We want to update the permitted algorithms and key sizes list. After
discussion in this group, it seems like an explicit list (as opposed to
referencing the BRs, or a delta from the BRs) is preferred.

So, a replacement for Maintenance Policy section, bullet 6:

We consider the following algorithms and key sizes to be acceptable in
root certificates in our root program, and in any certificate which
chains up to them:

* RSA keys whose modulus size in bits is divisible by 8, and is at
  least 2048.
* ECDSA keys using one of the following curve-hash pairs:
  - P‐256 with SHA-256
  - P‐384 with SHA-384
* Digest algorithms: SHA-256, SHA-384, or SHA-512.


Note that the SHA-1 text, if approved, would also go in this section.

This is: https://github.com/mozilla/pkipolicy/issues/5

-------

This is a proposed update to Mozilla's root store policy for version
2.4. Please keep discussion in this group rather than on Github. Silence
is consent.

Policy 2.3 (current version):
https://github.com/mozilla/pkipolicy/blob/2.3/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to