The next two topics to discuss [1] have to do with section 8 of
Mozilla’s CA Certificate Maintenance Policy.
The proposals are:
- (D15) Deprecate SHA-1 Hash Algorithms in certs.
and
- (D4) In item #8 of the Maintenance Policy recommend that CAs avoid
SHA-512 and P-521, especially in their CA certificates. This is to
ensure interoperability, as SHA-512 and (especially) P-521 are less
well-supported than the other algorithms. (Note: On the page you linked
to, P-521 is incorrectly spelled "P-512".)
-- Not sure if we should make this change...
Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1129083 was filed to
remove support for certs signed using SHA-512-based signatures, but it
was closed as invalid, and SHA-512 support was fixed via
https://bugzilla.mozilla.org/show_bug.cgi?id=1155932
Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1129077 was filed to
remove support for certs that use the P-521 curve. But this is still up
for discussion.
So, do we really want to add a comment to Mozilla's policy about limited
support for SHA-512 and P-521?
Here's what Mozilla's policy currently says:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/
~~
8. We consider the following algorithms and key sizes to be acceptable
and supported in Mozilla products:
- SHA-1 (until a practical collision attack against SHA-1 certificates
is imminent);
- SHA-256, SHA-384, SHA-512;
- Elliptic Curve Digital Signature Algorithm (using ANSI X9.62) over
SECG and NIST named curves P-256, P-384, and P-512;
- RSA 2048 bits or higher; and
- RSA 1024 bits (only until December 31, 2013).
~~
I recommend that we change it to the following:
~~
8. We consider the following algorithms and key sizes to be acceptable
and supported in Mozilla products:
- SHA-256, SHA-384, SHA-512;
- Elliptic Curve Digital Signature Algorithm (using ANSI X9.62) over
SECG and NIST named curves P-256, P-384, and P-521; and
- RSA 2048 bits or higher.
~~
Another option is to delete this section from Mozilla's policy, because
it is covered by the Baseline Requirements. However, the Baseline
Requirements allows for DSA, which Mozilla does not support.
The “Key Sizes” section of the Baseline Requirements allows for:
SHA‐256, SHA‐384 or SHA‐512
NIST P‐256, P‐384, or P‐521
DSA L= 2048, N= 224 or L= 2048, N= 256
As always, I will appreciate your thoughtful and constructive input into
this discussion.
Kathleen
[1]
https://wiki.mozilla.org/CA:CertificatePolicyV2.3#Proposed_Changes_That_Need_To_Be_Discussed
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
