On Wed, Oct 06, 2010 at 01:32:00PM -0500, Matt Crawford wrote:
>
> That is, if your CA key size is smaller, stop signing with it.
You may have missed the next sentence of Mozilla's statement:
> All CAs should stop issuing intermediate and end-entity certificates with
> RSA key size smaller than 2048 bits under any root.
That is, no matter how long your root key is (the previous sentence
stated the requirements about _that_) you may not use it to sign any
end-entity certificate whose key size is < 2048 bits.
Gun: check.
Bullets: check.
Feet: check.
Now they have everything they need to prevent HTTPS Everywhere.
Thor
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
