[cabfpub] [EXTERNAL]Re: P-521 Certificates

Bruce Morton Bruce.Morton at entrustdatacard.com
Tue Jan 8 11:54:23 MST 2019


I agree.

Bruce.

> On Jan 8, 2019, at 1:53 PM, Doug Beattie via Public <public at cabforum.org> wrote:
> 
> Should we update the BRs to forbid P-521 given Mozilla root program forbids
> them?
> 
> -----Original Message-----
> From: dev-security-policy <dev-security-policy-bounces at lists.mozilla.org> On
> Behalf Of Jonathan Rudenberg via dev-security-policy
> Sent: Tuesday, January 8, 2019 1:31 PM
> To: dev-security-policy at lists.mozilla.org
> Subject: Re: P-521 Certificates
> 
>> On Mon, Jan 7, 2019, at 21:26, Corey Bonnell via dev-security-policy wrote:
>> (Posting in a personal capacity as I am no longer employed by 
>> Trustwave)
>> 
>> Mozilla Root Store Policy section 5.1
>> (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/)
>> prohibits the use of P-521 keys in root certificates
>> included in the Mozilla trust store, as well as in any certificates
>> chaining to these roots. This prohibition was made very clear in the
>> discussion on this list in 2017 at
>> https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/7O34-DmZeC8/fsKobHABAwAJ.
>> 
>> Below is a list of unexpired, unrevoked certificates which contain 
>> P-521 public keys (grouped by CA Owner and ordered by notBefore):
> 
> I've created https://misissued.com/batch/43/ to track these.