On Fri, Apr 26, 2019 at 11:39 AM Wayne Thayer <wtha...@mozilla.com> wrote:

> On Wed, Apr 24, 2019 at 10:02 AM Ryan Sleevi <r...@sleevi.com> wrote:
>
>> Thank you David and Ryan! This appears to me to be a reasonable
>> improvement to our policy.
>>
>
> Brian: could I ask you to review the proposed change?
>
>
>> This does not, however, address the last part of what Brian proposes -
>> which is examining if, how many, and which CAs would fail to meet these
>> encoding requirements today, either in their roots, subordinates, or leaf
>> certificates.
>>
>>
> While I agree that this would be useful information, for the purpose of
> moving ahead with this policy change would it instead be reasonable to set
> an effective date and require certificates issued (notBefore) after that
> date to comply, putting the burden on CAs to verify their implementations
> rather than relying on someone else to do that work?
>

My understanding here is that the proposed text is not imposing a new
requirement, but more explicitly stating a requirement that is already
imposed by the BRs. AFAICT BRs require syntactically valid X.509
certificates, RFC 5280 defines what's syntactically valid, RFC 5280 defers
to other documents about what is allowed for each algorithm identifier, and
this is an attempt to collect all those requirements into one spot for
convenience.

It would be easier to understand if this is true if the proposed text cited
the RFCs, like RFC 4055, that actually impose the requirements that result
in the given encodings.


>
>> While this includes RSA-PSS, it's worth noting that mozilla::pkix does not
>> support these certificates, and also worth noting that the current encoding
>> scheme is substantially more verbose than desirable.
>>
>
I agree the encoding is unfortunate. But, also, there's no real prospect of
a shorter encoding being standardized and implemented in a realistic time
frame.

Cheers,
Brian
--
https://briansmith.org/
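A small checker for the encoding rules under discussion, added here as an example and not part of the thread or of Mozilla's policy text: it parses a DER AlgorithmIdentifier and applies the RFC 4055 parameter rules Brian refers to (explicit NULL parameters for the PKCS#1 v1.5 signature OIDs, an RSASSA-PSS-params SEQUENCE for RSA-PSS); the ECDSA rule (parameters absent, RFC 5758) is my addition, and the sample byte strings are constructed.

```python
# Added example, not code from the thread or from any CA: check the parameters
# field of a DER AlgorithmIdentifier against RFC 4055 / RFC 5758. Samples are constructed.
# RFC 4055 s.5: PKCS#1 v1.5 signature OIDs MUST carry an explicit NULL parameter.
RSA_PKCS1_OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
                  "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
                  "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}
# RFC 5758 s.3.2: ECDSA signature OIDs MUST have the parameters field absent.
ECDSA_OIDS = {"1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
              "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
              "1.2.840.10045.4.3.4": "ecdsa-with-SHA512"}
# RFC 4055 s.3.1: id-RSASSA-PSS carries an RSASSA-PSS-params SEQUENCE (the verbose encoding).
RSA_PSS_OID = "1.2.840.113549.1.1.10"

def _read_tlv(data: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def check_algorithm_identifier(der: bytes):
    """Return (oid, verdict): True = conforming, False = mis-encoded, None = OID not covered."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30: raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_body, pos = _read_tlv(seq, 0)
    if tag != 0x06: raise ValueError("first element must be an OBJECT IDENTIFIER")
    oid, params = _decode_oid(oid_body), seq[pos:]  # everything after the OID is parameters
    if oid in RSA_PKCS1_OIDS:
        return oid, params == b"\x05\x00"   # explicit NULL required
    if oid in ECDSA_OIDS:
        return oid, params == b""           # parameters must be absent
    if oid == RSA_PSS_OID:
        return oid, params[:1] == b"\x30"   # RSASSA-PSS-params SEQUENCE expected
    return oid, None

# Constructed samples: sha256WithRSAEncryption with/without NULL, ecdsa-with-SHA256 correct/stray NULL.
RSA_SHA256_OK = bytes.fromhex("300d06092a864886f70d01010b0500")
RSA_SHA256_MISSING_NULL = bytes.fromhex("300b06092a864886f70d01010b")
ECDSA_SHA256_OK = bytes.fromhex("300a06082a8648ce3d040302")
ECDSA_SHA256_STRAY_NULL = bytes.fromhex("300c06082a8648ce3d0403020500")
```

Running the checker over the signatureAlgorithm and the TBS signature field of a CA's issued certificates is the kind of self-verification the thread asks CAs to do before an effective date.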
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy