> On Aug 3, 2017, at 04:47, Inigo Barreira via dev-security-policy 
> <[email protected]> wrote:
> 
> Those which are not revoked are due to the use of different curves (P-384,
> P-521) that have been discussed in the Mozilla m.d.s.p as well as the CAB
> Forum and there's no conclusion yet, but in any case we're not allowing
> their use anymore. There are curves allowed in the BRs that Mozilla does not
> include.
> 
> 2. Other un-revoked certificates have the same error “ERROR: Unallowed key
> usage for EC public key (Key Encipherment)”
> https://crt.sh/?opt=cablint&id=153404034
> https://crt.sh/?opt=cablint&id=160150786
> https://crt.sh/?opt=cablint&id=149445010
> https://crt.sh/?opt=cablint&id=150133570

Let’s break this down, as you have confused a few issues with this subset of 
the misissued certificates. Two certificates were issued with P-521 ECDSA keys, 
which is not allowed by Mozilla policy (note that P-384 keys are allowed):

- https://crt.sh/?q=87304EBF0F9391B8FFF7C8ED8D567F0340BCBAA6741972C030364DE5618C6757
- https://crt.sh/?q=962C955ABC03FC00F514EA41B2838D85826CA7CAA419A85EC186F1646AD5C9B5

Thirteen certificates (including the two P-521 certificates) were issued with 
the keyEncipherment bit set in the keyUsage extension (this is the message you 
mentioned above) which is not allowed (RFC 3279 section 2.3.5, incorporated by 
reference by RFC 5280 section 4.2.1.3, incorporated by reference by Baseline 
Requirements section 7.1.2.4).

One certificate linked above was issued without the key parameters field set, 
which is not allowed (RFC 3279 section 2.3.1, incorporated by reference by RFC 
5280 section 4.1.2.7, incorporated by reference by Baseline Requirements 
section 7.1.2.4):

- https://crt.sh/?opt=cablint&q=160150786

Hopefully this clarifies any misunderstandings around the problems with these 
specific certificates.

Jonathan
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

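As an added example (not code from this thread, from crt.sh or from cablint), here is a small standard-library Python linter that reproduces the three checks Jonathan lists: an EC SubjectPublicKeyInfo whose AlgorithmIdentifier has no namedCurve parameters, a curve outside the set Mozilla policy allows (P-256 and P-384), and a keyUsage extension that asserts keyEncipherment (or dataEncipherment, which RFC 3279 section 2.3.5 forbids for EC keys in the same sentence). It parses the DER directly so it needs no third-party module. The OID constants are the real RFC 5480 values; the DER builders, the placeholder public-key bytes (not a valid curve point) and the sample inputs are constructed for this example.

```python
"""Lint the three EC-key defects discussed above, straight from DER (added example)."""

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey (RFC 5480)
SECP256R1 = "1.2.840.10045.3.1.7"        # P-256
SECP384R1 = "1.3.132.0.34"               # P-384
SECP521R1 = "1.3.132.0.35"               # P-521
MOZILLA_ALLOWED_CURVES = {SECP256R1, SECP384R1}   # Mozilla policy permits P-256 and P-384 only

# keyUsage bit positions (RFC 5280 s4.2.1.3); bit 0 is the MSB of the first content byte
KU_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
            "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]


def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split the content of a constructed value into its (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, inner, pos = der_read(content, pos)
        out.append((tag, inner))
    return out


def oid_to_str(content):
    """Decode OBJECT IDENTIFIER content (first arc 0 or 1, which covers every OID used here)."""
    arcs, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def decode_key_usage(ku_der):
    """Return the set of keyUsage names asserted in a DER-encoded BIT STRING."""
    tag, content, _ = der_read(ku_der)
    if tag != 0x03:
        raise ValueError("keyUsage must be a BIT STRING")
    unused, body = content[0], content[1:]
    bits, total = int.from_bytes(body, "big"), 8 * len(body) - unused
    return {KU_NAMES[i] for i in range(min(total, len(KU_NAMES)))
            if (bits >> (8 * len(body) - 1 - i)) & 1}


def lint_ec_spki(spki_der):
    """Check a SubjectPublicKeyInfo: namedCurve parameters present, and a curve Mozilla allows."""
    _, spki, _ = der_read(spki_der)
    alg_parts = der_children(der_children(spki)[0][1])   # AlgorithmIdentifier: OID, parameters
    if oid_to_str(alg_parts[0][1]) != ID_EC_PUBLIC_KEY:
        return []                                        # not an EC key: nothing to lint here
    if len(alg_parts) < 2:
        return ["EC public key has no parameters (namedCurve required)"]
    if alg_parts[1][0] != 0x06:
        return ["EC parameters are not a namedCurve OID (RFC 5480 s2.1.1)"]
    curve = oid_to_str(alg_parts[1][1])
    return [] if curve in MOZILLA_ALLOWED_CURVES else [f"curve {curve} not permitted by Mozilla policy"]


def lint_ec_key_usage(ku_der):
    """RFC 3279 s2.3.5: an EC key's keyUsage must not assert keyEncipherment or dataEncipherment."""
    bad = decode_key_usage(ku_der) & {"keyEncipherment", "dataEncipherment"}
    return [f"Unallowed key usage for EC public key ({name})" for name in sorted(bad)]


def lint_ec_cert_fields(spki_der, ku_der):
    """Both checks for one certificate's SPKI and keyUsage extension value."""
    return lint_ec_spki(spki_der) + lint_ec_key_usage(ku_der)


# --- constructed inputs: builders exist only for this example; the point bytes are a placeholder
def der_tlv(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                            # base-128 with continuation bits, most significant first
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def ec_spki(curve_oid=SECP256R1, with_params=True):
    params = oid_encode(curve_oid) if with_params else b""
    alg_id = der_tlv(0x30, oid_encode(ID_EC_PUBLIC_KEY) + params)
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00\x04" + b"\x11" * 64))


def key_usage(*names):
    """keyUsage BIT STRING with trailing zero bits dropped, as DER requires."""
    mask = 0
    for n in names:
        mask |= 1 << (15 - KU_NAMES.index(n))
    if not mask:
        return der_tlv(0x03, b"\x00")
    width = 16 - ((mask & -mask).bit_length() - 1)      # bits up to and including the last set one
    nbytes = (width + 7) // 8
    body = (mask >> (16 - 8 * nbytes)).to_bytes(nbytes, "big")
    return der_tlv(0x03, bytes([8 * nbytes - width]) + body)


if __name__ == "__main__":
    cases = {
        "P-384, digitalSignature": (ec_spki(SECP384R1), key_usage("digitalSignature")),
        "P-521, keyEncipherment": (ec_spki(SECP521R1), key_usage("digitalSignature", "keyEncipherment")),
        "no parameters": (ec_spki(with_params=False), key_usage("digitalSignature")),
    }
    for label, (spki, ku) in cases.items():
        print(label, "->", lint_ec_cert_fields(spki, ku) or "ok")
```

To run it against a real certificate, hand `lint_ec_spki` the DER of the tbsCertificate's subjectPublicKeyInfo and `lint_ec_key_usage` the extnValue OCTET STRING contents of the keyUsage extension (OID 2.5.29.15); the curve check is a Mozilla-policy check, while the parameters and keyUsage checks are RFC 3279/5480 requirements that apply to every EC certificate.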