Thanks for raising this, Wayne. As mentioned on the issue, this heavily overlaps with the RSA combinations - and, of course, Mozilla policy being more strict than the BRs in forbidding DSA.
Given that CAs have struggled with the relevant encodings, both for the signatureAlgorithm and the subjectPublicKeyInfo field, I’m curious if you’d be open to instead enumerating the allowed (canonical) encodings for both. This would address open Mozilla Problematic Practices as well - namely, the encoding of NULL parameters with respect to certain signature algorithms.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
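An added example (not part of the message, and not Mozilla's policy text) of the enumerate-the-canonical-encodings approach the message proposes: a minimal DER parser for AlgorithmIdentifier plus a byte-exact allowlist, so an RSA identifier with the NULL parameters omitted is rejected with a reason rather than silently accepted. The allowlist contents and the sample inputs are constructed for illustration.

```python
from typing import Optional, Tuple

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for a short-form DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form length not expected in an AlgorithmIdentifier")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def _decode_oid(value: bytes) -> str:
    """Decode DER OID content bytes into dotted form, e.g. 1.2.840.113549.1.1.11."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def parse_algorithm_identifier(der: bytes) -> Tuple[str, Optional[bytes]]:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("first element is not an OID")
    return _decode_oid(oid), (body[pos:] if pos < len(body) else None)

# Constructed allowlist of canonical encodings (illustrative, not policy text):
# PKCS#1 v1.5 RSA identifiers carry an explicit NULL (05 00), ECDSA ones carry nothing.
CANONICAL = {
    "sha256WithRSAEncryption": bytes.fromhex("300d06092a864886f70d01010b0500"),
    "rsaEncryption (SPKI)": bytes.fromhex("300d06092a864886f70d0101010500"),
    "ecdsa-with-SHA256": bytes.fromhex("300a06082a8648ce3d040302"),
}

def check_encoding(der: bytes) -> Tuple[bool, str]:
    """Accept only byte-exact canonical encodings and explain any rejection."""
    for name, canon in CANONICAL.items():
        if der == canon:
            return True, f"canonical {name}"
    oid, params = parse_algorithm_identifier(der)
    if any(parse_algorithm_identifier(c)[0] == oid for c in CANONICAL.values()):
        return False, f"{oid}: parameters {params!r} differ from the canonical encoding"
    return False, f"{oid}: algorithm not in the allowlist"
```

Feeding `check_encoding(bytes.fromhex("300b06092a864886f70d01010b"))` (sha256WithRSAEncryption with the NULL dropped) returns a rejection naming the OID and the missing parameters, while the DSA identifier `2.16.840.1.101.3.4.3.2` is rejected as outside the allowlist.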