A discussion inspired by https://github.com/mozilla/pkipolicy/issues/5
Should Mozilla's root store policy contain any list of approved and/or disapproved algorithms/key sizes, or not? Possible positions include at least:

0) No; what algorithms and/or key sizes are supported by Firefox and/or NSS is a decision for the hackers on those projects. There's no need for a separate policy about it.

1) No; the Baseline Requirements, section 6.1.5, specify a set of algorithms and key sizes: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.2.pdf . If Mozilla's list is the same, there is no point; if it's different, you just end up with the intersection.

2) Yes; we should have a list of banned algorithms and/or key sizes which are weak and therefore dangerous for the web PKI, so we can use the power of the policy to force them out of the system. But if an algorithm or key size is not actively dangerous, anything else should be permitted.

3) Yes; there are advantages such as interoperability (what else?) to Mozilla using the power of the policy to define what algorithms and/or key sizes are acceptable in the Web PKI; as long as we keep the list under review, this is a good thing.

Thoughts?

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

