On 16/12/16 15:18, Gervase Markham wrote:
> Nevertheless, we should update our policy to also use this text, because
> our policy also covers email certificates. We discussed this at the All
> Hands recently and we did not think that there were any compelling
> reasons to provide exemptions to this requirement for particular classes
> of certificate (intermediate, CA-generated, particular crypto
> algorithms, etc.) We feel it is simplest and safest to require it
> everywhere.

Resolved using the following text:

- all new certificates must have a serial number greater than zero (0)
  containing at least 64 bits of output from a CSPRNG.

Gerv
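
One way to generate a serial number that meets the resolved text, as an added example that is not part of the original message or of Mozilla's policy. The function names are hypothetical, and the 20-octet ceiling is taken from RFC 5280, not from the message.

```python
import secrets

MAX_SERIAL_OCTETS = 20  # RFC 5280 sec. 4.1.2.2 limit (assumption: not stated in the message)
MIN_RANDOM_BITS = 64    # from the policy text above


def der_integer_content(n: int) -> bytes:
    """Content octets of the DER INTEGER that encodes a non-negative n."""
    if n < 0:
        raise ValueError("serial numbers are never negative")
    # Minimal two's complement: one extra octet when the top bit would be set.
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def new_serial(random_bits: int = MIN_RANDOM_BITS, rng=secrets.randbits) -> int:
    """Serial > 0 that carries `random_bits` bits of CSPRNG output.

    A fixed 1 bit sits above the random bits, so the value is never zero and
    no random bit is spent on keeping the INTEGER positive.
    """
    if random_bits < MIN_RANDOM_BITS:
        raise ValueError("policy requires at least 64 bits from a CSPRNG")
    serial = (1 << random_bits) | rng(random_bits)
    if len(der_integer_content(serial)) > MAX_SERIAL_OCTETS:
        raise ValueError("encoded serial would exceed 20 octets")
    return serial


def clamped_serial(rng=secrets.randbits) -> int:
    """Anti-pattern: 64 random bits squeezed into a positive 8-octet INTEGER.

    Clearing the sign bit discards one random bit (63 remain), and the
    result can be zero.
    """
    return rng(64) & 0x7FFF_FFFF_FFFF_FFFF


def shape_ok(serial: int) -> bool:
    """Checks only what a single value can show: > 0 and at most 20 octets.

    Whether 64 bits came from a CSPRNG is a property of the generator and
    cannot be confirmed by inspecting one serial.
    """
    return serial > 0 and len(der_integer_content(serial)) <= MAX_SERIAL_OCTETS


if __name__ == "__main__":
    s = new_serial()
    print(hex(s), len(der_integer_content(s)), "octets", shape_ok(s))
```

With the default 64 random bits the serial encodes to 9 content octets; the `rng` parameter exists only so the behaviour can be exercised with a deterministic source.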