There are two proposals on the table...

Proposal A:
~~
8. We consider the algorithms and key sizes specified in section 6.1.5
of version 1.3 or later of the CA/Browser Forum Baseline Requirements
for the Issuance and Management of Publicly-Trusted Certificates to be
acceptable and supported in Mozilla products; with the following exceptions.
- Mozilla does not and will not support DSA keys
- Mozilla does not currently support ECC curve P-521
~~


Proposal B:
~~
8. We consider the following algorithms and key sizes to be acceptable and supported in Mozilla products:
- ECDSA using the P-256 curve and SHA-256.
- ECDSA using the P-384 curve and SHA-384.
- RSA using a 2048-bit or larger modulus, using SHA-256, SHA-384, or SHA-512.
~~

I believe that both proposals say basically the same thing.

Proposal A might not be a good idea if the BRs are ever updated to add key sizes or algorithms that Mozilla does not actually support. But updating the BRs does require a vote in the CA/Browser Forum, so I think it's safe to assume that Mozilla would be involved in any such changes.

I think Proposal A is easier to maintain.

I think Proposal B is easier to read and understand.

Proposal B will have to be updated every time something changes.


So, at this point I vote for Proposal A.

What do you all think?

Kathleen



_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy