I'm all for modern crypto, but to be honest, these are a little far away. The OIDs for Ed25519 aren't final yet, and I'm not aware of any work on putting SHA-3 in X.509 yet.
I think the right approach here is to delegate this to the BRs. --Richard On Thursday, November 5, 2015 at 3:03:05 PM UTC-5, [email protected] wrote: > I would like to see SHA-3 signatures and Ed25519/curve25519 ASAP. > The later one is not that far away [1]. > Maybe it's the right time to consider them? > > [1] https://bugzilla.mozilla.org/show_bug.cgi?id=957105 > > > Am 05.11.2015 um 19:46 schrieb Kathleen Wilson: > > The next two topics to discuss [1] have to do with section 8 of > > Mozilla’s CA Certificate Maintenance Policy. > > > > The proposals are: > > - (D15) Deprecate SHA-1 Hash Algorithms in certs. > > and > > - (D4) In item #8 of the Maintenance Policy recommend that CAs avoid > > SHA-512 and P-521, especially in their CA certificates. This is to > > ensure interoperability, as SHA-512 and (especially) P-521 are less > > well-supported than the other algorithms. (Note: On the page you > > linked to, P-521 is incorrectly spelled "P-512".) > > -- Not sure if we should make this change... > > > > Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1129083 was filed to > > remove support for certs signed using SHA-512-based signatures, but it > > was closed as invalid, and SHA-512 support was fixed via > > https://bugzilla.mozilla.org/show_bug.cgi?id=1155932 > > > > Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1129077 was filed to > > remove support for certs that use the P-521 curve. But this is still > > up for discussion. > > > > So, do we really want to add a comment to Mozilla's policy about > > limited support for SHA-512 and P-521? > > > > Here's what Mozilla's policy currently says: > > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/ > > > > ~~ > > 8. We consider the following algorithms and key sizes to be acceptable > > and supported in Mozilla products: > > - SHA-1 (until a practical collision attack against SHA-1 certificates > > is imminent); > > - SHA-256, SHA-384, SHA-512; > > - Elliptic Curve Digital Signature Algorithm (using ANSI X9.62) over > > SECG and NIST named curves P-256, P-384, and P-512; > > - RSA 2048 bits or higher; and > > - RSA 1024 bits (only until December 31, 2013). > > ~~ > > > > I recommend that we change it to the following: > > ~~ > > 8. We consider the following algorithms and key sizes to be acceptable > > and supported in Mozilla products: > > - SHA-256, SHA-384, SHA-512; > > - Elliptic Curve Digital Signature Algorithm (using ANSI X9.62) over > > SECG and NIST named curves P-256, P-384, and P-521; and > > - RSA 2048 bits or higher. > > ~~ > > > > Another option is to delete this section from Mozilla's policy, > > because it is covered by the Baseline Requirements. However, the > > Baseline Requirements allows for DSA, which Mozilla does not support. > > The “Key Sizes” section of the Baseline Requirements allows for: > > SHA‐256, SHA‐384 or SHA‐512 > > NIST P‐256, P‐384, or P‐521 > > DSA L= 2048, N= 224 or L= 2048, N= 256 > > > > > > As always, I will appreciate your thoughtful and constructive input > > into this discussion. > > > > Kathleen > > > > [1] > > https://wiki.mozilla.org/CA:CertificatePolicyV2.3#Proposed_Changes_That_Need_To_Be_Discussed > > _______________________________________________ > > dev-security-policy mailing list > > [email protected] > > https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
