On Oct 6, 2010, at 10:48 AM, Victor Duchovni wrote:

> On Wed, Oct 06, 2010 at 04:52:46PM +1300, Peter Gutmann wrote:
> 
>> From https://wiki.mozilla.org/CA:MD5and1024:
>> 
>>  December 31, 2010 - CAs should stop issuing intermediate and end-entity
>>  certificates from roots with RSA key sizes smaller than 2048 bits [0]. All
>>  CAs should stop issuing intermediate and end-entity certificates with RSA
>>  key size smaller than 2048 bits under any root.
>> 
>> [...]
>> 
>> [0] This is ambiguously worded, but it's talking about key sizes in EE certs.
> 
> What are "EE certs", did you mean "EV"?

EE = End Entity, but I don't read the first sentence the way Peter did. I parse 
it as

>> CAs should stop issuing (intermediate and end-entity
>> certificates) from (roots with RSA key sizes smaller than 2048 bits).

That is, if your CA key size is smaller, stop signing with it.

Of course, if it's important to stop signing with it, it's equally important to 
revoke all signatures already made.
