A few more questions have come up about this change: * Since mozilla::pkix doesn't currently support the RSA-PSS encodings, why would we include them in our policy? * Related: would this detailed enumeration of requirements be better to place in the BRs than in Mozilla policy? * In that case it wouldn't cover S/MIME certs * We'd still need to exclude P-521 in Mozilla policy * It would end up in audit criteria and perhaps engineers implementing it would be more likely to be aware of it * Presumably the RSA-PSS encoding would be included in the BRs and would then potentially need to be excluded from Mozilla policy
As always, I'll appreciate everyone's input on these questions. - Wayne On Wed, Oct 2, 2019 at 5:59 PM Wayne Thayer <wtha...@mozilla.com> wrote: > Thank you Ryan. Brian reviewed these changes back in May, so I've gone > ahead and accepted them for the 2.7 policy update: > https://github.com/mozilla/pkipolicy/commit/5657ecf650d70fd3c6ca5062bee360fd83da9d27 > > I'll consider this issue resolved unless there are further comments. > > - Wayne > > On Fri, May 24, 2019 at 1:38 AM Ryan Sleevi <r...@sleevi.com> wrote: > >> >> >> On Wed, May 22, 2019 at 7:43 PM Brian Smith <br...@briansmith.org> wrote: >> >>> Ryan Sleevi <r...@sleevi.com> wrote: >>> >>>> >>>> >>>>> It would be easier to understand if this is true if the proposed text >>>>> cited the RFCs, like RFC 4055, that actually impose the requirements that >>>>> result in the given encodings. >>>>> >>>> >>>> Could you clarify, do you just mean adding references to each of the >>>> example encodings (such as the above example, for the SPKI encoding)? >>>> >>> >>> Exactly. That way, it is clear that the given encodings are not imposing >>> a new requirement, and it would be clear which standard is being used to >>> determine to correct encoding. >>> >> >> Thanks, did that in >> https://github.com/sleevi/pkipolicy/commit/80da8acded63618a058d26c73db1e2438a6df9ed >> >> >>> >>> I realize that determining the encoding from each of these cited specs >>> would require understanding more specifications, including in particular >>> how ASN.1 DER requires DEFAULT values to be encoded. I would advise against >>> calling out all of these details individually less people get confused by >>> inevitable omissions. >>> >> >> Hopefully struck the right balance. These changes are now reflected in >> the PR at https://github.com/mozilla/pkipolicy/pull/183 >> > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy