Open Bug 1129077 Opened 9 years ago Updated 2 years ago

Remove support for certificates that use the P-521 curve

Categories: Core :: Security: PSM, defect, P5

Tracking: mozilla38

People: Reporter: briansmith, Unassigned

Whiteboard: [psm-backlog]

Attachments: 1 file

This bug is about the changes to PSM to drop P-521 support. See the discussion in bug 1128792. This is one of the final steps in implementing the cipher suite proposal [1].

Kathleen: The CA policy documents mention "P-512", which doesn't exist, but which was almost definitely intended to refer to P-521. We should remove that reference from the CA policy.

Note that this patch doesn't remove P-521 support from NSS or WebCrypto.

[1] https://briansmith.org/browser-ciphersuites-01.html
[2] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/
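The check this bug asks PSM to make (reject a certificate chain as soon as one EC key sits on a curve outside the P-256/P-384 set) can be illustrated outside Gecko. The following is an added example, not PSM or NSS code: a minimal DER walker that extracts the namedCurve OID from an EC SubjectPublicKeyInfo and applies the policy, returning the NSS error name quoted in the test diff. The curve OIDs are the real RFC 5480 values; the sample keys are constructed inline with dummy point bytes, and the error constant is just a string standing in for the NSS code.

```python
"""Curve policy over a chain's EC public keys (added illustration, not PSM code)."""

# Real OIDs from RFC 5480.
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
CURVE_OIDS = {
    "1.2.840.10045.3.1.7": "prime256v1",  # P-256
    "1.3.132.0.34": "secp384r1",          # P-384
    "1.3.132.0.35": "secp521r1",          # P-521
}
# The policy this bug implements: P-521 is no longer accepted for TLS certificates.
SUPPORTED_CURVES = {"prime256v1", "secp384r1"}
# Stand-in for the NSS error code named in the test diff (string, not the real value).
SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE = "SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE"


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def _tlv(tag, content):
    # DER length: short form below 128, long form otherwise.
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def make_ec_spki(curve_oid, coord_len):
    """Constructed SubjectPublicKeyInfo for an EC key; the point bytes are dummies."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(OID_EC_PUBLIC_KEY))
               + _tlv(0x06, _encode_oid(curve_oid)))
    # BIT STRING: unused-bits byte, then an "uncompressed point" of the right size.
    point = bytes([0x00, 0x04]) + b"\x01" * (2 * coord_len)
    return _tlv(0x30, alg + _tlv(0x03, point))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def named_curve(spki):
    """Curve name of an EC SubjectPublicKeyInfo; None if the key is not EC."""
    tag, outer, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    tag, alg, _ = _read_tlv(outer, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, alg_oid, pos = _read_tlv(alg, 0)
    if tag != 0x06 or _decode_oid(alg_oid) != OID_EC_PUBLIC_KEY:
        return None
    tag, params, _ = _read_tlv(alg, pos)
    if tag != 0x06:  # only namedCurve parameters; explicit/implicit curves are refused
        raise ValueError("only namedCurve parameters are accepted")
    return CURVE_OIDS.get(_decode_oid(params), "unknown")


def check_chain(chain):
    """None if every EC key in the chain is on a supported curve, else the error name."""
    for spki in chain:
        curve = named_curve(spki)
        if curve is not None and curve not in SUPPORTED_CURVES:
            return SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
    return None


if __name__ == "__main__":
    ee, inter, root = (make_ec_spki("1.2.840.10045.3.1.7", 32),
                       make_ec_spki("1.3.132.0.34", 48),
                       make_ec_spki("1.3.132.0.35", 66))
    print("P-256 -> P-384 -> P-521:", check_chain([ee, inter, root]))  # rejected
    print("P-256 -> P-384:", check_chain([ee, inter]))                  # accepted
```

The second call mirrors the positive case the review below asks for: an all-ECC chain that still validates once P-521 is dropped, which shows the rejection is specific to the curve rather than to ECC keys in general.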
Attachment #8558669 - Flags: review?(dkeeler)
Attachment #8558669 - Attachment is patch: true
Attachment #8558669 - Attachment mime type: text/x-patch → text/plain
Comment on attachment 8558669 [details] [diff] [review]
remove-P-521-from-Gecko-TLS.patch

Review of attachment 8558669 [details] [diff] [review]:
-----------------------------------------------------------------

Ok - r=me.

::: security/manager/ssl/tests/unit/test_keysize.js
@@ +92,5 @@
>  function checkECCChains() {
>    checkChain("prime256v1", 256,
>               "secp384r1", 384,
>               "secp521r1", 521,
> +             SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
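Review bot: after this hunk the only chain checkECCChains() builds is the prime256v1 → secp384r1 → secp521r1 one that must now fail with SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE, so the function no longer exercises an ECC chain that is expected to validate. A second checkChain() call over prime256v1 and secp384r1 alone, expecting success, would keep the positive path covered and show that the rejection is specific to P-521 rather than to ECC chains in general.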

With this change, we don't have a successful testcase for a chain consisting entirely of ECC keys - it would be nice to have one.
Attachment #8558669 - Flags: review?(dkeeler) → review+
Comment on attachment 8558669 [details] [diff] [review]
remove-P-521-from-Gecko-TLS.patch

Review of attachment 8558669 [details] [diff] [review]:
-----------------------------------------------------------------

This is a change that has potential compatibility impacts. Please do not land until there has been some public discussion, e.g., on dev.tech.crypto.
Attachment #8558669 - Flags: review+ → review-
Hmm - for some reason I thought there had been some discussion around this. Maybe I'm thinking of the comments in bug 1128792, but it would be good to at least announce this on some mailing lists and see if anyone has any valid concerns. That said, the telemetry data does indicate that this is extremely seldom used. With a script I threw together, it seems there have been 93376331053 hits for ECDSA signatures in handshakes in telemetry. Of these, 14113 used P-521. If these handshakes were uniformly distributed at random among 400 million users, we would expect 60 people to be affected. The compatibility impact will probably be less than almost any other change we've made.
The cipher suite proposal [1] says that the client must list P-256 and P-384 in the supported curves extension in the ClientHello. However, it doesn't say that browsers should only support P-256 and P-384 or that we shouldn't support P-521. Thanks for pointing this out. I agree that it is worth posing to the mailing list. I will do so.

[1] https://briansmith.org/browser-ciphersuites-01
This is a bug worth fixing but I don't have the time to finish this, so unassigning myself.
Assignee: brian → nobody
Status: ASSIGNED → NEW
Severity: normal → S3