy, because > it is covered by the Baseline Requirements. However, the Baseline > Requirements allows for DSA, which Mozilla does not support. > The “Key Sizes” section of the Baseline Requirements allows for: > SHA‐256, SHA‐384 or SHA‐512 > NIST P‐256, P‐384, or P‐521 > DSA L= 2048, N= 224 or L= 2048, N= 256 > > > As always, I will appreciate your thoughtful and constructive input into > this discussion. > > Kathleen > > [1] > https://wiki.mozilla.org/CA:CertificatePolicyV2.3#Proposed_Changes_That_Need_To_Be_Discussed >
Rather than list acceptable key types and sizes, cite the Baseline Requirements along with listing exceptions, both types and sizes that are not supported but are in the BR and types and sizes that are supported but are not in the BR. I would not be surprised if the latter would be an empty list. -- David E. Ross The Crimea is Putin's Sudetenland. The Ukraine will be Putin's Czechoslovakia. See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
