On Mon, Aug 4, 2014 at 7:03 AM, Hubert Kario <[email protected]> wrote:
> it has limited effect on overall security of connection (if we assume 80 bit
> level of security for both SHA1 and 1024 bit RSA and ignore signature
> algorithm on the root certs):

Hi Hubert,

Thanks for doing that. Note that because 1024-bit-to-2048-bit cross-signing certificates exist for many CAs, removal of these roots alone isn't going to have a big effect on its own. Instead, removal of these roots is a stepping stone. The next step is to stop accepting <2048-bit *intermediate* CA certificates from the built-in trust anchors, even if they chain to a trusted >=2048-bit root.

Cheers,
Brian
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

