Open clintwilson opened 4 months ago
Thank you @clintwilson!
I suppose that the logic currently is...
if key in allowed {
return PASS
} else {
return FAIL
}
...when it should be a bit more nuanced and warn
that you are using keys that are allowed, but that may not work...
if key in allowed {
return PASS
} else if key in unsupported {
return WARN
} else {
return FAIL
}
Do you believe that this would be a more accurate lint?
e_mp_ecdsa_pub_key_encoding_correct and e_mp_ecdsa_signature_encoding_correct are (I believe) written based on the Mozilla Root Program Policy prohibiting P-521 keys, but this policy does not actually currently prohibit P-521 per Section 5.1:
Unfortunately this does somewhat conflict with the statement preceding this:
However, based on discussions with Mozilla and their Issue 281 it seems absolutely clear that the intent is not to restrict certificates using P-521 curve from existing. Thus, I believe the above referenced lints can be removed -- however if they're doing more than checking for compliance with this section of the Mozilla policy, then they may instead warrant adjustment rather than removal.
Related Issues: #354 #355 #358