[cabfpub] P-521 Certificates

Doug Beattie doug.beattie at globalsign.com
Tue Jan 8 18:52:43 UTC 2019


Should we update the BRs to forbid P-521 given Mozilla root program forbids
them?

-----Original Message-----
From: dev-security-policy <dev-security-policy-bounces at lists.mozilla.org> On
Behalf Of Jonathan Rudenberg via dev-security-policy
Sent: Tuesday, January 8, 2019 1:31 PM
To: dev-security-policy at lists.mozilla.org
Subject: Re: P-521 Certificates

On Mon, Jan 7, 2019, at 21:26, Corey Bonnell via dev-security-policy wrote:
> (Posting in a personal capacity as I am no longer employed by 
> Trustwave)
> 
> Mozilla Root Store Policy section 5.1
> (https://www.mozilla.org/en-US/about/governance/policies/security-grou
> p/certs/policy/) prohibits the use of P-521 keys in root certificates 
> included in the Mozilla trust store, as well as in any certificates 
> chaining to these roots. This prohibition was made very clear in the 
> discussion on this list in 2017 at 
>
https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/7O34-DmZeC
8/fsKobHABAwAJ.
> 
> Below is a list of unexpired, unrevoked certificates which contain 
> P-521 public keys (grouped by CA Owner and ordered by notBefore):

I've created https://misissued.com/batch/43/ to track these.
_______________________________________________
dev-security-policy mailing list
dev-security-policy at lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5716 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20190108/8bcfc7a5/attachment.p7s>


More information about the Public mailing list