The cryptographic requirements for Code Signing Certificates will change on 2021-06-01.

Sándor dr. Szőke

May 25, 2021, 12:40:19 PM5/25/21
to dev-secur...@mozilla.org
Version 2.3 (May 3, 2021) of Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates
says in the first table of
"Appendix A Minimum Cryptographic Algorithm and Key Size Requirements"
that 

Code Signing Certificates issued on or after the transition date and their corresponding Root Certificates and Subordinate CA Certificates:
Minimum RSA modulus size (bits): 3072
Transition Date: June 1, 2021

In general, all requirements of CABF documents apply only to certificate issuance that takes place after the specified deadlines, including those for CA certificates.

However, in this case, we interpret the requirement for RSA keys as follows:

From the transition date, all of the following requirements shall be met at the same time:
  • the Code Signing Certificate shall be issued for at least 3072-bit keys
  • the issuing intermediate CA shall have at least 3072-bit RSA key, even if it was issued prior to the transition date
  • the root CA shall have at least 3072-bit RSA key, even if it was issued prior to the transition date

So after the transition date, there is no way to issue Code Signing Certificates under a root CA having a 2048-bit RSA key.

Is our interpretation correct?
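
The interpretation set out in the question above, encoded as a chain check so it can be run against an actual hierarchy. This is an added example, not code from the thread or from the CA/B Forum: it takes the 3072-bit minimum and the 2021-06-01 transition date from the quoted table, keys the required minimum off the leaf's notBefore date, and then applies that minimum to the leaf, every subordinate CA and the root, regardless of when the CA certificates were issued. The 2048-bit figure used for chains issued before the transition date is an assumption (the thread only quotes the 3072 row), as is the demo hierarchy, which is constructed in the block and is not a real CA. Requires the `cryptography` package.

```python
"""Check an RSA code-signing chain against the Appendix A key-size rule, using the
interpretation from the question: once the leaf is issued on or after the transition
date, the leaf, every subordinate CA and the root must all have RSA moduli of at least
3072 bits, even if the CA certificates were issued earlier.

Added example, not part of the original post. Needs the 'cryptography' package.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

TRANSITION_DATE = datetime(2021, 6, 1, tzinfo=timezone.utc)  # from the quoted BR table
MIN_BITS_AFTER = 3072   # from the quoted BR table
MIN_BITS_BEFORE = 2048  # assumption: the thread does not quote the pre-transition row
DAY_BEFORE = TRANSITION_DATE - timedelta(days=1)


def _utc(dt):
    """The parser may hand back naive datetimes; treat those as UTC."""
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def rsa_bits(cert):
    """Modulus size of the certificate's RSA public key, or None if the key is not RSA."""
    pub = cert.public_key()
    return pub.key_size if isinstance(pub, rsa.RSAPublicKey) else None


def required_bits(leaf):
    """Minimum modulus for the whole chain, decided by the leaf's issuance (notBefore) date."""
    issued = getattr(leaf, "not_valid_before_utc", None) or _utc(leaf.not_valid_before)
    return MIN_BITS_AFTER if issued >= TRANSITION_DATE else MIN_BITS_BEFORE


def check_chain(chain):
    """chain = [leaf, intermediate..., root].

    Returns a list of (role, key_bits, required_bits) for every certificate whose RSA
    key is smaller than the minimum derived from the leaf; an empty list is compliant.
    """
    need = required_bits(chain[0])
    findings = []
    for i, cert in enumerate(chain):
        role = "leaf" if i == 0 else "root" if i == len(chain) - 1 else "intermediate"
        bits = rsa_bits(cert)
        if bits is None or bits < need:
            findings.append((role, bits, need))
    return findings


# ---- constructed demo hierarchy (hypothetical names, not a real CA) ----
def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(cn, key, issuer_cn, issuer_key, not_before, is_ca):
    return (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(_name(issuer_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_before + timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


# Key generation is the slow part, so do it once at import time.
ROOT_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
SUB_KEY = rsa.generate_private_key(public_exponent=65537, key_size=3072)
LEAF_KEY = rsa.generate_private_key(public_exponent=65537, key_size=3072)


def build_demo_chain(leaf_issued):
    """2048-bit root from 2015, 3072-bit subordinate from 2020, 3072-bit leaf issued at leaf_issued."""
    root = _cert("Demo Root", ROOT_KEY, "Demo Root", ROOT_KEY,
                 datetime(2015, 1, 1, tzinfo=timezone.utc), True)
    sub = _cert("Demo Sub CA", SUB_KEY, "Demo Root", ROOT_KEY,
                datetime(2020, 1, 1, tzinfo=timezone.utc), True)
    leaf = _cert("Demo Signer", LEAF_KEY, "Demo Sub CA", SUB_KEY, leaf_issued, False)
    return [leaf, sub, root]


if __name__ == "__main__":
    # Same hierarchy, leaf issued one day apart: only the root's 2048-bit key changes the verdict.
    for when in (DAY_BEFORE, TRANSITION_DATE):
        print(when.date(), check_chain(build_demo_chain(when)))
```

Running it shows the point of the question: the identical root and subordinate pass for a leaf issued on 2021-05-31 and the root is flagged for a leaf issued on 2021-06-01, because under this reading the minimum is evaluated against the leaf's issuance date rather than against each CA certificate's own issuance date. Whether that reading is the intended one is exactly what the thread goes on to redirect to the Code Signing WG.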

Ryan Sleevi

May 25, 2021, 2:06:56 PM5/25/21
to Sándor dr. Szőke, dev-secur...@mozilla.org
You would benefit from asking the ques...@cabforum.com list instead.

Neither the Mozilla nor Google Root Programs make use of the document referenced as part of their root programs. You may wish to speak to Microsoft, the only root program (to my knowledge) that makes use of that document, or use the ques...@cabforum.org to ask the Code Signing WG.

Matt Palmer

May 25, 2021, 7:52:34 PM5/25/21
to dev-secur...@mozilla.org
On Tue, May 25, 2021 at 08:06:42AM -1000, Ryan Sleevi wrote:
> You would benefit from asking the ques...@cabforum.com list instead.

As shown later in the post, this should actually be ques...@cabforum.org.

- Matt

Sándor dr. Szőke

May 26, 2021, 5:10:21 AM5/26/21
to dev-secur...@mozilla.org, Matt Palmer
Thank you for the information, I will send my question to ques...@cabforum.org.