On 10/01/2019 15:38, Jason wrote:
I would say that the problem here would be that a child certificate can't use a higher cryptography level than the issuer, this is agains good practices and, AFAIK, agains the Webtrust audit criteria. Jason
Note that the only one of all these certificates that I checked closely was issued from a SubCA with an RSA key. Direct strength comparison etween RSA and EC keys is somewhat difficult and depends on predictions of future key breaking technology, so for some people, the CA key was stronger than that particular P-521 EC key. (Not that this is a requirement, see other replies). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy