Thanks, Ryan
I'll work on incorporating your suggestions into the draft we're working on.
Ben
On Wed, Mar 10, 2021 at 9:10 AM Ryan Sleevi wrote:
>
>
> On Mon, Mar 8, 2021 at 7:08 PM Ben Wilson via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> #139 resolved - Audits
All,
This is to announce the beginning of the public discussion phase of the
Mozilla root CA inclusion process for the ANF Secure Server Root CA. See
https://wiki.mozilla.org/CA/Application_Process#Process_Overview, (Steps 4
through 9).
The ANF Secure Server Root CA is operated by ANF AC, a
I know where this kind of requirement is coming from ... it's a common
requirement in key management systems, but they generally operate in worlds
that are completely different from the Web PKI. Even there, it often causes
more problems than it solves. I've spent more of my life dealing with the
On Mon, Mar 8, 2021 at 7:08 PM Ben Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> #139 resolved - Audits are required even if no longer issuing, until CA
> certificate is revoked, expired, or removed.
>
> See
>
>
I agree with Corey that this is problematic, and wouldn't even call it a
best practice/good practice.
I appreciate the goal in the abstract - which is to say, don't do more work
than necessary (e.g. having an RSA-4096 signed by RSA-2048 is wasting
cycles *if* there's no other reason for it), but
> My understanding is that neither the BRs or any Root Program require that
> that subordinate CA key be weaker or equal in strength to the issuing CA's
> key.
>
> Additionally, such a requirement would prohibit cross-signs where a "legacy"
> root with a smaller key size would certify a new
My understanding is that neither the BRs or any Root Program require that that
subordinate CA key be weaker or equal in strength to the issuing CA's key.
Additionally, such a requirement would prohibit cross-signs where a "legacy"
root with a smaller key size would certify a new root CA with a
Hello all,
I'd have an open question about the possibility (from a compliance standpoint)
of having an ECC 256 subordinate under an RSA 2048 Root.
If I look at the WebTrust criteria, I can see this:
4.1.3 CA key generation generates keys that:
a) use a key generation algorithm as disclosed
8 matches
Mail list logo