Re: Clarification request: ECC subCAs under RSA Root

2021-03-11 Thread pfuen...--- via dev-security-policy
OK. Thanks for your answers. In summary, my understanding is that we can ignore that illustrative control of the Webtrust Criteria and that the community is cool with these subordinations of CAs with stronger keys (same or different algorithm). Best, Pedro

Re: Clarification request: ECC subCAs under RSA Root

2021-03-10 Thread pfuen...--- via dev-security-policy
> My understanding is that neither the BRs or any Root Program require that
> that subordinate CA key be weaker or equal in strength to the issuing CA's
> key.
>
> Additionally, such a requirement would prohibit cross-signs where a "legacy"
> root with a smaller key size would certify a new

Clarification request: ECC subCAs under RSA Root

2021-03-10 Thread pfuen...--- via dev-security-policy
Hello all, I'd have an open question about the possibility (from a compliance standpoint) of having an ECC 256 subordinate under an RSA 2048 Root. If I look at the WebTrust criteria, I can see this: 4.1.3 CA key generation generates keys that: a) use a key generation algorithm as disclosed

Re: Mozilla's Response to Camerfirma's Compliance Issues

2021-01-26 Thread pfuen...--- via dev-security-policy
In my personal opinion, given that most of the actions for the remediation plan are expected to be completed during the first quarter of 2021, if the community considers that the plan adequately prevents further issues, it would be reasonable to establish a deadline to take such a decision

Re: Mandatory reasonCode analysis

2020-10-01 Thread pfuen...--- via dev-security-policy
Hello, as we are in the "list of shame" and as a way to ensure we are following these discussions, I'd like to say that the OISTE CA that is referenced here (it's an old intermediate CA expiring in December 2020, and its CRL contains some unspecified revocations for Issuing CAs from 2015 and