On Thu, Mar 11, 2021 at 12:01 AM pfuen...--- via dev-security-policy
wrote:
>
> In summary, my understanding is that we can ignore that illustrative control
> of the Webtrust Criteria and that the community is cool with these
> subordinations of CAs with stronger keys (same or different
OK. Thanks for your answers.
In summary, my understanding is that we can ignore that illustrative control of
the Webtrust Criteria and that the community is cool with these subordinations
of CAs with stronger keys (same or different algorithm).
Best,
Pedro
an Sleevi via dev-security-policy
> Sent: Wednesday, March 10, 2021 11:00 AM
> To: pfuen...@gmail.com
> Cc: Mozilla
> Subject: Re: Clarification request: ECC subCAs under RSA Root
>
> I agree with Corey that this is problematic, and wouldn't even call it a
best
> practice/go
I agree with Corey that this is problematic, and wouldn't even call it a
best practice/good practice.
I appreciate the goal in the abstract - which is to say, don't do more work
than necessary (e.g. having an RSA-4096 signed by RSA-2048 is wasting
cycles *if* there's no other reason for it), but
> My understanding is that neither the BRs or any Root Program require that
> that subordinate CA key be weaker or equal in strength to the issuing CA's
> key.
>
> Additionally, such a requirement would prohibit cross-signs where a "legacy"
> root with a smaller key size would certify a new
ew root CA with a stronger key.
For that reason, this illustrative control seems problematic.
Thanks,
Corey
-Original Message-
From: dev-security-policy On
Behalf Of pfuen...--- via dev-security-policy
Sent: Wednesday, March 10, 2021 4:17 AM
To: Mozilla
Subject: Clarification request: ECC su
Hello all,
I'd have an open question about the possibility (from a compliance standpoint)
of having an ECC 256 subordinate under an RSA 2048 Root.
If I look at the WebTrust criteria, I can see this:
4.1.3 CA key generation generates keys that:
a) use a key generation algorithm as disclosed
7 matches
Mail list logo