The only criterion in the Webtrust BR audit (http://www.webtrust.org/homepage-documents/item27839.aspx) is section 11. Since the BRs will only apply to certificates issued since the last audit, and the MS policy prohibited issuance after Dec 2010, there shouldn't be many/any audits with a qualification because of non-revoked 1024 bit certs.
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Jeremy Rowley
Sent: Wednesday, December 11, 2013 6:01 PM
To: 'Rob Stradling'; 'Kathleen Wilson'; mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Exceptions to 1024-bit cert revocation requirement

The requirement is from Mozilla's policy, not the BRs: https://wiki.mozilla.org/CA:MD5and1024

Note that the Microsoft policy doesn't require revocation. Instead, they required all CAs to stop issuing 1024 bit certs as of Dec 31, 2010 (http://technet.microsoft.com/en-us/library/cc751157.aspx). The certificates are expiring naturally.

Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Rob Stradling
Sent: Wednesday, December 11, 2013 5:44 PM
To: Kathleen Wilson; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Exceptions to 1024-bit cert revocation requirement

On 12/12/13 00:25, Kathleen Wilson wrote:
<snip>
> From Rob:
>> Kathleen, are you saying that "must expire by the end of 2013" is a
>> "revocation requirement" ?
>>
>> Expiration != Revocation.
>>
>> Is there actually a requirement that says "By the end of 2013, CAs
>> MUST revoke all unexpired certificates with <2048-bit RSA keys" ?
>> If so, where is it written and when was it communicated to the CAs?
>>
>> (If it's not actually written anywhere, then can you actually enforce
>> it?)
>
> In BR Appendix A
>
> Subscriber Certificates
> Minimum RSA modulus
> "Validity period ending on or before 31 Dec 2013"
> 1024
> "Validity period ending after 31 Dec 2013"
> 2048

Sure, and BRs Section 13.1.5 says:
"The CA SHALL revoke a (Subscriber) Certificate within 24 hours if ...
9. The CA is made aware that the Certificate was not issued in accordance with these Requirements..."
Sorry, I should have mentioned that I'm thinking primarily about long-lived certificates that were issued before the BRs became effective.

BRs Section 1 says:
"Except where explicitly stated otherwise, these requirements apply only to relevant events that occur on or after the Effective Date."

Where is it written that <2048-bit certs that predate the BRs need to be revoked by end of 2013?

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy