I think getting them revoked would be the first step. If you make the data available about which CAs still have 1024 bit certs or lower, we could email the CAs and find out what is going on.
Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Kurt Roeckx
Sent: Saturday, June 21, 2014 10:15 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Only accepting 2048 bit or better certificates

Hi,

The CA/B baseline requirements say that all RSA keys that are used since 1 January 2014 should have been at least 2048 bit. All shorter than 2048 should have either expired or been revoked by that date. But it's still not the case. We're currently around 0.24% of the certificates that are being seen on the internet that still are too short.

I've made a graph of the progress of this, which you can see at:
http://www.roeckx.be/certificates/rsa_small_zoom.png

If I do a linear interpolation of the last 3 months it looks like we might end up with 0% around January 2015, only 1 year after it was supposed to be the case. I hope the current trend stays that way.

But I would like to start enforcing the 2048 bit as soon as possible. Do we have some criteria for at which point we're willing to break compatibility?

There are still a few new certificates generated with 1024 bits. I've been filing bugs about those and there were only a few so far this month. Maybe we can set a date from which we won't be accepting certificates with a smaller than 2048 bit key generated after that date?

Should I put an effort into trying to get those certificates that are still seen revoked?

Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy