[cabfpub] P-521 Certificates

Jeremy Rowley jeremy.rowley at digicert.com
Tue Jan 8 18:54:37 UTC 2019

I don't think so. Microsoft specifically allows them. There are probably use
cases for MS only roots where trust in the OS is needed but not trust in

-----Original Message-----
From: Public <public-bounces at cabforum.org> On Behalf Of Doug Beattie via
Sent: Tuesday, January 8, 2019 11:53 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] P-521 Certificates

Should we update the BRs to forbid P-521 given Mozilla root program forbids

-----Original Message-----
From: dev-security-policy <dev-security-policy-bounces at lists.mozilla.org> On
Behalf Of Jonathan Rudenberg via dev-security-policy
Sent: Tuesday, January 8, 2019 1:31 PM
To: dev-security-policy at lists.mozilla.org
Subject: Re: P-521 Certificates

On Mon, Jan 7, 2019, at 21:26, Corey Bonnell via dev-security-policy wrote:
> (Posting in a personal capacity as I am no longer employed by
> Trustwave)
> Mozilla Root Store Policy section 5.1
> (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/)
> prohibits the use of P-521 keys in root certificates
> included in the Mozilla trust store, as well as in any certificates 
> chaining to these roots. This prohibition was made very clear in the 
> discussion on this list in 2017 at
> Below is a list of unexpired, unrevoked certificates which contain
> P-521 public keys (grouped by CA Owner and ordered by notBefore):

I've created https://misissued.com/batch/43/ to track these.