I agree.

Bruce.

> On Jan 8, 2019, at 1:53 PM, Doug Beattie via Public <[email protected]> wrote:
>
> Should we update the BRs to forbid P-521 given Mozilla root program forbids them?
>
> -----Original Message-----
> From: dev-security-policy <[email protected]> On Behalf Of Jonathan Rudenberg via dev-security-policy
> Sent: Tuesday, January 8, 2019 1:31 PM
> To: [email protected]
> Subject: Re: P-521 Certificates
>
>> On Mon, Jan 7, 2019, at 21:26, Corey Bonnell via dev-security-policy wrote:
>> (Posting in a personal capacity as I am no longer employed by Trustwave)
>>
>> Mozilla Root Store Policy section 5.1 (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/) prohibits the use of P-521 keys in root certificates included in the Mozilla trust store, as well as in any certificates chaining to these roots. This prohibition was made very clear in the discussion on this list in 2017 at https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/7O34-DmZeC8/fsKobHABAwAJ.
>>
>> Below is a list of unexpired, unrevoked certificates which contain P-521 public keys (grouped by CA Owner and ordered by notBefore):
>
> I've created https://misissued.com/batch/43/ to track these.

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
