We want to update the permitted algorithms and key sizes list. After discussion in this group, it seems like an explicit list (as opposed to referencing the BRs, or a delta from the BRs) is preferred.
So, a replacement for Maintenance Policy section, bullet 6: We consider the following algorithms and key sizes to be acceptable in root certificates in our root program, and in any certificate which chains up to them: * RSA keys whose modulus size in bits is divisible by 8, and is at least 2048. * ECDSA keys using one of the following curve-hash pairs: - P‐256 with SHA-256 - P‐384 with SHA-384 * Digest algorithms: SHA-256, SHA-384, or SHA-512. Note that the SHA-1 text, if approved, would also go in this section. This is: https://github.com/mozilla/pkipolicy/issues/5 ------- This is a proposed update to Mozilla's root store policy for version 2.4. Please keep discussion in this group rather than on Github. Silence is consent. Policy 2.3 (current version): https://github.com/mozilla/pkipolicy/blob/2.3/rootstore/policy.md Update process: https://wiki.mozilla.org/CA:CertPolicyUpdates _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy

