On 27/01/2017 12:47, Gervase Markham wrote:
> On 25/01/17 17:55, Ryan Sleevi wrote:
>> Yes, I think it results in a clearer communication that is otherwise
>> identical, and ensures that there is community consensus on policy changes
>> :)

> Draft of new Maintenance Policy section, bullet 8:
>
> We consider the following algorithms and key sizes to be acceptable in
> root certificates in our root program, and in any certificate which
> chains up to them:
>
> * RSA keys with a minimum modulus size of 2048 bits
> * ECDSA keys using one of the named curves: P-256, P-384, or P-521
> * Digest algorithms: SHA-256, SHA-384, or SHA-512
>
> (This would then be a good place to put the final text of our SHA-1
> policy, which is being hashed out in another thread and which permits
> SHA-1 under certain specific non-server-auth circumstances.)
>
>
> Open questions:
>
> 1) Do we support P-521? Our current policy says we do, although it's
> mis-identified as P-512, but the previous discussion of this suggested
> that we don't.
>
> 2) Brian has also suggested we mandate a matching of ECDSA curves with
> digest algorithms. Do we want to do that?


DSA and ECDSA signatures are only secure if the hash algorithm is
specified in the certificate, presumably as part of the
AlgorithmIdentifier in the SubjectPublicKeyInfo.  This is because
signatures made using DSA/ECDSA do not incorporate the identity/name of
the hash algorithm in the signature in a way which prevents a signature
on e.g. "SHA-256=0123456" from being accepted as a signature on e.g.
"MD2=0123456".

> 3) Do we want to add Ed25519?
>
> 4) Do we want to do the spec using AlgorithmIdentifiers instead of free
> text? Aren't AlgorithmIdentifiers used for something a bit different?

AlgorithmIdentifiers are the precise OID-based way in which
certificates refer to signing algorithms (among others).  Historically
there were multiple competing AlgorithmIdentifiers assigned to some of
the popular algorithms (such as RSA signing with SHA1).

Thus for interoperability, it is useful to state which identifiers may
be used to refer to each of the permitted algorithm pairs (such as "RSA
PKCS#1 v1.5 signatures with SHA-256").

For some algorithms (including, again, RSA) there are usually two
different identifiers: One that refers to the public key type alone
("RSA") and one which refers to the full type of a signature ("RSA
PKCS#1 v1.5 with SHA-256").  This is typically done where there is no
security downside to using the same certificate and public key with
different hash algorithms, padding schemes etc.




Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
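As an added illustration of the AlgorithmIdentifier point made above (example code, not from the thread or from Mozilla's policy), the following Python decodes the OID out of a DER-encoded AlgorithmIdentifier and checks it against the draft bullet 8 rules, with the curve/digest pairing from open question 2 as an optional check. The OID table, the sample encodings and the `check_policy` interface are constructed here for the example.

```python
def _read_tlv(buf, pos=0):
    """Parse one DER TLV with a short-form length (always enough for an AlgorithmIdentifier)."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 0x80, "long-form DER lengths are not handled by this example"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes to dotted form, e.g. '1.2.840.10045.4.3.2'."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last base-128 byte of this arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def parse_algorithm_identifier(der):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, seq, _ = _read_tlv(der)
    assert tag == 0x30, "expected SEQUENCE"
    tag, oid, pos = _read_tlv(seq)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(oid), (seq[pos:] if pos < len(seq) else None)
# Signature-algorithm OIDs -> (key type, digest); table constructed for this example.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("RSA", "SHA-1"), "1.2.840.113549.1.1.11": ("RSA", "SHA-256"),
    "1.2.840.113549.1.1.12": ("RSA", "SHA-384"), "1.2.840.113549.1.1.13": ("RSA", "SHA-512"),
    "1.2.840.10045.4.1": ("ECDSA", "SHA-1"), "1.2.840.10045.4.3.2": ("ECDSA", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ECDSA", "SHA-384"), "1.2.840.10045.4.3.4": ("ECDSA", "SHA-512"),
}
CURVES = {"1.2.840.10045.3.1.7": "P-256", "1.3.132.0.34": "P-384", "1.3.132.0.35": "P-521"}
CURVE_DIGEST = {"P-256": "SHA-256", "P-384": "SHA-384", "P-521": "SHA-512"}  # question 2 pairing
SAMPLE_RSA_SHA256 = bytes.fromhex("300d06092a864886f70d01010b0500")  # constructed: sha256WithRSA, NULL params
SAMPLE_ECDSA_SHA256 = bytes.fromhex("300a06082a8648ce3d040302")  # constructed: ecdsa-with-SHA256

def check_policy(sig_alg_der, rsa_bits=None, curve_oid=None, match_curve_digest=False):
    """Return the list of draft-policy violations; an empty list means acceptable."""
    oid, _ = parse_algorithm_identifier(sig_alg_der)
    if oid not in SIGNATURE_OIDS:
        return [f"unknown signature algorithm {oid}"]
    key_type, digest = SIGNATURE_OIDS[oid]
    problems = [] if digest in CURVE_DIGEST.values() else [f"digest {digest} not permitted"]
    if key_type == "RSA" and (rsa_bits is None or rsa_bits < 2048):
        problems.append(f"RSA modulus {rsa_bits} < 2048 bits")
    elif key_type == "ECDSA":
        curve = CURVES.get(curve_oid)
        if curve is None:
            problems.append(f"ECDSA curve {curve_oid} not permitted")
        elif match_curve_digest and CURVE_DIGEST[curve] != digest:
            problems.append(f"{curve} must be paired with {CURVE_DIGEST[curve]}, got {digest}")
    return problems
```

The RSA modulus size and the ECDSA curve OID come from the SubjectPublicKeyInfo of the same certificate, which this example takes as parameters rather than parsing.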