Re: Synopsis of Proposed Changes to MRSP v. 2.7.1

2021-03-10 Thread Ben Wilson via dev-security-policy
Thanks, Ryan

I'll work on incorporating your suggestions into the draft we're working on.

Ben

On Wed, Mar 10, 2021 at 9:10 AM Ryan Sleevi wrote:
> On Mon, Mar 8, 2021 at 7:08 PM Ben Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
>> #139 resolved - Audits

Public Discussion re: Inclusion of the ANF Secure Server Root CA

2021-03-10 Thread Ben Wilson via dev-security-policy
All, This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process for the ANF Secure Server Root CA. See https://wiki.mozilla.org/CA/Application_Process#Process_Overview, (Steps 4 through 9). The ANF Secure Server Root CA is operated by ANF AC, a

RE: Clarification request: ECC subCAs under RSA Root

2021-03-10 Thread Tim Hollebeek via dev-security-policy
I know where this kind of requirement is coming from ... it's a common requirement in key management systems, but they generally operate in worlds that are completely different from the Web PKI. Even there, it often causes more problems than it solves. I've spent more of my life dealing with the

Re: Synopsis of Proposed Changes to MRSP v. 2.7.1

2021-03-10 Thread Ryan Sleevi via dev-security-policy
On Mon, Mar 8, 2021 at 7:08 PM Ben Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> #139 resolved - Audits are required even if no longer issuing, until CA certificate is revoked, expired, or removed.
>
> See

Re: Clarification request: ECC subCAs under RSA Root

2021-03-10 Thread Ryan Sleevi via dev-security-policy
I agree with Corey that this is problematic, and wouldn't even call it a best practice/good practice. I appreciate the goal in the abstract - which is to say, don't do more work than necessary (e.g. having an RSA-4096 signed by RSA-2048 is wasting cycles *if* there's no other reason for it), but

Re: Clarification request: ECC subCAs under RSA Root

2021-03-10 Thread pfuen...--- via dev-security-policy
> My understanding is that neither the BRs or any Root Program require that that subordinate CA key be weaker or equal in strength to the issuing CA's key.
>
> Additionally, such a requirement would prohibit cross-signs where a "legacy" root with a smaller key size would certify a new

RE: Clarification request: ECC subCAs under RSA Root

2021-03-10 Thread Corey Bonnell via dev-security-policy
My understanding is that neither the BRs or any Root Program require that that subordinate CA key be weaker or equal in strength to the issuing CA's key. Additionally, such a requirement would prohibit cross-signs where a "legacy" root with a smaller key size would certify a new root CA with a

Clarification request: ECC subCAs under RSA Root

2021-03-10 Thread pfuen...--- via dev-security-policy
Hello all, I'd have an open question about the possibility (from a compliance standpoint) of having an ECC 256 subordinate under an RSA 2048 Root. If I look at the WebTrust criteria, I can see this: 4.1.3 CA key generation generates keys that: a) use a key generation algorithm as disclosed