At 9:39 PM -0700 4/29/07, Nelson Bolyard wrote:
>I propose that we add additional requirements to the policy for root CAs
>that apply for inclusion in mozilla products. I propose that we require a
>minimum key size for the root CA cert *AND* for any intermediate CA certs
>issued by that root CA cert.

It is good to require that a CA use good security practices, and the size of the key is a good security practice.

For RSA keys, given the state of the art in breaking RSA and differential DSA, a Mozilla policy for 1024 bits is sufficient for at least five more years, and possibly longer. We have plenty of time to come up with policies for requirements for longer keys once the PKI community has a good story on how to handle root key rollover (which we don't now).

Also, given the state of the art for ECDSA, 256 bits is just fine for ECDSA certificates.

Sooooo, while we are making this change, are we going to deal with hash algorithms used in the CA signatures as well?

At 12:45 AM -0700 4/30/07, Nelson Bolyard wrote:
>In case it wasn't obvious, I need to state that *it is my opinion*
>that 512 bits is not a reasonable length for an RSA public key
>to be used by a CA in 2007.

Agree.

>I base that opinion on NIST's statement to the effect that even 1024-bit
>RSA public keys will not be strong enough beginning in the year 2010.
>
>See http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf

I think that is a mischaracterization of the NIST advice. NIST recommendations are blanket recommendations for the US Government. In this case, they have to include CA keys which cannot easily be replaced or rolled-over (think keys burned into hardware in the field) and is therefore not directly applicable to roots for Mozilla.