On Wed, Oct 06, 2010 at 01:32:00PM -0500, Matt Crawford wrote:
>
> That is, if your CA key size is smaller, stop signing with it.

You may have missed the next sentence of Mozilla's statement:

> All CAs should stop issuing intermediate and end-entity certificates with
> RSA key size smaller than 2048 bits under any root.

That is, no matter how long your root key is (the previous sentence stated the requirements about _that_) you may not use it to sign any end-entity certificate whose key size is < 2048 bits.

Gun: check. Bullets: check. Feet: check. Now they have everything they need to prevent HTTPS Everywhere.

Thor

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com