On Fri, Jan 27, 2017 at 3:47 AM, Gervase Markham <[email protected]> wrote:

> * RSA keys with a minimum modulus size of 2048 bits

Nits and niggles: Perhaps 2048, 3072, 4096?

- 8K RSA keys cause Web PKI interop problems
- RSA keys that aren't modulo 8 create interop problems

> 2) Brian has also suggested we mandate a matching of ECDSA curves with
> digest algorithms. Do we want to do that?

Yes, ideally. Jakob's reply confused the issue, but it's not ideal to see P-521 with SHA-256, for example.

> 3) Do we want to add Ed25519?

No. This was discussed at the CA/Browser Forum meeting in Seattle. Although you have RFC 8032, you're still missing the appropriate assignments relative to PKIX (which a separate draft was working on). You also have the issue that the BRs currently require that the CA's private key be stored in an appropriately protected HSM, but the specifications for the HSMs (FIPS 140-2 level 3 or CC EAL equivalent) don't allow the use of Ed25519.

> 4) Do we want to do the spec using AlgorithmIdentifiers instead of free
> text? Aren't AlgorithmIdentifiers used for something a bit different?

There's the AlgorithmIdentifier of the key, and the AlgorithmIdentifier of the signature produced with that key. For the key, you can allow something like P-256, but for the signature, you want to restrict it to P-256 with SHA-256. This is similar to identifying the key as rsaEncryption, but the signature as sha1withRSAEncryption. Which aspect were you thinking of?
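
The distinction drawn in the reply to point 4, between the key's AlgorithmIdentifier and the signature's, can be checked mechanically. The following is an added example, not part of the original message or of any Mozilla or CA/Browser Forum tooling: it decodes both DER AlgorithmIdentifiers and flags a curve/digest mismatch such as P-521 with SHA-256. The function names, the constructed DER samples, and the P-384/SHA-384 and P-521/SHA-512 rows of the `ALLOWED` table are assumptions; the message itself only names P-256 with SHA-256.

```python
def read_tlv(buf, pos):  # returns (tag, value, next_pos) for one DER TLV at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes to dotted-decimal form."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)  # first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_algorithm_identifier(der):
    """Return (algorithm OID, parameter OID or None)."""
    tag, body, _ = read_tlv(der, 0)
    otag, oid, pos = read_tlv(body, 0)
    if tag != 0x30 or otag != 0x06:
        raise ValueError("expected SEQUENCE { OID, parameters }")
    params = read_tlv(body, pos) if pos < len(body) else (None, b"", 0)
    return decode_oid(oid), decode_oid(params[1]) if params[0] == 0x06 else None

EC_PUBLIC_KEY = "1.2.840.10045.2.1"  # id-ecPublicKey
CURVES = {"1.2.840.10045.3.1.7": "P-256", "1.3.132.0.34": "P-384", "1.3.132.0.35": "P-521"}
ECDSA_SIGS = {"1.2.840.10045.4.3.2": "SHA-256", "1.2.840.10045.4.3.3": "SHA-384",
              "1.2.840.10045.4.3.4": "SHA-512"}
ALLOWED = {"P-256": "SHA-256", "P-384": "SHA-384", "P-521": "SHA-512"}  # assumed policy

def check_pairing(key_alg_der, sig_alg_der):
    """Compare the key's AlgorithmIdentifier with the signature's."""
    key_oid, curve_oid = parse_algorithm_identifier(key_alg_der)
    sig_oid, _ = parse_algorithm_identifier(sig_alg_der)
    if key_oid != EC_PUBLIC_KEY or curve_oid not in CURVES or sig_oid not in ECDSA_SIGS:
        return "reject: not a recognised ECDSA key/signature pair"
    curve, digest = CURVES[curve_oid], ECDSA_SIGS[sig_oid]
    return f"{'ok' if ALLOWED[curve] == digest else 'reject'}: {curve} with {digest}"

# Constructed DER samples (not taken from any real certificate).
P256_KEY = bytes.fromhex("301306072a8648ce3d020106082a8648ce3d030107")
P521_KEY = bytes.fromhex("301006072a8648ce3d020106052b81040023")
SIG_SHA256 = bytes.fromhex("300a06082a8648ce3d040302")
SIG_SHA512 = bytes.fromhex("300a06082a8648ce3d040304")
```
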

