On Thu, Nov 14, 2019 at 3:24 PM Wayne Thayer <wtha...@mozilla.com> wrote:
> On Fri, Nov 8, 2019 at 12:06 PM Ryan Sleevi <r...@sleevi.com> wrote:
>
>> On Fri, Nov 8, 2019 at 1:54 PM Wayne Thayer via dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
>>
>>> A few more questions have come up about this change:
>>>
>>> * Since mozilla::pkix doesn't currently support the RSA-PSS encodings,
>>> why would we include them in our policy?
>>>
>> They were included for completeness' sake, as neither Mozilla Policy nor
>> the BRs presently forbid them.
>>
>> I'm much in favor of not permitting them, but since the current
>> restriction on RSA keys does not restrict the signature algorithms used,
>> we wanted to make sure the combinations were suitable.
>>
> I understand the point that including the RSA-PSS encodings does not
> change the literal meaning of the current policy, but it does imply that
> Mozilla supports these encodings when in fact NSS does not. We could
> resolve this by removing the RSA-PSS encodings or by adding a note stating
> that Firefox doesn't currently support them. I prefer adding the note,
> since Firefox could add support [1] for RSA-PSS much more quickly than this
> policy is typically updated. I propose the following:
>
> Note: as of version 70, RSASSA-PSS encodings are not supported by Firefox.
> (with a link to [1])
>

I've gone ahead and made this change in the 2.7 branch of the policy:
https://github.com/mozilla/pkipolicy/commit/320d3a47c655c5b49f6465d9446ceea85be96d4b

- Wayne

> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1088140
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy