Should we update the BRs to forbid P-521 given Mozilla root program forbids them?
-----Original Message-----
From: dev-security-policy <[email protected]> On Behalf Of Jonathan Rudenberg via dev-security-policy
Sent: Tuesday, January 8, 2019 1:31 PM
To: [email protected]
Subject: Re: P-521 Certificates

On Mon, Jan 7, 2019, at 21:26, Corey Bonnell via dev-security-policy wrote:
> (Posting in a personal capacity as I am no longer employed by
> Trustwave)
>
> Mozilla Root Store Policy section 5.1
> (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/)
> prohibits the use of P-521 keys in root certificates
> included in the Mozilla trust store, as well as in any certificates
> chaining to these roots. This prohibition was made very clear in the
> discussion on this list in 2017 at
> https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/7O34-DmZeC8/fsKobHABAwAJ.
>
> Below is a list of unexpired, unrevoked certificates which contain
> P-521 public keys (grouped by CA Owner and ordered by notBefore):

I've created https://misissued.com/batch/43/ to track these.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
