
Define accepted log public keys

Open sleevi opened this issue 5 years ago • 2 comments

The Chromium implementation of CT is limited in support of public keys to the set of public keys it accepts for the Web PKI:

  • RSA (nominally, 2048, 3072, 4096)
  • ECC using NIST P-256, P-384

The Chromium implementation does not explicitly support Curve25519, although it could, and does not support other forms of EC keys.

sleevi avatar Feb 18 '20 12:02 sleevi

We also need to check what key algs our compliance monitoring infrastructure supports to provide the minimal set of supportable key types.

devonobrien avatar Feb 18 '20 12:02 devonobrien

Also of note is Section 2.1.4 of RFC 6962, which states:

Various data structures are signed. A log MUST use either elliptic curve signatures using the NIST P-256 curve (Section D.1.2.3 of the Digital Signature Standard [DSS]) or RSA signatures (RSASSA-PKCS1-V1_5 with SHA-256, Section 8.2 of [RFC3447]) using a key of at least 2048 bits.

devonobrien avatar Feb 18 '20 14:02 devonobrien
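The two constraints discussed in this thread (the key types the Chromium CT implementation accepts, and the narrower set RFC 6962 section 2.1.4 mandates) can be checked mechanically against a log's published public key. The following is an added example written for this page; it is not Chromium's code and not part of the certificate-transparency project. It assumes the log key is supplied as the base64-encoded DER SubjectPublicKeyInfo that log lists publish, takes the thresholds (RSA at least 2048 bits; ECDSA on P-256 or P-384) from the issue text rather than from Chromium's source, and uses Ed25519 as the concrete stand-in for a Curve25519-based key. The sample keys are freshly generated in the block, not real log keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// CheckLogKey classifies a CT log public key, given as the base64-encoded DER
// SubjectPublicKeyInfo that log lists publish, against the key set described in
// the issue: RSA of at least 2048 bits, or ECDSA on NIST P-256 or P-384.
// It returns a short algorithm label, or an error explaining why the key would
// be rejected. The thresholds are an assumption taken from the issue text.
func CheckLogKey(b64 string) (string, error) {
	der, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", fmt.Errorf("log key is not valid base64: %w", err)
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return "", fmt.Errorf("log key is not a DER SubjectPublicKeyInfo: %w", err)
	}
	switch k := pub.(type) {
	case *rsa.PublicKey:
		bits := k.N.BitLen()
		if bits < 2048 {
			return "", fmt.Errorf("RSA key too small: %d bits (minimum 2048)", bits)
		}
		return fmt.Sprintf("RSA-%d", bits), nil
	case *ecdsa.PublicKey:
		switch k.Curve {
		case elliptic.P256():
			return "ECDSA-P256", nil
		case elliptic.P384():
			return "ECDSA-P384", nil
		}
		return "", fmt.Errorf("unsupported EC curve %s", k.Curve.Params().Name)
	default:
		// Ed25519 (Curve25519-based) and any other key type ends up here.
		return "", fmt.Errorf("unsupported key type %T", pub)
	}
}

// MeetsRFC6962 reports whether a label from CheckLogKey is also inside the
// narrower set RFC 6962 section 2.1.4 mandates: P-256 or RSA >= 2048 only
// (the RSA size floor is already enforced by CheckLogKey). The SHA-256 hash is
// a property of the signature, not of the key, so it cannot be checked here.
func MeetsRFC6962(label string) bool {
	return label == "ECDSA-P256" || strings.HasPrefix(label, "RSA-")
}

// SampleKeys generates constructed keys of each kind and encodes them the way
// a log list would. These are throwaway keys, not real CT log keys.
func SampleKeys() map[string]string {
	encode := func(pub any) string {
		der, err := x509.MarshalPKIXPublicKey(pub)
		if err != nil {
			panic(err)
		}
		return base64.StdEncoding.EncodeToString(der)
	}
	p256, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	p384, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	p521, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	rsa2048, _ := rsa.GenerateKey(rand.Reader, 2048)
	rsa1024, _ := rsa.GenerateKey(rand.Reader, 1024) // deliberately below the floor
	edPub, _, _ := ed25519.GenerateKey(rand.Reader)
	return map[string]string{
		"p256":    encode(&p256.PublicKey),
		"p384":    encode(&p384.PublicKey),
		"p521":    encode(&p521.PublicKey),
		"rsa2048": encode(&rsa2048.PublicKey),
		"rsa1024": encode(&rsa1024.PublicKey),
		"ed25519": encode(edPub),
	}
}

func main() {
	for name, key := range SampleKeys() {
		label, err := CheckLogKey(key)
		if err != nil {
			fmt.Printf("%-8s rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-8s accepted as %s (within RFC 6962 set: %v)\n", name, label, MeetsRFC6962(label))
	}
}
```

Running it prints one line per sample key: P-256, P-384 and RSA-2048 are accepted, with only the first and last also inside the RFC 6962 set, while P-521, RSA-1024 and Ed25519 are rejected with a reason. The same function can be pointed at every entry of a log list to confirm that a monitor or client will be able to verify the log's signatures before the log is trusted.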