On 12/20/13 11:45 AM, Rob Stradling wrote:
> To me, "cert revocation" means replying "revoked" via OCSP for that
> cert's serial number, and also adding that cert's serial number to the CRL.
> I understand that new versions of browsers will stop accepting 1024-bit
> certs and that site operators will naturally stop using 1024-bit certs.
> But neither stopping using nor stopping accepting are the same thing
> as revocation.
> My question is simple: Will CAs need to revoke all unexpired 1024-bit
> certs by the cut-off date?
> If "Yes", where is this requirement written?
> If "No", please simply reply "No".

No.
To my knowledge there is not a written requirement for CAs to revoke all
unexpired 1024-bit certs by a cut-off date.
But everyone should keep the following in mind...
https://wiki.mozilla.org/CA:MD5and1024
"All end-entity certificates with RSA key size smaller than 2048 bits
must expire by the end of 2013.
Under no circumstances should any party expect continued support for RSA
key size smaller than 2048 bits past December 31, 2013. This date could
get moved up substantially if necessary to keep our users safe. We
recommend all parties involved in secure transactions on the web move
away from 1024-bit moduli as soon as possible."
Some long-lived certs were issued before the statement was made and
communicated.
Some CAs have needed to re-issue 1024-bit certs that are valid beyond
2013 in order for their customers to maintain operation while
transitioning to new software and hardware that will support 2048-bit
certs. (I am OK with this)
At this point in time, I think the 1024-bit certs will work in Mozilla
products until the April 2014 time frame. But, as per
https://wiki.mozilla.org/CA:MD5and1024, "Mozilla will take these actions
earlier and at its sole discretion if necessary to keep our users safe."
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy