Kathleen Wilson <kwil...@mozilla.com> wrote:

> Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1129083 was filed to
> remove support for certs signed using SHA-512-based signatures, but it was
> closed as invalid, and SHA-512 support was fixed via
> https://bugzilla.mozilla.org/show_bug.cgi?id=1155932


A P-256 signature cannot hold an entire SHA-384 or SHA-512 hash; the hash
will get truncated to 256 bits. Similarly, a P-384 signature cannot hold a
SHA-512 hash. While it isn't completely wrong to use a too-big hash, it is
kind of silly to do so.

> Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1129077 was filed to
> remove support for certs that use the P-521 curve. But this is still up
> for discussion.

The issue with P-521 is simply one of compatibility with the broadest set
of products. Products basically *have* to support P-256 and P-384 because
that is what CAs are already using. But, lots of products can omit (and, it
seems, are planning to omit, or already are omitting) support for P-521. Thus,
even though Mozilla's products support P-521, it is worth steering towards
the more-compatible algorithms.

Also, is NSS's P-521 implementation actually production-quality? Has it
received proper QA? Check out:
https://bugzilla.mozilla.org/show_bug.cgi?id=650338
https://bugzilla.mozilla.org/show_bug.cgi?id=536389
https://bugzilla.mozilla.org/show_bug.cgi?id=325495
https://bugzilla.mozilla.org/show_bug.cgi?id=319252

I've forgotten exactly why now, but I remember thinking that I didn't feel
good about the P-521 implementation. And, IMO, it isn't worth spending time
working on P-521 considering the amount of work that is pending for
Curve25519, P-256, P-384, and Ed448.

> I recommend that we change it to the following:
> ~~
> 8. We consider the following algorithms and key sizes to be acceptable and
> supported in Mozilla products:
> - SHA-256, SHA-384, SHA-512;
> - Elliptic Curve Digital Signature Algorithm (using ANSI X9.62) over SECG
> and NIST named curves P-256, P-384, and P-521; and
> - RSA 2048 bits or higher.
> ~~
>

I suggest:
~~
8. We consider the following algorithms and key sizes to be acceptable and
supported in Mozilla products:
- ECDSA using the P-256 curve and SHA-256.
- ECDSA using the P-384 curve and SHA-384.
- RSA using a 2048-bit or larger modulus, using SHA-256, SHA-384, or
SHA-512.
~~




> Another option is to delete this section from Mozilla's policy, because it
> is covered by the Baseline Requirements. However, the Baseline Requirements
> allows for DSA, which Mozilla does not support.
> The “Key Sizes” section of the Baseline Requirements allows for:
> SHA‐256, SHA‐384 or SHA‐512
> NIST P‐256, P‐384, or P‐521
> DSA L= 2048, N= 224 or L= 2048, N= 256
>

I suggest that Mozilla use the text I suggest above, and also propose it to
CABForum as the new CABForum language. Then, if/when CABForum adopts it,
replace the Mozilla policy text with a reference to the CABForum text in a
future version.

Cheers,
Brian
-- 
https://briansmith.org/
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
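
The digest truncation described in the message above, together with a check against the suggested section 8 pairings, as an added example that is not part of the original message or of NSS. The function names and the sample message bytes are constructed for illustration; the truncation follows the standard ECDSA rule of keeping the leftmost digest bits up to the bit length of the curve order.

```python
import hashlib

# Bit length of the group order n for each NIST curve named in the thread.
ORDER_BITS = {"P-256": 256, "P-384": 384, "P-521": 521}

# The pairings from the suggested policy text above.
PROPOSED_ECDSA = {("P-256", "sha256"), ("P-384", "sha384")}
PROPOSED_RSA_HASHES = {"sha256", "sha384", "sha512"}


def ecdsa_hash_to_int(digest: bytes, curve: str) -> int:
    """Return the integer an ECDSA signer/verifier derives from a digest.

    Standard ECDSA keeps only the leftmost bits of the digest, up to the
    bit length of the curve order, and discards the rest.
    """
    excess = len(digest) * 8 - ORDER_BITS[curve]
    z = int.from_bytes(digest, "big")
    return z >> excess if excess > 0 else z


def effective_hash_bits(hash_name: str, curve: str) -> int:
    """Number of digest bits that actually enter the signature equation."""
    return min(hashlib.new(hash_name).digest_size * 8, ORDER_BITS[curve])


def allowed_by_proposal(key_type: str, param, hash_name: str) -> bool:
    """Check a (key, hash) pairing against the suggested section 8 text.

    param is the curve name for ECDSA or the modulus size in bits for RSA.
    """
    if key_type == "ECDSA":
        return (param, hash_name) in PROPOSED_ECDSA
    if key_type == "RSA":
        return param >= 2048 and hash_name in PROPOSED_RSA_HASHES
    return False


if __name__ == "__main__":
    msg = b"constructed sample tbsCertificate bytes"
    for curve in ORDER_BITS:
        for h in ("sha256", "sha384", "sha512"):
            used = effective_hash_bits(h, curve)
            ok = allowed_by_proposal("ECDSA", curve, h)
            print(f"{curve} + {h}: {used} digest bits used, allowed={ok}")
    d = hashlib.sha512(msg).digest()
    # Zeroing the last 256 bits of the digest does not change what P-256 signs.
    print(ecdsa_hash_to_int(d, "P-256") == ecdsa_hash_to_int(d[:32] + bytes(32), "P-256"))
```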
