Policy Update: section 8 of Maintenance Policy

[Kathleen Wilson]

The next two topics to discuss [1] have to do with section 8 of
Mozilla’s CA Certificate Maintenance Policy.

The proposals are:
- (D15) Deprecate SHA-1 Hash Algorithms in certs.
and
- (D4) In item #8 of the Maintenance Policy recommend that CAs avoid
SHA-512 and P-521, especially in their CA certificates. This is to
ensure interoperability, as SHA-512 and (especially) P-521 are less
well-supported than the other algorithms. (Note: On the page you linked
to, P-521 is incorrectly spelled "P-512".)
-- Not sure if we should make this change...

Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1129083 was filed to
remove support for certs signed using SHA-512-based signatures, but it
was closed as invalid, and SHA-512 support was fixed via
https://bugzilla.mozilla.org/show_bug.cgi?id=1155932

Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1129077 was filed to
remove support for certs that use the P-521 curve. But this is still up
for discussion.

So, do we really want to add a comment to Mozilla's policy about limited
support for SHA-512 and P-521?

Here's what Mozilla's policy currently says:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/
~~
8. We consider the following algorithms and key sizes to be acceptable
and supported in Mozilla products:
- SHA-1 (until a practical collision attack against SHA-1 certificates
is imminent);
- SHA-256, SHA-384, SHA-512;
- Elliptic Curve Digital Signature Algorithm (using ANSI X9.62) over
SECG and NIST named curves P-256, P-384, and P-512;
- RSA 2048 bits or higher; and
- RSA 1024 bits (only until December 31, 2013).
~~

I recommend that we change it to the following:
~~
8. We consider the following algorithms and key sizes to be acceptable
and supported in Mozilla products:
- SHA-256, SHA-384, SHA-512;
- Elliptic Curve Digital Signature Algorithm (using ANSI X9.62) over
SECG and NIST named curves P-256, P-384, and P-521; and
- RSA 2048 bits or higher.
~~

Another option is to delete this section from Mozilla's policy, because
it is covered by the Baseline Requirements. However, the Baseline
Requirements allows for DSA, which Mozilla does not support.
The “Key Sizes” section of the Baseline Requirements allows for:
SHA‐256, SHA‐384 or SHA‐512
NIST P‐256, P‐384, or P‐521
DSA L= 2048, N= 224 or L= 2048, N= 256


As always, I will appreciate your thoughtful and constructive input into
this discussion.

Kathleen

[1]
https://wiki.mozilla.org/CA:CertificatePolicyV2.3#Proposed_Changes_That_Need_To_Be_Discussed

[David E. Ross]

Rather than list acceptable key types and sizes, cite the Baseline
Requirements along with listing exceptions, both types and sizes that
are not supported but are in the BR and types and sizes that are
supported but are not in the BR. I would not be surprised if the latter
would be an empty list.

--
David E. Ross

The Crimea is Putin's Sudetenland.
The Ukraine will be Putin's Czechoslovakia.
See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.

[Kathleen Wilson]

On 11/5/15 10:58 AM, David E. Ross wrote:
>
> Rather than list acceptable key types and sizes, cite the Baseline
> Requirements along with listing exceptions, both types and sizes that
> are not supported but are in the BR and types and sizes that are
> supported but are not in the BR. I would not be surprised if the latter
> would be an empty list.
>

That would look like:
~~
8. We consider the algorithms and key sizes specified in section 6.1.5
of version 1.3 or later of the CA/Browser Forum Baseline Requirements
for the Issuance and Management of Publicly-Trusted Certificates to be
acceptable and supported in Mozilla products; with the following exceptions.
- Mozilla does not support DSA keys
~~

Correct?

Thanks,
Kathleen

[s...@gmx.ch]

I would like to see SHA-3 signatures and Ed25519/curve25519 ASAP.
The later one is not that far away [1].
Maybe it's the right time to consider them?

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=957105

Am 05.11.2015 um 19:46 schrieb Kathleen Wilson:
> The next two topics to discuss [1] have to do with section 8 of
> Mozilla’s CA Certificate Maintenance Policy.
>
> The proposals are:
> - (D15) Deprecate SHA-1 Hash Algorithms in certs.
> and
> - (D4) In item #8 of the Maintenance Policy recommend that CAs avoid
> SHA-512 and P-521, especially in their CA certificates. This is to
> ensure interoperability, as SHA-512 and (especially) P-521 are less
> well-supported than the other algorithms. (Note: On the page you
> linked to, P-521 is incorrectly spelled "P-512".)
> -- Not sure if we should make this change...
>
> Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1129083 was filed to
> remove support for certs signed using SHA-512-based signatures, but it
> was closed as invalid, and SHA-512 support was fixed via
> https://bugzilla.mozilla.org/show_bug.cgi?id=1155932
>
> Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1129077 was filed to
> remove support for certs that use the P-521 curve. But this is still
> up for discussion.
>
> So, do we really want to add a comment to Mozilla's policy about
> limited support for SHA-512 and P-521?
>
> Here's what Mozilla's policy currently says:
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/
>

> ~~

> 8. We consider the following algorithms and key sizes to be acceptable
> and supported in Mozilla products:
> - SHA-1 (until a practical collision attack against SHA-1 certificates
> is imminent);
> - SHA-256, SHA-384, SHA-512;
> - Elliptic Curve Digital Signature Algorithm (using ANSI X9.62) over
> SECG and NIST named curves P-256, P-384, and P-512;
> - RSA 2048 bits or higher; and
> - RSA 1024 bits (only until December 31, 2013).
> ~~
>
> I recommend that we change it to the following:

> ~~

> 8. We consider the following algorithms and key sizes to be acceptable
> and supported in Mozilla products:
> - SHA-256, SHA-384, SHA-512;
> - Elliptic Curve Digital Signature Algorithm (using ANSI X9.62) over
> SECG and NIST named curves P-256, P-384, and P-521; and
> - RSA 2048 bits or higher.
> ~~
>
> Another option is to delete this section from Mozilla's policy,
> because it is covered by the Baseline Requirements. However, the
> Baseline Requirements allows for DSA, which Mozilla does not support.
> The “Key Sizes” section of the Baseline Requirements allows for:
> SHA‐256, SHA‐384 or SHA‐512
> NIST P‐256, P‐384, or P‐521
> DSA L= 2048, N= 224 or L= 2048, N= 256
>
>
> As always, I will appreciate your thoughtful and constructive input
> into this discussion.
>
> Kathleen
>
> [1]
> https://wiki.mozilla.org/CA:CertificatePolicyV2.3#Proposed_Changes_That_Need_To_Be_Discussed

> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

[David E. Ross]

Yes, that is what I meant. It is much shorter than listing what Mozilla
supports and potentially reduces the need to update the policy when the
BR is updated PROVIDING Mozilla indeed supports whatever the BR update
contains.

[Kurt Roeckx]

On 2015-11-05 19:46, Kathleen Wilson wrote:
>
> Another option is to delete this section from Mozilla's policy, because
> it is covered by the Baseline Requirements. However, the Baseline
> Requirements allows for DSA, which Mozilla does not support.

Maybe the BR should be updated to remove DSA support?


Kurt

[Kurt Roeckx]

On 2015-11-05 21:01, s...@gmx.ch wrote:
> I would like to see SHA-3 signatures and Ed25519/curve25519 ASAP.
> The later one is not that far away [1].
> Maybe it's the right time to consider them?
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=957105

This is about certificate, so as far as I know it would be Ed25519, not
curve25519.

I'm not sure there is any standard to do either SHA-3 or Ed25519 in a
certificate, but for Ed25519 there is at least a draft.

Reading that bug, I'm also concerned about the implementation that NSS
is considering using for curve25519. Like Watson Ladd indicated, they
should not convert it to the short Weierstrass form.


Kurt

[Rob Stradling]

On 05/11/15 20:01, s...@gmx.ch wrote:
> I would like to see SHA-3 signatures and Ed25519/curve25519 ASAP.
> The later one is not that far away [1].
> Maybe it's the right time to consider them?

I would like to (and I expect to) see these in a future version of the BRs.

There seems little point in the Mozilla CA Policy permitting additional
algorithms that the BRs don't currently permit. If the
Microsoft/Apple/Google/etc CA policies don't permit these algorithms,
then CAs can't use them anyway.

> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=957105
>
>
> Am 05.11.2015 um 19:46 schrieb Kathleen Wilson:
>> The next two topics to discuss [1] have to do with section 8 of
>> Mozilla’s CA Certificate Maintenance Policy.
>>
>> The proposals are:
>> - (D15) Deprecate SHA-1 Hash Algorithms in certs.
>> and
>> - (D4) In item #8 of the Maintenance Policy recommend that CAs avoid
>> SHA-512 and P-521, especially in their CA certificates. This is to
>> ensure interoperability, as SHA-512 and (especially) P-521 are less
>> well-supported than the other algorithms. (Note: On the page you
>> linked to, P-521 is incorrectly spelled "P-512".)
>> -- Not sure if we should make this change...
>>
>> Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1129083 was filed to
>> remove support for certs signed using SHA-512-based signatures, but it
>> was closed as invalid, and SHA-512 support was fixed via
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1155932
>>
>> Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1129077 was filed to
>> remove support for certs that use the P-521 curve. But this is still
>> up for discussion.
>>
>> So, do we really want to add a comment to Mozilla's policy about
>> limited support for SHA-512 and P-521?
>>
>> Here's what Mozilla's policy currently says:
>> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/
>>

>> ~~

>> 8. We consider the following algorithms and key sizes to be acceptable
>> and supported in Mozilla products:
>> - SHA-1 (until a practical collision attack against SHA-1 certificates
>> is imminent);
>> - SHA-256, SHA-384, SHA-512;
>> - Elliptic Curve Digital Signature Algorithm (using ANSI X9.62) over
>> SECG and NIST named curves P-256, P-384, and P-512;
>> - RSA 2048 bits or higher; and
>> - RSA 1024 bits (only until December 31, 2013).
>> ~~
>>
>> I recommend that we change it to the following:

>> ~~

>> 8. We consider the following algorithms and key sizes to be acceptable
>> and supported in Mozilla products:
>> - SHA-256, SHA-384, SHA-512;
>> - Elliptic Curve Digital Signature Algorithm (using ANSI X9.62) over
>> SECG and NIST named curves P-256, P-384, and P-521; and
>> - RSA 2048 bits or higher.
>> ~~
>>

>> Another option is to delete this section from Mozilla's policy,
>> because it is covered by the Baseline Requirements. However, the
>> Baseline Requirements allows for DSA, which Mozilla does not support.

>> The “Key Sizes” section of the Baseline Requirements allows for:
>> SHA‐256, SHA‐384 or SHA‐512
>> NIST P‐256, P‐384, or P‐521
>> DSA L= 2048, N= 224 or L= 2048, N= 256
>>
>>
>> As always, I will appreciate your thoughtful and constructive input
>> into this discussion.
>>
>> Kathleen
>>
>> [1]
>> https://wiki.mozilla.org/CA:CertificatePolicyV2.3#Proposed_Changes_That_Need_To_Be_Discussed
>> _______________________________________________
>> dev-security-policy mailing list
>> dev-secur...@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security-policy
>
>
>
>
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
sender by replying to the e-mail containing this attachment. Replies to
this email may be monitored by COMODO for operational or business
reasons. Whilst every endeavour is taken to ensure that e-mails are free
from viruses, no liability can be accepted and the recipient is
requested to use their own virus checking software.

[Brian Smith]

Kathleen Wilson <kwi...@mozilla.com> wrote:

> Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1129083 was filed to
> remove support for certs signed using SHA-512-based signatures, but it was
> closed as invalid, and SHA-512 support was fixed via
> https://bugzilla.mozilla.org/show_bug.cgi?id=1155932

A P-256 signature cannot hold an entire SHA-384 or SHA-512 hash; the hash
will get truncated to 256 bits. Similarly, a P-384 signature cannot hold a
SHA-512 hash. While it isn't completely wrong to use a too-big hash, it is
kind of silly to do so.

> Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1129077 was filed to
> remove support for certs that use the P-521 curve. But this is still up
> for discussion.

The issue with P-521 is simply one of compatibility with the broadest set
of products. Products basically *have* to support P-256 and P-384 because
that is what CAs are already using. But, lots of products can (and, it
seems, are planning to, or already are) omitting support for P-521. Thus,
even though Mozilla's products support P-521, it is worth steering towards
the more-compatible algorithms.

Also, is NSS's P-521 implementation actually production-quality? Has it
received proper QA. Check out:
https://bugzilla.mozilla.org/show_bug.cgi?id=650338
https://bugzilla.mozilla.org/show_bug.cgi?id=536389
https://bugzilla.mozilla.org/show_bug.cgi?id=325495
https://bugzilla.mozilla.org/show_bug.cgi?id=319252

I've forgotten exactly why now, but I remember thinking that I didn't feel
good about the P-521 implementation. And, IMO, it isn't worth spending time
working on P-521 considering the amount of work that is pending for
Curve25519, P-256, P-384, and Ed448.

I recommend that we change it to the following:
> ~~
> 8. We consider the following algorithms and key sizes to be acceptable and
> supported in Mozilla products:
> - SHA-256, SHA-384, SHA-512;
> - Elliptic Curve Digital Signature Algorithm (using ANSI X9.62) over SECG
> and NIST named curves P-256, P-384, and P-521; and
> - RSA 2048 bits or higher.
> ~~
>

I suggest:

~~
8. We consider the following algorithms and key sizes to be acceptable and
supported in Mozilla products:

- ECDSA using the P-256 curve and SHA-256.
- ECDSA using the P-384 curve and SHA-384.
- RSA using a 2048-bit or larger modulus, using SHA-256, SHA-384, or
SHA-512.

~~




> Another option is to delete this section from Mozilla's policy, because it
> is covered by the Baseline Requirements. However, the Baseline Requirements
> allows for DSA, which Mozilla does not support.
> The “Key Sizes” section of the Baseline Requirements allows for:
> SHA‐256, SHA‐384 or SHA‐512
> NIST P‐256, P‐384, or P‐521
> DSA L= 2048, N= 224 or L= 2048, N= 256
>

I suggest that Mozilla use the text I suggest above, and also propose it to
CABForum as the new CABForum language. Then, if/when CABForum adopts it,
replace the Mozilla policy text with a reference to the CABForum text in a
future version.

Cheers,
Brian
--
https://briansmith.org/

[rba...@mozilla.com]

I'm all for modern crypto, but to be honest, these are a little far away. The OIDs for Ed25519 aren't final yet, and I'm not aware of any work on putting SHA-3 in X.509 yet.

I think the right approach here is to delegate this to the BRs.

--Richard

[Kathleen Wilson]

There are two proposals on the table...

Proposal A:
~~

8. We consider the algorithms and key sizes specified in section 6.1.5
of version 1.3 or later of the CA/Browser Forum Baseline Requirements
for the Issuance and Management of Publicly-Trusted Certificates to be
acceptable and supported in Mozilla products; with the following exceptions.

- Mozilla does not and will not support DSA keys
- Mozilla does not currently support ECC curve P-521
~~


Proposal B:

~~
8. We consider the following algorithms and key sizes to be acceptable
and supported in Mozilla products:
- ECDSA using the P-256 curve and SHA-256.
- ECDSA using the P-384 curve and SHA-384.
- RSA using a 2048-bit or larger modulus, using SHA-256, SHA-384, or
SHA-512.
~~

I believe that both proposals say basically the same thing.

Proposal A might not a good idea if the BRs are ever updated to add key
sizes or algorithms that Mozilla does not actually support. But updating
the BRs does require a vote in the CA/Browser Forum, so I think it's
safe to assume that Mozilla would be involved in any such changes.

I think Proposal A is easier to maintain.

I think Proposal B is easier to read and understand.

Proposal B will have to be updated every time something changes.


So, at this point I vote for Proposal A.

What do you all think?

Kathleen

[Rob Stradling]

On 20/11/15 00:34, Kathleen Wilson wrote:
> There are two proposals on the table...
>
> Proposal A:

> ~~

> 8. We consider the algorithms and key sizes specified in section 6.1.5
> of version 1.3 or later of the CA/Browser Forum Baseline Requirements
> for the Issuance and Management of Publicly-Trusted Certificates to be
> acceptable and supported in Mozilla products; with the following
> exceptions.
> - Mozilla does not and will not support DSA keys
> - Mozilla does not currently support ECC curve P-521

<snip>

> So, at this point I vote for Proposal A.

+1

> What do you all think?
>
> Kathleen

[Richard Barnes]

On Fri, Nov 20, 2015 at 2:14 AM, Rob Stradling <rob.st...@comodo.com>
wrote:

> On 20/11/15 00:34, Kathleen Wilson wrote:
>
>> There are two proposals on the table...
>>
>> Proposal A:

>> ~~

>> 8. We consider the algorithms and key sizes specified in section 6.1.5
>> of version 1.3 or later of the CA/Browser Forum Baseline Requirements
>> for the Issuance and Management of Publicly-Trusted Certificates to be
>> acceptable and supported in Mozilla products; with the following
>> exceptions.
>> - Mozilla does not and will not support DSA keys
>> - Mozilla does not currently support ECC curve P-521
>>
> <snip>
>
>> So, at this point I vote for Proposal A.
>>
>
> +1
>

+1


>
> What do you all think?
>>
>> Kathleen
>>
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online