On Thu, Mar 11, 2021 at 12:01 AM pfuen...--- via dev-security-policy
wrote:
>
> In summary, my understanding is that we can ignore that illustrative control
> of the Webtrust Criteria and that the community is cool with these
> subordinations of CAs with stronger keys (same or different
OK. Thanks for your answers.
In summary, my understanding is that we can ignore that illustrative control of
the Webtrust Criteria and that the community is cool with these subordinations
of CAs with stronger keys (same or different algorithm).
Best,
Pedro
an Sleevi via dev-security-policy
> Sent: Wednesday, March 10, 2021 11:00 AM
> To: pfuen...@gmail.com
> Cc: Mozilla
> Subject: Re: Clarification request: ECC subCAs under RSA Root
>
> I agree with Corey that this is problematic, and wouldn't even call it a
best
> practice/go
I agree with Corey that this is problematic, and wouldn't even call it a
best practice/good practice.
I appreciate the goal in the abstract - which is to say, don't do more work
than necessary (e.g. having an RSA-4096 signed by RSA-2048 is wasting
cycles *if* there's no other reason for it), but
> My understanding is that neither the BRs or any Root Program require that
> that subordinate CA key be weaker or equal in strength to the issuing CA's
> key.
>
> Additionally, such a requirement would prohibit cross-signs where a "legacy"
> root with a smaller key size would certify a new
My understanding is that neither the BRs or any Root Program require that that
subordinate CA key be weaker or equal in strength to the issuing CA's key.
Additionally, such a requirement would prohibit cross-signs where a "legacy"
root with a smaller key size would certify a new root CA with a
6 matches
Mail list logo
