On 6/21/2014 11:37 AM, Jeremy Rowley wrote:
> I think getting them revoked would be the first step.  If you make the data
> available about which CAs still have 1024 bit certs or lower, we could email
> the CAs and find out what is going on.
> 
> Jeremy
> 
> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Kurt Roeckx
> Sent: Saturday, June 21, 2014 10:15 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Only accepting 2048 bit or better certificates
> 
> Hi,
> 
> The CA/B baseline requirements say that all RSA keys that are used since
> 1 January 2014 should have been at least 2048 bits.
> All shorter than 2048 should have either expired or been revoked by that
> date.  But it's still not the case.  Currently around 0.24% of the
> certificates that are being seen on the internet are still too short.
> 
> I've made a graph of the progress of this, which you can see at:
> http://www.roeckx.be/certificates/rsa_small_zoom.png
> 
> If I do a linear interpolation of the last 3 months it looks like we might
> end up with 0% around January 2015, only 1 year after it was supposed to be
> the case.  I hope the current trend stays that way.
> 
> But I would like to start enforcing 2048 bits as soon as possible.  Do we
> have some criteria for at which point we're willing to break compatibility?
> 
> There are still a few new certificates generated with 1024 bits.
> I've been filing bugs about those and there were only a few so far this
> month.  Maybe we can set a date from which we won't be accepting
> certificates with a key smaller than 2048 bits generated after that date?
> 
> Should I put an effort into trying to get those certificates that are still
> seen revoked?

Bug reports have been filed for each non-complying root certificate.
See the following bugs: 1015767, 1015770, 1015771, 1015772, 1015773,
1026128, and 1026741.

-- 

David E. Ross
<http://www.rossde.com/>

On occasion, I filter and ignore all newsgroup messages
posted through GoogleGroups via Google's G2/1.0 user agent
because of spam, flames, and trolling from that source.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
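As an added example (not code from this thread, from Mozilla or from any CA), here is a Go check of the rule Kurt describes: the 1 January 2014 cutoff and the 2048-bit minimum come from his message, while the tolerance for short keys whose certificate expired before the cutoff is my reading of "should have either expired or been revoked by that date". The self-signed certificate builder, the name example.invalid and the dates used are constructed for offline testing.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Cutoff from the thread: since 1 January 2014 every RSA key in use must be at
// least 2048 bits, and shorter ones should have expired or been revoked by then.
var brCutoff = time.Date(2014, time.January, 1, 0, 0, 0, 0, time.UTC)
const minRSABits = 2048

// CheckRSAKeySize applies that rule to one parsed certificate. A short key is
// tolerated only if the certificate expired before the cutoff, i.e. it was
// never "used since" that date; non-RSA keys are out of scope (bits = 0).
func CheckRSAKeySize(cert *x509.Certificate) (compliant bool, bits int, reason string) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return true, 0, "not an RSA key; rule does not apply"
	}
	bits = pub.N.BitLen()
	switch {
	case bits >= minRSABits:
		return true, bits, "RSA key meets the 2048-bit minimum"
	case cert.NotAfter.Before(brCutoff):
		return true, bits, "short RSA key, but certificate expired before the cutoff"
	default:
		return false, bits, "short RSA key still valid past the cutoff; should be revoked"
	}
}

// SelfSignedRSACert builds a constructed self-signed test certificate (not a
// real one) so the check can be exercised offline with any key size and dates.
func SelfSignedRSACert(bits int, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter,
		Subject: pkix.Name{CommonName: "example.invalid"}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

To run it over real data, replace SelfSignedRSACert with x509.ParseCertificate on each DER certificate from a scan and count the non-compliant verdicts over time, which is the percentage Kurt's graph tracks.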