Closed Bug 1664325 Opened 4 years ago Closed 4 years ago

DigiCert: SHA-256 hash algorithm used with ECC P-384 key

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1654967

People

(Reporter: rob, Assigned: brenda.bernal)

Details

(Whiteboard: [ca-compliance] [ca-misissuance])

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#512-ecdsa says:
"When a root or intermediate certificate's ECDSA key is used to produce a signature, only the following algorithms may be used, and with the following encoding requirements:
...
If the signing key is P-384, the signature MUST use ECDSA with SHA-384."

https://crt.sh/?id=2517734974&opt=zlint,ocsp is signed by a P-384 key, but its signature uses ECDSA with SHA-256. Although this certificate is already revoked, I have not been able to find any incident report.

This appears to be a repeat of Bug #1527423.
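The curve/hash pairing rule quoted in the report can be checked mechanically. The following is an added example, not part of the original report and not Mozilla's, DigiCert's or crt.sh's code: a standard-library DER walker that compares a certificate's outer signatureAlgorithm with the issuer key's curve. The function names and the constructed DER skeletons are assumptions made for illustration, and the P-256 pairing comes from the same policy section rather than from the text quoted on this page.

```python
# Added example: the inputs at the bottom are constructed DER skeletons, not real certificates.
ECDSA_SHA256, ECDSA_SHA384 = "1.2.840.10045.4.3.2", "1.2.840.10045.4.3.3"
REQUIRED = {"1.2.840.10045.3.1.7": ECDSA_SHA256,  # issuer key on P-256
            "1.3.132.0.34": ECDSA_SHA384}         # issuer key on P-384

def read_tlv(buf, pos=0):
    # Return (tag, content, next_pos) for the DER element starting at pos.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    # Contents of each element inside a constructed value, in order.
    out, pos = [], 0
    while pos < len(content):
        _, body, pos = read_tlv(content, pos)
        out.append(body)
    return out

def oid_str(body):
    # Decode OID content bytes (base-128 arcs) to dotted notation.
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def cert_sig_alg(cert_der):
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    return oid_str(children(children(read_tlv(cert_der)[1])[1])[0])

def issuer_curve(spki_der):
    # SubjectPublicKeyInfo ::= SEQUENCE { { id-ecPublicKey, namedCurve }, publicKey }
    return oid_str(children(children(read_tlv(spki_der)[1])[0])[1])

def compliant(cert_der, issuer_spki_der):
    # Curves missing from REQUIRED map to None and are reported as non-compliant.
    return REQUIRED.get(issuer_curve(issuer_spki_der)) == cert_sig_alg(cert_der)

# Constructed inputs: empty tbsCertificate and dummy key/signature bits.
P384_SPKI = bytes.fromhex("30163010" "06072a8648ce3d0201" "06052b81040022" "03020000")
CERT_SHA256 = bytes.fromhex("3012" "3000" "300a" "06082a8648ce3d040302" "03020000")
CERT_SHA384 = bytes.fromhex("3012" "3000" "300a" "06082a8648ce3d040303" "03020000")
```

`compliant(CERT_SHA256, P384_SPKI)` returns `False`, which is the combination this bug reports; the check reads the issuer's SubjectPublicKeyInfo, because the rule is keyed on the signing key and not on the key inside the certificate being examined.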

Whiteboard: [ca-compliance]

This is already disclosed in https://bugzilla.mozilla.org/show_bug.cgi?id=1654967.

Please close this as a duplicate bug.

Assignee: bwilson → brenda.bernal
Status: NEW → ASSIGNED

Er, sorry about that, assigned based on e-mail before I saw your update.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE

Sorry for the noise. It turns out that if I'd delved into Bugzilla's advanced search options a bit more and searched for the crt.sh URL amongst the comments, then I would have found the original bug.

Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ca-misissuance]