Hello,

Section 5.1 of the Mozilla Root Store Policy (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/) specifies the allowed set of key and signature algorithms for roots and certificates that chain to roots in the Mozilla Root Store. Specifically, the following hash algorithms and ECDSA hash/curve pairs are allowed:

• Digest algorithms: SHA-1 (see below), SHA-256, SHA-384, or SHA-512.
• P-256 with SHA-256
• P-384 with SHA-384

Given this, if an End-Entity certificate were signed using a subordinate CA's P-384 key with ecdsa-with-SHA512 as the signature algorithm (which would be reflected in the End-Entity certificate's signatureAlgorithm field), would this violate Mozilla policy?

As I understand it, an ECDSA signing operation with a P-384 key using SHA-512 would be equivalent to using SHA-384 (due to the truncation that occurs), so I am unsure if this would violate the specification above (although the signatureAlgorithm field value would be misleading). I believe the same situation exists if a P-256 key is used for a signing operation with SHA-384.

Any insight into whether this is allowed or prohibited would be appreciated.

Thanks,
Corey

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
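The truncation the question describes, as an added example that is not part of the original post or of Mozilla's policy text: a small pure-Python ECDSA over P-384 (domain parameters copied from FIPS 186-4; the sub-CA key and the TBS bytes are constructed) applying the FIPS 186-4 rule of keeping only the leftmost bitlen(n) bits of the hash. It shows that a P-384 signature made with SHA-512 signs the top 384 bits of the SHA-512 digest, which are not the SHA-384 digest, so a verifier has to use the hash named in signatureAlgorithm.

```python
import hashlib, secrets
# NIST P-384 domain parameters (FIPS 186-4 D.1.2.4), copied from the published values.
P = 2**384 - 2**128 - 2**96 + 2**32 - 1
A = P - 3
B = 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef
N = 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
G = (0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7,
     0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f)

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add scalar multiplication (toy: not constant-time)
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def bits2int(digest):  # FIPS 186-4 6.4: use only the leftmost bitlen(n) bits of the hash
    e = int.from_bytes(digest, "big")
    return e >> max(0, len(digest) * 8 - N.bit_length())

def sign(d, digest):
    k = 1 + secrets.randbelow(N - 1)  # fresh random nonce for this demo (RFC 6979 not used)
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (bits2int(digest) + r * d) % N

def verify(Q, digest, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = add(mul(bits2int(digest) * w % N, G), mul(r * w % N, Q))
    return pt is not None and pt[0] % N == r

def demo(tbs=b"constructed TBSCertificate bytes"):
    Q = mul(d := 1 + secrets.randbelow(N - 1), G)  # constructed sub-CA P-384 key pair
    h512, h384 = hashlib.sha512(tbs).digest(), hashlib.sha384(tbs).digest()
    sig = sign(d, h512)  # ecdsa-with-SHA512 over a P-384 key: only the top 384 hash bits enter
    return bits2int(h512) == bits2int(h384), verify(Q, h512, sig), verify(Q, h384, sig)
```

The three booleans returned by demo() are: whether the truncated SHA-512 value equals the SHA-384 digest, whether the signature verifies under ecdsa-with-SHA512, and whether it verifies under ecdsa-with-SHA384.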