Checking this again I see that I'm probably wrong about Webtrust... Looking at 4.1.3-b:
4.1.3 CA key generation generates keys that:
a) use a key generation algorithm as disclosed within the CA's CP and/or CPS;
b) have a key length that is appropriate for the algorithm and for the validity period of the CA certificate as disclosed in the CA's CP and/or CPS. The public key length to be certified by a CA is less than or equal to that of the CA's private signing key; and
c) take into account requirements on parent and subordinate CA key sizes and have a key size in accordance with the CA's CP and/or CPS.

So this is about CA keys... Although it is a bit weird that there's such a requirement for intermediate and not for leaf certificates...

On Thursday, January 10, 2019, 18:44:51 (UTC+3), Doug Beattie wrote:
> Jason - where did you see this requirement?
>
> -----Original Message-----
> From: dev-security-policy <[email protected]> On
> Behalf Of Jason via dev-security-policy
> Sent: Thursday, January 10, 2019 9:38 AM
> To: [email protected]
> Subject: Re: P-521 Certificates
>
> I would say that the problem here would be that a child certificate can't
> use a higher cryptography level than the issuer, this is against good
> practices and, AFAIK, against the Webtrust audit criteria.
> Jason
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
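An added example, not part of Jason's or Doug's messages and not code from any CA or audit body: a small Python lint that applies the "child key not stronger than the issuer key" comparison along a certificate chain. Because the quoted criterion speaks of "key length" but RSA moduli and EC field sizes are not directly comparable, the check maps each key to its NIST SP 800-57 Part 1 comparable security strength first; that mapping, the `KeyInfo` class, the `check_chain` function and the sample chain (a P-521 leaf under a P-384 hierarchy, matching the thread's subject) are all constructed for this example. It checks every link including the leaf, which goes further than the quoted criterion, which as written covers CA keys only.

```python
# Added example (not from the thread): lint a certificate chain for the
# "child key not stronger than issuer key" property discussed above.
# Assumption: keys are compared by NIST SP 800-57 Part 1 security strength
# rather than raw bit length, since RSA and EC lengths are not comparable.

from dataclasses import dataclass
from typing import List

# NIST SP 800-57 Part 1 Rev. 5, Table 2: minimum key size -> bits of security.
RSA_STRENGTH = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]
EC_STRENGTH = [(160, 80), (224, 112), (256, 128), (384, 192), (512, 256)]


@dataclass(frozen=True)
class KeyInfo:
    """Constructed descriptor of one certificate's public key."""
    subject: str
    algorithm: str  # "RSA" or "EC"
    bits: int       # modulus size for RSA, field size for EC (P-521 -> 521)


def security_strength(key: KeyInfo) -> int:
    """Return the security strength in bits, rounding down to the largest
    table entry the key size meets (e.g. RSA-4096 -> 128, P-521 -> 256)."""
    table = {"RSA": RSA_STRENGTH, "EC": EC_STRENGTH}[key.algorithm.upper()]
    strength = 0
    for min_bits, bits_of_security in table:
        if key.bits >= min_bits:
            strength = bits_of_security
    if strength == 0:
        raise ValueError(f"{key.subject}: {key.algorithm}-{key.bits} is below any listed strength")
    return strength


def check_chain(chain: List[KeyInfo]) -> List[str]:
    """chain is ordered root first, leaf last. Returns one finding per
    certificate whose key is stronger than the key that certifies it."""
    findings = []
    for issuer, child in zip(chain, chain[1:]):
        issuer_strength = security_strength(issuer)
        child_strength = security_strength(child)
        if child_strength > issuer_strength:
            findings.append(
                f"{child.subject} ({child.algorithm}-{child.bits}, {child_strength}-bit strength) "
                f"is stronger than its issuer {issuer.subject} "
                f"({issuer.algorithm}-{issuer.bits}, {issuer_strength}-bit strength)"
            )
    return findings


# Constructed sample chain: a P-521 leaf issued under a P-384 hierarchy.
SAMPLE_CHAIN = [
    KeyInfo("Example Root CA", "EC", 384),
    KeyInfo("Example Issuing CA", "EC", 384),
    KeyInfo("www.example.test", "EC", 521),
]

if __name__ == "__main__":
    for line in check_chain(SAMPLE_CHAIN) or ["chain OK: no key stronger than its issuer"]:
        print(line)
```

Run as a script it reports the P-521 leaf as stronger than its P-384 issuer; feeding it a chain where the leaf is P-256 produces no findings. Because the comparison is by security strength, it also flags an RSA-4096 root certifying a P-384 intermediate (128 vs 192 bits), a case a raw length comparison would miss.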

