All,

It has been brought to my attention that there is a discrepancy between
Mozilla policy and the Baseline Requirements regarding 1024-bit root certs.

https://wiki.mozilla.org/CA:MD5and1024
"December 31, 2013 – Soon after this date, Mozilla will disable the SSL
and Code Signing trust bits for root certificates with RSA key sizes
smaller than 2048 bits. If those root certificates are no longer needed
for S/MIME, then Mozilla will remove them from NSS."

Baseline Requirements Appendix A:
"** A Root CA Certificate issued prior to 31 Dec. 2010 with an RSA key
size less than 2048 bits MAY still serve as a trust anchor for
Subscriber Certificates issued in accordance with these Requirements."

Should we allow 1024-bit roots to continue to be enabled for SSL, as
long as the certs issued in their hierarchy are in compliance with the BRs?

Kathleen
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy