On Fri, Nov 8, 2019 at 12:06 PM Ryan Sleevi <r...@sleevi.com> wrote: > > On Fri, Nov 8, 2019 at 1:54 PM Wayne Thayer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> A few more questions have come up about this change: >> >> * Since mozilla::pkix doesn't currently support the RSA-PSS encodings, why >> would we include them in our policy? >> > > They were included for completeness sake, as neither Mozilla Policy nor > the BRs presently forbid them. > > I'm much in favor of not permitting them, but since the current > restriction on RSA keys does not restrict the signature algorithms used, we > wanted to make sure the combinations were suitable. > >
I understand the point that including the RSA-PSS encodings does not change the literal meaning of the current policy, but it does imply that Mozilla supports these encodings when in fact NSS does not. We could resolve this by removing the RSA-PSS encodings or by adding a note stating that Firefox doesn't currently support them. I prefer adding the note, since Firefox could add support [1] for RSA-PSS much more quickly that this policy is typically updated. I propose the following: Note: as of version 70, RSASSA-PSS encodings are not supported by Firefox. (with a link to [1]) - Wayne [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1088140 _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
