All,

There are a few cases where customers are asking CAs for more time to transition off of their 1024-bit certificates.

According to the Baseline Requirements, 1024-bit Subscriber Certificates are supposed to be no longer valid by 31 Dec 2013.

According to https://wiki.mozilla.org/CA:MD5and1024
"All end-entity certificates with RSA key size smaller than 2048 bits must expire by the end of 2013. Under no circumstances should any party expect continued support for RSA key size smaller than 2048 bits past December 31, 2013. This date could get moved up substantially if necessary to keep our users safe. We recommend all parties involved in secure transactions on the web move away from 1024-bit moduli as soon as possible."

According to http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/ "We consider the following algorithms and key sizes to be acceptable and supported in Mozilla products: ...
    RSA 1024 bits (only until December 31, 2013)."
Starting a few months ago, CAs began contacting me with their concerns about meeting this deadline, and needing a little bit longer for customers to complete their transitions.

I understand that this is not fair to the CAs who have done a great job of transitioning off of 1024-bit certs. But I also understand some of the timing issues that CAs' customers are running into.

We have not yet made the code change to prohibit 1024-bit certs, so for Mozilla this is a question of policy.

I am inclined to grant more time to CAs for customers who are working hard to transition off of 1024-bit certs, but need a little more time to complete their transition.

Rather than creating another date for folks to complete their transitions off of 1024-bit certs, I think I'd prefer to handle time extensions on a case-by-case basis.

I'll appreciate your constructive input on this.

Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy