Automated insertion of ECDSA allow list?

It looks like the ECDSA allow list is currently a manual process, but as it takes some time, would it be possible to automate adding accounts as ECDSA-allowed when an account meets some criteria?
Like accounts registered with the email ecdsa+username@domain.com (this will be sent to the inbox username@domain.com) being automatically inserted into the ECDSA allow list, or, if a completely static code path is wanted, it could be processed as if it's in the allow list when the account key is an RSA key that uses an unusual but secure parameter, like e=65539. Not sure standard EC keys have this kind of free parameter to set.

4 Likes
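The two opt-in signals proposed in the post (a plus-addressed contact e-mail, or an RSA account key with the unusual public exponent 65539) can be sketched as a check over an ACME account's contact and its JWK-encoded account key. The code below is an added illustration written for this thread, not Boulder's or Let's Encrypt's code; it assumes the account key is available as a JWK dict (as ACME represents account keys), uses the marker exponent 65539 and the `ecdsa+` tag exactly as the post describes them, and builds its own constructed sample keys (not real key material) inline.

```python
import base64
import re

# Signals proposed in the post (hypothetical; not something Let's Encrypt deployed):
# a plus-addressed contact e-mail tag, or an RSA key with public exponent 65539.
CONTACT_TAG_RE = re.compile(r"^ecdsa\+[^@\s]+@[^@\s]+$", re.IGNORECASE)
MARKER_EXPONENT = 65539  # hypothetical marker value taken from the post; 65537 is the usual default


def b64url_to_int(s: str) -> int:
    """Decode a base64url big-endian unsigned integer (JWK 'n' / 'e' encoding)."""
    s += "=" * (-len(s) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(s), "big")


def int_to_b64url(i: int) -> str:
    """Inverse of b64url_to_int; used here only to build the constructed sample keys."""
    raw = i.to_bytes((i.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def describe_key(jwk: dict) -> str:
    """Summarise the account key type: EC keys expose only a curve, RSA keys n and e."""
    kty = jwk.get("kty")
    if kty == "EC":
        return "EC/" + str(jwk.get("crv"))
    if kty == "RSA":
        bits = b64url_to_int(jwk["n"]).bit_length()
        return f"RSA-{bits}/e={b64url_to_int(jwk['e'])}"
    return "unknown/" + str(kty)


def allow_list_eligible(contact: str, jwk: dict) -> tuple[bool, str]:
    """Return (eligible, reason) under the two opt-in signals proposed in the post."""
    if contact.lower().startswith("mailto:"):
        contact = contact[len("mailto:"):]
    if CONTACT_TAG_RE.match(contact):
        return True, "contact e-mail carries the ecdsa+ tag"
    if jwk.get("kty") == "RSA" and b64url_to_int(jwk["e"]) == MARKER_EXPONENT:
        return True, f"RSA account key uses marker exponent e={MARKER_EXPONENT}"
    if jwk.get("kty") == "EC":
        # An EC key's only parameter is its named curve; there is no spare field
        # to carry an opt-in signal, which is the limitation the post points at.
        return False, "EC key has no free parameter; no opt-in signal present"
    return False, "no opt-in signal present"


# Constructed sample account keys (not real keys). The modulus (1 << 2047) | 1 is
# a stand-in whose bit_length() is 2048, enough for describe_key() to report it.
FAKE_MODULUS = int_to_b64url((1 << 2047) | 1)
RSA_DEFAULT = {"kty": "RSA", "n": FAKE_MODULUS, "e": int_to_b64url(65537)}  # e encodes as "AQAB"
RSA_MARKER = {"kty": "RSA", "n": FAKE_MODULUS, "e": int_to_b64url(65539)}   # e encodes as "AQAD"
EC_P256 = {"kty": "EC", "crv": "P-256", "x": "placeholder", "y": "placeholder"}

if __name__ == "__main__":
    for contact, jwk in [("mailto:ecdsa+alice@example.com", RSA_DEFAULT),
                         ("mailto:bob@example.com", RSA_MARKER),
                         ("mailto:carol@example.com", EC_P256)]:
        ok, why = allow_list_eligible(contact, jwk)
        print(f"{contact:34} {describe_key(jwk):18} eligible={ok} ({why})")
```

Two caveats a reviewer of such a scheme would raise: plus-addressing depends on the mail provider honouring it, and both signals are chosen freely by the registrant, so they work as an opt-in hint only, never as a control on who may obtain a certificate. The EC branch also makes the post's closing doubt concrete: a P-256 or P-384 JWK carries nothing but its curve and coordinates, so the RSA-exponent trick has no EC counterpart.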

We're sticking with the manual process for now, but hope to remove the allow-list entirely and open up ECDSA issuance for everyone in the near future.

9 Likes

@aarongable May I ask what kind of "checklist" there is before you can open up ECDSA issuance for everybody? Just being curious here.

6 Likes

I believe by making this opt-in initially they want to ensure that:

  • There are no issues with ECDSA issuance, e.g. no large-scale bugs in Boulder, and client implementations that work correctly (with ECC)
  • ISRG Root X2 reaches (most) root programs. For example, Mozilla is currently blocked at waiting for discussion.

6 Likes

In addition to the above, we're trying to be careful to not rock the boat by changing too many things at the same time. In particular, we'd like to get past the DST Root CA X3 expiration in September and ensure that that goes smoothly before making other sweeping changes.

10 Likes