A few more questions have come up about this change:

* Since mozilla::pkix doesn't currently support the RSA-PSS encodings, why
would we include them in our policy?
* Related: would this detailed enumeration of requirements be better to
place in the BRs than in Mozilla policy?
    * In that case it wouldn't cover S/MIME certs
    * We'd still need to exclude P-521 in Mozilla policy
    * It would end up in audit criteria and perhaps engineers implementing
it would be more likely to be aware of it
    * Presumably the RSA-PSS encoding would be included in the BRs and
would then potentially need to be excluded from Mozilla policy

As always, I'll appreciate everyone's input on these questions.

- Wayne

On Wed, Oct 2, 2019 at 5:59 PM Wayne Thayer <wtha...@mozilla.com> wrote:

> Thank you Ryan. Brian reviewed these changes back in May, so I've gone
> ahead and accepted them for the 2.7 policy update:
> https://github.com/mozilla/pkipolicy/commit/5657ecf650d70fd3c6ca5062bee360fd83da9d27
>
> I'll consider this issue resolved unless there are further comments.
>
> - Wayne
>
> On Fri, May 24, 2019 at 1:38 AM Ryan Sleevi <r...@sleevi.com> wrote:
>
>>
>>
>> On Wed, May 22, 2019 at 7:43 PM Brian Smith <br...@briansmith.org> wrote:
>>
>>> Ryan Sleevi <r...@sleevi.com> wrote:
>>>
>>>>
>>>>
>>>>> It would be easier to understand if this is true if the proposed text
>>>>> cited the RFCs, like RFC 4055, that actually impose the requirements that
>>>>> result in the given encodings.
>>>>>
>>>>
>>>> Could you clarify, do you just mean adding references to each of the
>>>> example encodings (such as the above example, for the SPKI encoding)?
>>>>
>>>
>>> Exactly. That way, it is clear that the given encodings are not imposing
>>> a new requirement, and it would be clear which standard is being used to
>>> determine the correct encoding.
>>>
>>
>> Thanks, did that in
>> https://github.com/sleevi/pkipolicy/commit/80da8acded63618a058d26c73db1e2438a6df9ed
>>
>>
>>>
>>> I realize that determining the encoding from each of these cited specs
>>> would require understanding more specifications, including in particular
>>> how ASN.1 DER requires DEFAULT values to be encoded. I would advise against
>>> calling out all of these details individually lest people get confused by
>>> inevitable omissions.
>>>
>>
>> Hopefully struck the right balance. These changes are now reflected in
>> the PR at https://github.com/mozilla/pkipolicy/pull/183
>>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
