x509/policy: add WebPKI permitted algorithms #9548
Conversation
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
|
xref https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf pages 97 ff. for the canonical encodings here. |
facutuesca
force-pushed
the
tob-webpki-permitted
branch
from
ac2c634
to
3dcc8a7
Compare
|
|
||
| /// Permitted algorithms, from CA/B Forum's Baseline Requirements, section 7.1.3.2 (pages 96-98) | ||
| /// https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf | ||
| pub static WEBPKI_PERMITTED_ALGORITHMS: Lazy<HashSet<AlgorithmIdentifier<'_>>> = Lazy::new(|| { |
There was a problem hiding this comment.
How do you envision this being used?
There was a problem hiding this comment.
I envisoned it as part of the algorithms restriction functionality added with #9405: https://github.com/pyca/cryptography/pull/9405/files#diff-b15c4ba048c4bbef3e3e40afef6eaf31c7edcdd7d46627cb470c3c8db684a040R223-R254
There was a problem hiding this comment.
Ok we might need to take a step back here, because when we spoke I think we agreed to move away from the profiles idea, so I'm struggling a bit to understand how the pieces fit together here.
There was a problem hiding this comment.
Yeah, there are no more profiles in the current design -- there's only one "policy," and in our last discussion we came to the conclusion (IIRC) that the right way to offer configurability here was to allow "helper" instantiations like Policy::webpki() that pre-fill the things that would otherwise go under a full "profile."
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
This is another breakout from #8873 and #9405.
WIP while we work out some unexpected encodings.CC @facutuesca to take over.