On 12/11/13 2:55 PM, Gervase Markham wrote:
On 11/12/13 14:31, Kathleen Wilson wrote:
There are a few cases where customers are asking CAs for more time to
transition off of their 1024-bit certificates.

What exactly are CAs asking for? Are they asking for permission to
continue issuing such certs? Or are they asking for permission to "not
revoke" such certs?

They are asking for permission to "not revoke" such certs.



Are the certs concerned ones which are in environments where the servers
using them would be accessed by a consumer web browser?

According to the Baseline Requirements, 1024-bit Subscriber Certificates
are supposed to be no longer valid by 31 Dec 2013.

Correct, but the effective date of the BRs was 01-Jul-12...



So such CAs would fail a BR audit if one were to take place between 31st
Dec 2013 and the time when those certs expire or are revoked?

Yes.

https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Baseline_Requirements
"The first BR audit for each CA and subCA may include a reasonable list of BRs that the CA (or subCA) is not yet in compliance with. The second BR audit (the following year) is expected to confirm that the issues that were listed in the previous BR audit have been resolved."



Starting a few months ago, CAs began contacting me with their concerns
about meeting this deadline, and needing a little bit longer for
customers to complete their transitions.

Are we able to say roughly how many CAs are involved? And of those CAs,
how many customers have problems? And for those customers, how many
certs are involved?


Well, I received an influx of emails from CAs as soon as I posted this. I thought it was 3 or 4 CAs that would need longer, but now it looks like more.

From Jeremy:
If you are granting more time, I have a whole bunch of customers who are not happy about the 2013 cutoff. Extending it for some CAs is patently unfair to those of us who have taken a hard stance on the deadline and not requested extensions of time. If you are granting some CAs an extension, you'll probably get a lot more requests from the rest of us.


Good point. So, if we are going to grant any extended timelines, we should set another date.

The dates I've heard cluster around the May 2014 time frame.


From Rob:
Kathleen, are you saying that "must expire by the end of 2013" is a "revocation requirement"?

Expiration != Revocation.

Is there actually a requirement that says "By the end of 2013, CAs MUST revoke all unexpired certificates with <2048-bit RSA keys"? If so, where is it written and when was it communicated to the CAs?

(If it's not actually written anywhere, then can you actually enforce it?)


In BR Appendix A:

Subscriber Certificates, minimum RSA modulus size (bits):
  "Validity period ending on or before 31 Dec 2013": 1024
  "Validity period ending after 31 Dec 2013":        2048

From Peter:
A 1024-bit cert will always work with FF 24, for example. It may or may not work on version 30. If a cert holder is ok with that, I don't think there is really a problem.

Correct. Mozilla policy and wiki pages say "Under no circumstances should any party expect continued support for RSA key size smaller than 2048 bits past December 31, 2013."

Thanks,

Kathleen
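The Appendix A rule quoted above, as an added example that is not from this thread or from Mozilla or the CA/Browser Forum: a Go checker that parses a certificate and tests its RSA modulus against the minimum for its NotAfter date. It generates its own constructed self-signed certificate as input; the subject name example.test and the function names are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// minRSAModulus applies BR Appendix A: 1024 bits is enough only if the validity
// period ends on or before 31 Dec 2013; anything ending later needs 2048.
func minRSAModulus(notAfter time.Time) int {
	if notAfter.After(time.Date(2013, time.December, 31, 23, 59, 59, 0, time.UTC)) {
		return 2048
	}
	return 1024
}

// checkBRKeySize parses a DER certificate and reports whether its RSA modulus
// meets the Appendix A minimum for its validity period (non-RSA keys pass).
func checkBRKeySize(der []byte) (bool, string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, "", err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return true, "not RSA; modulus rule does not apply", nil
	}
	bits, need := pub.N.BitLen(), minRSAModulus(cert.NotAfter)
	msg := fmt.Sprintf("RSA-%d, validity ends %s, minimum %d", bits, cert.NotAfter.Format("2006-01-02"), need)
	return bits >= need, msg, nil
}

// selfSignedRSA builds a constructed self-signed test certificate (not a real
// CA-issued one) with the given modulus size and NotAfter date.
func selfSignedRSA(bits int, notAfter time.Time) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```

A 1024-bit certificate whose validity runs into May 2014, the extension window mentioned in the thread, is reported as non-compliant; the same key expiring in November 2013 is within Appendix A.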
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
