On 16/12/16 15:18, Gervase Markham wrote:
> Nevertheless, we should update our policy to also use this text, because
> our policy also covers email certificates. We discussed this at the All
> Hands recently and we did not think that there were any compelling
> reasons to provide exemptions to this requirement for particular classes
> of certificate (intermediate, CA-generated, particular crypto
> algorithms, etc.) We feel it is simplest and safest to require it
> everywhere.

Resolved using the following text:

    -   all new certificates must have a serial number greater than zero
        (0) containing at least 64 bits of output from a CSPRNG.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
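
An added example, not part of the original message or of Mozilla's policy: one way to generate a serial number that satisfies the resolved text, and to encode it as a DER INTEGER. The function names, the 128-bit default and the masked variant shown for contrast are assumptions of this example.

```python
import secrets

MAX_DER_OCTETS = 20  # RFC 5280 4.1.2.2: serialNumber is at most 20 octets


def serial_from_random(rand: bytes) -> int:
    """Use CSPRNG output as an unsigned integer, keeping every random bit."""
    if len(rand) < 8:
        raise ValueError("need at least 64 bits of CSPRNG output")
    return int.from_bytes(rand, "big")


def der_content(serial: int) -> bytes:
    """Content octets of the DER INTEGER that carries a positive serial."""
    if serial <= 0:
        raise ValueError("serial must be greater than zero")
    # DER INTEGER is signed: a value whose top bit is set needs a leading 0x00.
    out = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    if len(out) > MAX_DER_OCTETS:
        raise ValueError("serial does not fit in 20 octets")
    return out


def new_serial(nbytes: int = 16, source=secrets.token_bytes) -> int:
    """Draw nbytes from the CSPRNG; redraw in the (negligible) all-zero case."""
    while True:
        serial = serial_from_random(source(nbytes))
        if serial > 0:
            return serial


def masked_serial(rand: bytes) -> int:
    """Contrast case: clearing the top bit to avoid the 0x00 pad drops a bit,
    so 8 bytes of CSPRNG output yield only 63 random bits in the serial."""
    return int.from_bytes(rand, "big") & ((1 << (8 * len(rand) - 1)) - 1)


if __name__ == "__main__":
    s = new_serial()
    print(f"serial = {s:#x} ({len(der_content(s))} DER content octets)")
```

Drawing more than the 64-bit minimum (16 bytes here) keeps the serial compliant even if an encoder later clears the sign bit.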