Well, let's be clear about one thing: in Firefox land (as in others) there is no such thing as revocation; there is only changing the code. I think what Kathleen is saying is that starting Jan 1, Mozilla would like to take out the code supporting certs with small keys. What needs to be negotiated then is when end-entity cert holders will be prepared for their small keys to no longer work on _future_ versions of Mozilla products. A 1024-bit cert will always work with FF 24, for example. It may or may not work on version 30. If a cert holder is ok with that, I don't think there is really a problem. PKI gymnastics, anyone?
On 11/12/13 22:31, Kathleen Wilson wrote:
<snip>
> According to https://wiki.mozilla.org/CA:MD5and1024
> "All end-entity certificates with RSA key size smaller than 2048 bits
> must expire by the end of 2013.

Kathleen, are you saying that "must expire by the end of 2013" is a "revocation requirement"?

Expiration != Revocation.

Is there actually a requirement that says "By the end of 2013, CAs MUST revoke all unexpired certificates with <2048-bit RSA keys"? If so, where is it written and when was it communicated to the CAs? (If it's not actually written anywhere, then can you actually enforce it?)

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy