[cabfpub] Fwd: Re: Proposal to add DSA 2048

Rick Andrews Rick_Andrews at symantec.com
Mon Mar 11 17:49:49 UTC 2013


Thanks for pointing this out. We don't support the "inheritance" of parameters - each cert in the chain needs to carry its own parameters. It makes the certs big, but avoids this potential problem.

-Rick

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Adam Langley
> Sent: Monday, March 11, 2013 7:11 AM
> To: Erwann Abalea
> Cc: CABFPub
> Subject: Re: [cabfpub] Fwd: Re: Proposal to add DSA 2048
> 
> On Mon, Mar 11, 2013 at 6:32 AM, Erwann Abalea
> <erwann.abalea at keynectis.com> wrote:
> > It may be worth mentioning one other thing beyond Erwann's summary
> about DSA keys that is unlike RSA: that only part of the public key may
> be specified in the certificate, and it is expected to inherit the
> missing parameters from the parent certificate (or fail).  This is an
> odd sharp edge that came up in Public Key Pinning - and I'm sure it
> will cause some applications somewhere to crash ;)
> 
> I haven't seen Symantec's DSA certificates yet, but I very much hope
> that they don't do this. As I recall, this behaviour may be tested by
> PKITS and so may actually be supported in some certificate
> verification libraries. Nonetheless, the world will be a simpler and
> better place if this corner of PKIX never sees the light of day. (And
> that hope may end up being expressed in code.)
> 
> 
> Cheers
> 
> AGL
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
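The corner of PKIX discussed above, as an added example that is not part of the thread and is not Symantec's or Google's code: RFC 3279 lets a DSA SubjectPublicKeyInfo omit its Dss-Parms (p, q, g), and RFC 5280 section 6.1.4 steps (c) to (e) say how a path validator fills them in, taking the issuer's working parameters when the algorithm matches and setting them to null (so the key is unusable) when it does not. The code below implements that rule over a list of SubjectPublicKeyInfo blobs with a minimal stdlib-only DER encoder and reader. The integers standing in for p, q, g and y are constructed toy values, not a real DSA group, and the function and constant names are this example's own. The three sample chains correspond to a chain where every certificate carries its own parameters, the inheritance case, and the "or fail" case where the issuer key is RSA.

```python
# Added example (not from the thread or any CA's code): the RFC 5280 section 6.1.4
# (steps c-e) rule for a DSA SubjectPublicKeyInfo that omits its p, q, g parameters.
DSA_OID = "1.2.840.10040.4.1"     # id-dsa (RFC 3279)
RSA_OID = "1.2.840.113549.1.1.1"  # rsaEncryption (RFC 3279)

# --- minimal DER encoder, used only to build the constructed samples below ---
def tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body

def der_int(v):
    # (bit_length + 8) // 8 leaves a leading 0x00 whenever the top bit is set
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    arcs = [int(x) for x in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunk)
    return tlv(0x06, body)

def der_seq(*items):
    return tlv(0x30, b"".join(items))

# --- minimal DER reader ---
def der_read(buf, pos=0):
    """Return (tag, contents, position after this TLV)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def parse_spki(spki):
    """Return (algorithm OID, raw parameters TLV or None, key bytes); NULL counts as absent."""
    _, body, _ = der_read(spki)
    _, alg, pos = der_read(body)
    _, oid, p2 = der_read(alg)
    params = alg[p2:] if p2 < len(alg) and alg[p2] != 0x05 else None
    _, key, _ = der_read(body, pos)
    return decode_oid(oid), params, key[1:]  # drop the BIT STRING unused-bits octet

def dsa_params(params_der):
    """Decode Dss-Parms ::= SEQUENCE { p, q, g } into integers."""
    _, body, _ = der_read(params_der)
    vals, pos = [], 0
    while pos < len(body):
        _, v, pos = der_read(body, pos)
        vals.append(int.from_bytes(v, "big"))
    return tuple(vals)

def resolve_chain(chain):
    """chain: SubjectPublicKeyInfo blobs, trust anchor first. Returns the effective
    (OID, parameters TLV) per cert; raises ValueError when a DSA key omits parameters
    and none can be inherited (the 'or fail' case)."""
    working_alg, working_params, out = None, None, []
    for i, spki in enumerate(chain):
        oid, params, _ = parse_spki(spki)
        if params is not None:
            working_params = params     # step (d): explicit parameters win
        elif oid != working_alg:
            working_params = None       # step (d): issuer key used another algorithm
        working_alg = oid               # step (e)
        if oid == DSA_OID and working_params is None:
            raise ValueError(f"cert {i}: DSA key without parameters and nothing to inherit")
        out.append((oid, working_params))
    return out

# --- constructed sample data: toy integers, NOT a valid DSA group ---
P, Q, G, Y = 0xD8C3, 0xB1, 0x2E, 0x1A2B
DSA_PARAMS = der_seq(der_int(P), der_int(Q), der_int(G))

def dsa_spki(with_params):
    alg = [der_oid(DSA_OID)] + ([DSA_PARAMS] if with_params else [])
    return der_seq(der_seq(*alg), tlv(0x03, b"\x00" + der_int(Y)))

RSA_SPKI = der_seq(der_seq(der_oid(RSA_OID), b"\x05\x00"),
                   tlv(0x03, b"\x00" + der_seq(der_int(0xC0FFEE), der_int(65537))))

FULL_CHAIN = [dsa_spki(True), dsa_spki(True), dsa_spki(True)]       # every cert carries p, q, g
INHERIT_CHAIN = [dsa_spki(True), dsa_spki(False), dsa_spki(False)]  # the PKIX inheritance corner
BROKEN_CHAIN = [RSA_SPKI, dsa_spki(False)]                          # nothing to inherit from

if __name__ == "__main__":
    for name, chain in [("full", FULL_CHAIN), ("inherit", INHERIT_CHAIN), ("broken", BROKEN_CHAIN)]:
        try:
            print(name, [dsa_params(p) if o == DSA_OID else o for o, p in resolve_chain(chain)])
        except ValueError as e:
            print(name, "FAILED:", e)
```

FULL_CHAIN is the shape a CA gets by putting the parameters in every certificate: each key is usable on its own, at the cost of an extra SEQUENCE of three large INTEGERs per certificate. INHERIT_CHAIN only validates in a library that implements step (d) of section 6.1.4; a library that merely tries to load the leaf key in isolation sees a DSA key with no group and fails. BROKEN_CHAIN fails under the RFC's own rule, since an RSA issuer has no DSA parameters to pass down.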


