DigiCert: SHA-256 hash algorithm used with ECC P-384 key
Categories: CA Program :: CA Certificate Compliance, task
Tracking: Not tracked
People: Reporter: rob, Assigned: brenda.bernal
Details: Whiteboard: [ca-compliance] [ca-misissuance]
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#512-ecdsa says:
"When a root or intermediate certificate's ECDSA key is used to produce a signature, only the following algorithms may be used, and with the following encoding requirements:
...
If the signing key is P-384, the signature MUST use ECDSA with SHA-384."
https://crt.sh/?id=2517734974&opt=zlint,ocsp is signed by a P-384 key, but its signature uses ECDSA with SHA-256. Although this certificate is already revoked, I have not been able to find any incident report.
This appears to be a repeat of Bug #1527423.
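As an added illustration (not part of the bug report, and not DigiCert's, Mozilla's or zlint's code), the following Go program applies the quoted P-384 rule to two constructed self-signed test certificates. The function names and the `constructed-example.invalid` subject are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// violatesP384Rule reports whether cert was signed by a P-384 issuer key with
// anything other than ECDSA with SHA-384. Only the rule quoted above is checked.
func violatesP384Rule(cert *x509.Certificate, issuerKey *ecdsa.PublicKey) bool {
	return issuerKey.Curve.Params().Name == "P-384" && cert.SignatureAlgorithm != x509.ECDSAWithSHA384
}

// issueSample builds a constructed, self-signed test certificate on a fresh P-384 key.
func issueSample(alg x509.SignatureAlgorithm) (*x509.Certificate, *ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "constructed-example.invalid"},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(time.Hour),
		SignatureAlgorithm: alg, // Go signs with the requested hash even if it does not match the curve
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, &key.PublicKey, err
}

func main() {
	for _, alg := range []x509.SignatureAlgorithm{x509.ECDSAWithSHA256, x509.ECDSAWithSHA384} {
		cert, pub, err := issueSample(alg)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%v signed by P-384 key: violation=%v\n", cert.SignatureAlgorithm, violatesP384Rule(cert, pub))
	}
}
```

For a real chain, the public key passed in is the one from the issuing CA certificate rather than from the certificate being checked.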
Comment 1•4 years ago
This is already disclosed in https://bugzilla.mozilla.org/show_bug.cgi?id=1654967.
Please close this as a duplicate bug.
Comment 2•4 years ago
Er, sorry about that, assigned based on e-mail before I saw your update.
Comment 3•4 years ago (Reporter)
Sorry for the noise. It turns out that if I'd delved into Bugzilla's advanced search options a bit more and searched for the crt.sh URL amongst the comments, then I would have found the original bug.