RE: xmlsec / ECDSA problem

2017-02-17 Thread Jeremy Rowley 
It's still permitted in the policy. 

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs
/policy/#inclusion

Section 8.

-Original Message-
From: dev-tech-crypto
[mailto:dev-tech-crypto-bounces+jeremy.rowley=digicert@lists.mozilla.org
] On Behalf Of Martin Thomson
Sent: Wednesday, February 15, 2017 5:06 PM
To: mozilla's crypto code discussion list

Cc: mozilla-dev-tech-crypto 
Subject: Re: xmlsec / ECDSA problem

On Thu, Feb 16, 2017 at 4:22 AM, Gervase Markham  wrote:
> Did things break when we disabled it?

A few things.  It lasted less than a day in Nightly before we got multiple
bug reports.

> Do we know why Chrome decided not to support it? Two NIST curves is
enough?

That's my understanding.  P-521 isn't busted, it's just a little inefficient
and not enough stronger than P-384 (or X448) that it is worth keeping around
when faced with a working quantum computer.  That and the fact that more
options is more code to carry, more options to signal, and so forth.  I
think that's the reasoning.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


smime.p7s
Description: S/MIME cryptographic signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Curves

2016-09-30 Thread Jeremy Rowley 
I'd like to start using EdDSA curves for customers (and push for HSM
support). This would be much easier if there weren't so many policies (that
pre-date development of the curves) preventing actual use of the tech. Any
thoughts on when/if the policy will change? 

 

Jeremy



smime.p7s
Description: S/MIME cryptographic signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

RE: New wiki page on certificate revocation plans

2014-07-31 Thread Jeremy Rowley 
This is great.  Thanks Richard!  

For OneCRL and the EE certs, establishing parameters around when an EE is 
eligible for inclusion would give guidance to CAs about when to report 
revocations.  Is the OneCRL intended for when the cert is compromised because 
of a breach of the CA?  Or can high profile domains with stolen keys request 
inclusion?

Jeremy 

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert@lists.mozilla.org]
 On Behalf Of Richard Barnes
Sent: Thursday, July 31, 2014 8:08 PM
To: mozilla-dev-security-pol...@lists.mozilla.org; 
mozilla-dev-tech-cry...@lists.mozilla.org
Subject: New wiki page on certificate revocation plans

Hi all,

We in the Mozilla PKI team have been discussing ways to improve revocation 
checking in our PKI stack, consolidating a bunch of ideas from earlier work 
[1][2] and some maybe-new-ish ideas.  I've just pressed save on a new wiki 
page with our initial plan:

https://wiki.mozilla.org/CA:RevocationPlan

It would be really helpful if people could review and provide feedback on this 
plan.

There's one major open issue highlighted in the wiki page.  We're planning to 
adopt a centralized revocation list model for CA certificates, which we're 
calling OneCRL.  (Conceptually similar to Chrome's CRLsets.)  In addition to 
covering CA certifcates, we're also considering covering some end-entity (EE) 
certificates with OneCRL too.  But there are some drawbacks to this approach, 
so it's not certain that we will include this in the final plan.  Feedback on 
this point would be especially valuable.

Thanks a lot,
--Richard

[1] https://wiki.mozilla.org/CA:ImprovingRevocation
[2] https://www.imperialviolet.org/2012/02/05/crlsets.html
___
dev-security-policy mailing list
dev-security-pol...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto