On 24/01/17 16:26, Richard Barnes wrote:
My gut reaction is 0+1, maybe 2.
- The CAB Forum should specify the overall envelope of what is acceptable
in the Web PKI
- Firefox will enforce restrictions that are mores strict than the BRs
requirements
The BRs say that SHA-1 has been unacceptable in the Web PKI since Jan
1st 2017. Firefox did not enforce that deadline, but instead set a
later deadline. I'd call that *less* strict than the BRs. Wouldn't you?
EdDSA certificate signatures will be with us soon. Is it conceivable
that Mozilla might want to ship and enable EdDSA certificate signature
code before the BRs have been updated to declare that EdDSA is
acceptable in the Web PKI? If so, then that would also be *less* strict
than the BRs.
If we do (2), then this will just be a three level hierarchy, with BRs <
Mozilla Policy < Firefox.
On Tue, Jan 24, 2017 at 10:30 AM, Gervase Markham <[email protected]> wrote:
A discussion inspired by
https://github.com/mozilla/pkipolicy/issues/5
Should Mozilla's root store policy contain any list of approved and/or
disapproved algorithms/key sizes, or not? Possible positions include at
least:
0) No; what algorithms and/or key sizes are supported by Firefox and/or
NSS is a decision for the hackers on those projects. There's no need for
a separate policy about it.
1) No; the Baseline Requirements, section 6.1.5, specify a set of
algorithms and key sizes:
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.2.pdf .
If Mozilla's list is the same, there is no point; if it's different, you
just end up with the intersection.
2) Yes; we should have a list of banned algorithms and/or key sizes
which are weak and therefore dangerous for the web PKI, so we can use
the power of the policy to force them out of the system. But if an
algorithm or key size is not actively dangerous, anything else should be
permitted.
3) Yes; there are advantages such as interoperability (what else?) to
Mozilla using the power of the policy to define what algorithms and/or
key sizes are acceptable in the Web PKI; as long as we keep the list
under review, this is a good thing.
Thoughts?
Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
sender by replying to the e-mail containing this attachment. Replies to
this email may be monitored by COMODO for operational or business
reasons. Whilst every endeavour is taken to ensure that e-mails are free
from viruses, no liability can be accepted and the recipient is
requested to use their own virus checking software.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
