commit 347ada71cc7c6cae7e38a74360bd8434c4f31405
author Gilles Peskine <Gilles.Peskine@arm.com> Mon Jun 07 21:24:26 2021 +0200
committer Gilles Peskine <Gilles.Peskine@arm.com> Mon Jun 07 21:30:15 2021 +0200
tree 6143bbc6411bb9f5bf26e130bcd7fc95556152a0
parent 806281a663e41af88c95581a2403fbbecd3f6624

Document more precisely what goes into the default profile

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

include/mbedtls/x509_crt.h

diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index c38e0c0..30da190 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -229,12 +229,21 @@
 /**
  * Default security profile. Should provide a good balance between security
  * and compatibility with current deployments.
+ *
+ * This profile permits:
+ * - SHA2 hashes.
+ * - All supported elliptic curves.
+ * - RSA with 2048 bits and above.
+ *
+ * New minor versions of Mbed TLS may extend this profile, for example if
+ * new curves are added to the library. New minor versions of Mbed TLS will
+ * not reduce this profile unless serious security concerns require it.
  */
 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default;
 
 /**
  * Expected next default profile. Recommended for new deployments.
- * Currently targets a 128-bit security level, except for RSA-2048.
+ * Currently targets a 128-bit security level, except for allowing RSA-2048.
  */
 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next;