On Fri, Nov 8, 2019 at 12:06 PM Ryan Sleevi <r...@sleevi.com> wrote:

> On Fri, Nov 8, 2019 at 1:54 PM Wayne Thayer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>> A few more questions have come up about this change:
>> * Since mozilla::pkix doesn't currently support the RSA-PSS encodings, why
>> would we include them in our policy?
> They were included for completeness sake, as neither Mozilla Policy nor
> the BRs presently forbid them.
> I'm much in favor of not permitting them, but since the current
> restriction on RSA keys does not restrict the signature algorithms used, we
> wanted to make sure the combinations were suitable.

I understand the point that including the RSA-PSS encodings does not change
the literal meaning of the current policy, but it does imply that Mozilla
supports these encodings when in fact NSS does not. We could resolve this
by removing the RSA-PSS encodings or by adding a note stating that Firefox
doesn't currently support them. I prefer adding the note, since Firefox
could add support [1] for RSA-PSS much more quickly that this policy is
typically updated. I propose the following:

Note: as of version 70, RSASSA-PSS encodings are not supported by Firefox.
(with a link to [1])

- Wayne

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1088140
dev-security-policy mailing list

Reply via email to