----- Original Message -----
> From: "Brian Smith" <[email protected]>
> To: "Kai Engert" <[email protected]>
> Cc: [email protected]
> Sent: Wednesday, 30 July, 2014 11:02:46 PM
> Subject: Re: Removal of 1024 bit CA roots - interoperability
>
> On Mon, Jul 28, 2014 at 12:05 PM, Kai Engert <[email protected]> wrote:
> > On Mon, 2014-07-28 at 21:02 +0200, Kai Engert wrote:
> >> On Mon, 2014-07-28 at 11:00 -0700, Brian Smith wrote:
> >> > I suggest that, instead of including the cross-signing certificates in
> >> > the NSS certificate database, the mozilla::pkix code should be changed
> >> > to look up those certificates when attempting to find them through NSS
> >> > fails.
> >>
> >> We are looking for a way to fix all applications that use NSS, not just
> >> Firefox. Only Firefox uses the mozilla::pkix library.
> >
> > Actually, including intermediates in the Mozilla root CA list should
> > even help applications that use other crypto toolkits (not just NSS).
>
> It depends on your definition of "help." I assume the goal is to
> encourage websites to migrate from 1024-bit signatures to RSA-2048-bit
> or ECDSA-P-256 signatures. If so, then including the intermediates in
> NSS so that all NSS-based applications can use them will be
> counterproductive to the goal, because when the system administrator
> is testing his server using those other NSS-based tools, he will not
> notice that he is depending on 1024-bit certificates (cross-signed or
> root) because everything will work fine.

The point is not to ship a 1024 bit cert, the point is to ship a 2048 bit cert.

So for sites that present a chain like this:
2048 bit host cert <- 2048 bit old sub CA <- 1024 bit root CA

we can find a certificate chain like this:
2048 bit host cert <- 2048 bit new cross-signed sub CA <- 2048 bit root CA

where the cross-signed sub CA is shipped by NSS

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: [email protected]
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
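
An added illustration of the chain substitution described in the message above (not part of the original thread and not NSS or mozilla::pkix code): a simplified Python model of path building in which the old sub CA and the cross-signed sub CA share one subject name and key. All certificate names and key labels are constructed, and signature verification is modeled as a key-label match rather than real cryptography.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str         # constructed label for the subject's key pair
    signer_key_id: str  # label of the key that signed this certificate
    bits: int           # size of the subject's key

def issuers_of(cert, pool):
    # Model of "name chains and signature verifies": the issuer name matches
    # the candidate's subject and the signing key is the candidate's key.
    return [c for c in pool
            if c.subject == cert.issuer and c.key_id == cert.signer_key_id]

def build_path(leaf, intermediates, roots):
    """Depth-first search for a chain from leaf to a trusted root, or None."""
    def walk(cert, path):
        path = path + [cert]
        trusted = issuers_of(cert, roots)
        if trusted:
            return path + [trusted[0]]
        for ca in issuers_of(cert, intermediates):
            if ca not in path:  # avoid loops between cross-signed CAs
                found = walk(ca, path)
                if found:
                    return found
        return None
    return walk(leaf, [])

def describe(path):
    return " <- ".join(f"{c.bits} bit {c.subject}" for c in path)

# Constructed certificates mirroring the two chains in the message.
OLD_ROOT = Cert("old root CA", "old root CA", "k-old-root", "k-old-root", 1024)
NEW_ROOT = Cert("new root CA", "new root CA", "k-new-root", "k-new-root", 2048)
OLD_SUB = Cert("sub CA", "old root CA", "k-sub", "k-old-root", 2048)
CROSS_SUB = Cert("sub CA", "new root CA", "k-sub", "k-new-root", 2048)
HOST = Cert("host cert", "sub CA", "k-host", "k-sub", 2048)

if __name__ == "__main__":
    sent_by_server = [OLD_SUB]
    # 1024 bit root removed, nothing else shipped: no chain is found.
    print(build_path(HOST, sent_by_server, [NEW_ROOT]))
    # Cross-signed sub CA shipped alongside the 2048 bit root: chain is found.
    print(describe(build_path(HOST, sent_by_server + [CROSS_SUB], [NEW_ROOT])))
```

The host certificate validates through either sub CA certificate because both carry the same subject and key; only the issuer differs.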

