Closed Bug 724038 Opened 12 years ago Closed 11 years ago

2048-bit primes are now valid for DSA certificates

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
trivial

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wtc, Assigned: kathleen.a.wilson)

Details

In Mozilla CA Certificate Inclusion Policy (Version 2.0)
(http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html),
Section 4, the following examples of certificate problems are listed:

    * ASN.1 DER encoding errors;
    * invalid public keys (e.g., DSA certificates with 2048-bit primes, or RSA certificates with public exponent equal to 1);
    * duplicate issuer names and serial numbers;
    ...

I suggest that "DSA certificates with 2048-bit primes" be removed from
the second bullet item.

In FIPS 186-2, DSA primes must be 512 ~ 1024 bits long, so 2048-bit primes
are invalid.

But in FIPS 186-3, DSA primes must be 1024, 2048, or 3072 bits long.  So
under the new standard, 2048-bit primes are valid for DSA certificates,
even though NSS doesn't support them yet.

Note: FIPS 186-2 and 186-3 mean the second and the third revision of FIPS 186.

So it is now wrong to call such DSA public keys with 2048-bit primes "invalid".
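Added example, not part of this bug report or of NSS or the policy text: a standard-library-only Python check that pulls the DSA domain parameters (p, q) out of a DER-encoded SubjectPublicKeyInfo and reports whether the (L, N) sizes are permitted by FIPS 186-2 (L a multiple of 64 from 512 to 1024, N = 160) and by FIPS 186-3 (L/N pairs 1024/160, 2048/224, 2048/256, 3072/256). The sample keys are constructed in the block with placeholder integers of the right bit lengths (they are not primes and carry no real key material); the helper names are this example's own.

```python
"""Classify the DSA parameter sizes carried in a certificate's
SubjectPublicKeyInfo against FIPS 186-2 and FIPS 186-3.

Added example, not code from the bug, NSS or Mozilla's policy.
Only the tag/length/value subset of DER needed for SPKI is handled.
"""

# id-dsa OID 1.2.840.10040.4.1, DER content octets
ID_DSA = bytes.fromhex("2a8648ce380401")

# FIPS 186-3 permits exactly these (L, N) pairs.
FIPS_186_3_PAIRS = {(1024, 160), (2048, 224), (2048, 256), (3072, 256)}


def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_int(v):
    """DER INTEGER for a non-negative value (minimal, sign bit clear)."""
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    while len(b) > 1 and b[0] == 0 and b[1] < 0x80:
        b = b[1:]
    return der_tlv(0x02, b)


def der_read(buf, pos=0):
    """Return (tag, body, next_pos) for the single-byte-tag TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    """Split a SEQUENCE body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out


def dsa_sizes_from_spki(spki):
    """Return (L, N): bit lengths of p and q from a DSA SubjectPublicKeyInfo."""
    tag, body, _ = der_read(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg, _subject_public_key = der_children(body)
    oid, params = der_children(alg[1])
    if oid != (0x06, ID_DSA):
        raise ValueError("not a DSA key (algorithm OID is not id-dsa)")
    fields = der_children(params[1])
    if len(fields) != 3:
        raise ValueError("Dss-Parms must contain p, q, g")
    p, q, _g = (int.from_bytes(v, "big") for _t, v in fields)
    return p.bit_length(), q.bit_length()


def fips_status(L, N):
    """Return (valid_under_186_2, valid_under_186_3) for DSA sizes L and N."""
    ok_186_2 = 512 <= L <= 1024 and L % 64 == 0 and N == 160
    ok_186_3 = (L, N) in FIPS_186_3_PAIRS
    return ok_186_2, ok_186_3


def build_dsa_spki(p, q, g, y):
    """Encode a DSA SubjectPublicKeyInfo (for constructing test inputs)."""
    params = der_tlv(0x30, der_int(p) + der_int(q) + der_int(g))
    alg = der_tlv(0x30, der_tlv(0x06, ID_DSA) + params)
    pubkey = der_tlv(0x03, b"\x00" + der_int(y))  # BIT STRING, 0 unused bits
    return der_tlv(0x30, alg + pubkey)


def constructed_spki(L, N):
    """Constructed placeholder SPKI with L-bit p and N-bit q (not real primes)."""
    return build_dsa_spki((1 << (L - 1)) | 1, (1 << (N - 1)) | 1, 2, 3)


def classify_spki(spki):
    """Human-readable verdict in the terms the policy discussion uses."""
    L, N = dsa_sizes_from_spki(spki)
    ok2, ok3 = fips_status(L, N)
    return f"L={L} N={N}: FIPS 186-2 {'valid' if ok2 else 'invalid'}, " \
           f"FIPS 186-3 {'valid' if ok3 else 'invalid'}"


if __name__ == "__main__":
    for L, N in [(1024, 160), (2048, 256), (2048, 160), (3072, 256)]:
        print(classify_spki(constructed_spki(L, N)))
```

A 2048-bit p is reported invalid under FIPS 186-2 and valid under FIPS 186-3 only when paired with a 224- or 256-bit q; a 2048/160 key satisfies neither revision, which is the kind of case a per-revision check catches where a bare "2048-bit primes are invalid" rule would not.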
Thanks for pointing this out.

I have updated 
https://www.mozilla.org/projects/security/certs/policy/WorkInProgress/InclusionPolicy.html
to indicate that this text should be removed...

DELETE (bug #724038): , DSA certificates with 2048-bit primes, or

means that the text in bold should be deleted as per this bug.
Status: NEW → ASSIGNED
Fixed in http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program