[Servercert-wg] PSS is SubjectPublicKeyInfo

Wayne Thayer wthayer at gmail.com
Sun Jan 10 16:19:35 UTC 2021


Hi Kurt,

This requirement was pulled into the BRs via ballot SC31 "Browser
Alignment" from the Mozilla Root Store Policy. You can find the origin of
Mozilla's requirement in discussions on the mozilla.dev.security.policy
list archives. This one is most relevant:
https://groups.google.com/g/mozilla.dev.security.policy/c/t3d1KrovIn4/m/CawabpAWBAAJ

- Wayne

On Sat, Jan 9, 2021 at 2:53 PM Kurt Roeckx via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Hi,
>
> The current document has this text:
> 7.1.3.1 SubjectPublicKeyInfo
> [...]
> 7.1.3.1.1 RSA
> The CA SHALL indicate an RSA key using the rsaEncryption (OID:
> 1.2.840.113549.1.1.1) algorithm identifier. The parameters MUST be present,
> and MUST be an explicit NULL. The CA SHALL NOT use a different algorithm,
> such as the id-RSASSA-PSS (OID: 1.2.840.113549.1.1.10) algorithm
> identifier, to indicate an RSA key.
>
> Why is id-RSASSA-PSS or id-RSAES-OAEP not allowed? RFC4055
> specifies the use of those OIDs to restrict the use of the RSA
> key. At least id-RSAES-OAEP is being used. Having the key
> type being id-RSASSA-PSS looks useful to me.
>
>
> Kurt
>
>
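The RSA rule in the quoted section 7.1.3.1.1, written as a check over a DER SubjectPublicKeyInfo. This is an added example, not part of either message and not CA/Browser Forum or Mozilla code. It assumes the caller already knows the key is RSA; the function names, the message strings and the `sample_spki` inputs are constructed for illustration.

```python
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
RFC4055_NAMES = {"1.2.840.113549.1.1.10": "id-RSASSA-PSS",
                 "1.2.840.113549.1.1.7": "id-RSAES-OAEP"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal form."""
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:               # high bit clear ends a sub-identifier
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def check_rsa_spki(spki_der):
    """Findings for an SPKI the caller knows holds an RSA key; [] = conforms."""
    tag, spki, _ = read_tlv(spki_der)
    alg_tag, alg, _ = read_tlv(spki)
    oid_tag, oid_body, params_at = read_tlv(alg)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not a SubjectPublicKeyInfo")
    oid = decode_oid(oid_body)
    if oid != RSA_ENCRYPTION:
        return ["algorithm is %s, not rsaEncryption" % RFC4055_NAMES.get(oid, oid)]
    if alg[params_at:] != b"\x05\x00":     # exact bytes: absent or non-NULL both fail
        return ["parameters are not an explicit NULL"]
    return []

def sample_spki(last_arc, params):
    """Constructed test input: pkcs-1 OID ending in last_arc, placeholder key bits."""
    alg = bytes.fromhex("06092a864886f70d0101") + bytes([last_arc]) + params
    body = b"\x30" + bytes([len(alg)]) + alg + b"\x03\x02\x00\x00"
    return b"\x30" + bytes([len(body)]) + body

if __name__ == "__main__":
    for arc, params in [(1, b"\x05\x00"), (1, b""), (10, b"")]:
        print(arc, params.hex(), check_rsa_spki(sample_spki(arc, params)))
```

Comparing the parameter bytes exactly, rather than decoding them, also rejects a NULL written with a non-minimal length encoding.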