One suggestion for a future revision of the CA Cert Policy is that we should specify minimum key sizes, either just for roots or for roots, intermediates and end entity certificates. The exact restrictions would need to be discussed, but doubtless we would take into account the views of our crypto team and advice from places like NIST.

Gerv
Mozilla does not usually pre-install intermediate or site certificates into its products. Thus, if the policy does indeed address intermediate or site certificates, the policy must then make clear what happens when such certificates fail to comply with the minimum key size. For example, will Mozilla products fail to establish a secure session with a non-compliant key? Or will the products merely refuse to import such certificates into their databases?
Assignee: gerv → nobody
Discussion of this sort of thing now happens in mozilla.dev.security.policy, and documents are prepared on the wiki. So this information has been moved to: https://wiki.mozilla.org/CA:Problematic_Practices which seems the right sort of place for it to be if it's going to be taken into account for future policy revisions. There's no good resolution to use; INVALID will have to do.

Gerv
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INVALID