On Wednesday 04 June 2008 12:25:32 Kyle Hamilton wrote: > There has been evidence of Microsoft, at the least, following this > group and acting on good ideas that started here. While it'd be nice > if that organization would comment here, I think that if they like > this plan (or anything like this plan) they'll implement it and it'll > end up being a fait accompli.
FYI, Microsoft already require a minimum 2048-bit RSA key size for new Root Certificate submissions. http://www.microsoft.com/technet/archive/security/news/rootcert.mspx?mfr=true says... "Updated: January 22, 2008 ... 4. Root certificates must comply with the Technical Requirements section below. In particular, we require a minimum crypto key size of RSA 2048-bit modulus for any root and all issuing CAs. Microsoft will no longer accept root certificates with RSA 1024-bit modulus of any expiration. We prefer that new roots are valid for at least 8 years from date of submission but expire before the year 2030, especially if they have a 2048-bit RSA modulus." > January 1 2009 particularly because it provides slightly less than 2 > quarters of notice. Honestly, I would be quite happy if it went into > effect immediately; however, I do know that some Cisco VPN equipment > doesn't like 4096-bit root keys. I don't know if it likes 2048-bit > keys. > > I would treat 'new' as 'new request'. > > And I don't know if anyone's tried to submit a 1024-bit root recently. > > -Kyle H > > On Wed, Jun 4, 2008 at 2:14 AM, Gervase Markham <[EMAIL PROTECTED]> wrote: > > Paul Hoffman wrote: > >> Proposal: > >> a) Starting January 1 2009, all new CA roots must be 2048 bit RSA or 256 > >> bit EC. > > > > Why January 1 2009 particularly? > > > > By new, do you mean newly-generated, or new to us? > > > > Has any CA actually attempted to get a recently-generated 1024-bit root > > included? > > > >> b) Starting January 1 2014, all CA roots must be 2048 bit RSA or 256 bit > >> EC. > > > > It would make most sense to coordinate such a policy with other browser > > vendors, if possible. > > > > Gerv > > _______________________________________________ > > dev-tech-crypto mailing list > > dev-tech-crypto@lists.mozilla.org > > https://lists.mozilla.org/listinfo/dev-tech-crypto > > _______________________________________________ > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto -- Rob Stradling Senior Research & Development Scientist Comodo - Creating Trust Online Office Tel: +44.(0)1274.730505 Fax Europe: +44.(0)1274.730909 www.comodo.com Comodo CA Limited, Registered in England No. 04058690 Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by Comodo for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto