[Cscwg-public] DSA SubCAs: are they allowed?

Corey Bonnell Corey.Bonnell at digicert.com
Wed Sep 15 13:50:03 UTC 2021


Hello,

In removing the algorithm encoding requirements from the RFC 3647 draft
CSBRs
(https://github.com/cabforum/code-signing/pull/6/commits/3e642a8cf2b5b1c7479
e7e5031a6301c2fd6b828), I encountered a potential inconsistency/ambiguity in
the current CSBRs and Microsoft Root Program requirements. Appendix A of the
current CSBRs allows for Roots and SubCAs to use a DSA key pair, but section
B of the Microsoft Root Program [1] requirements for Roots and SubCAs
seemingly do not by omission of DSA entirely.

 

Given this, is it safe to conclude that the Microsoft Root Program currently
prohibits DSA Roots and SubCAs? If so, can we disallow DSA ICAs in the RFC
3647 CSBRs to mirror the Microsoft Root Program requirements?

 

Thanks,

Corey

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210915/ad4fa260/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4990 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210915/ad4fa260/attachment.p7s>


More information about the Cscwg-public mailing list