Nelson, I'm in favor of creating requirements for root certs, especially since you can check all the requirements when a root is presented for addition to mozilla. Intermediates will be more problematic, and I would suggest that you not create requirements for intermediates until you've had some time to evaluate how well root cert requirements are working.
Please involve VeriSign and other CAs when coming up with these requirements. There are legitimate business reasons why certain key sizes and algorithms are chosen. For example, we use 2048-bit intermediates as a practice, but we recently learned that a number of cell phones in the Japanese market cannot deal with keys larger than 1024 bits. And it will be a few years before those phones will be replaced with models that can. Likewise with algorithms: We can't issue certs with signatures using SHA-2 until SHA-2 is available much more widely. Doing so at this point would result in certs that would fail with many clients. -Rick > Date: Mon, 30 Apr 2007 07:54:18 -0700 > From: Paul Hoffman <[EMAIL PROTECTED]> > Subject: Re: Amending Mozilla's Root CA cert policy with key size > requirements > To: dev-tech-crypto@lists.mozilla.org > Message-ID: <[EMAIL PROTECTED]> > Content-Type: text/plain; charset="us-ascii" ; format="flowed" > > At 9:39 PM -0700 4/29/07, Nelson Bolyard wrote: > >I propose that we add additional requirements to the policy for root > >CAs that apply for inclusion in mozilla products. I propose that we > >require a minimum key size for the root CA cert *AND* for any > >intermediate CA certs issued by that root CA cert. > > It is good to require that a CA use good security practices, > and the size of the key is a good security practice. For RSA > keys, Given the state of the art in breaking RSA and > differential DSA, a Mozilla policy for 1024 bits is > sufficient for at least five more years, and possibly longer. > We have plenty of time to come up with policies for > requirements for longer keys once the PKI community has a > good story on how to handle root key rollover (which we don't > now). Also, given the state of the art for ECDSA, 256 bits is > just fine for ECDSA certificates. > > Sooooo, while we are making this change, are we going to deal > with hash algorithms used in the CA signatures as well? > > At 12:45 AM -0700 4/30/07, Nelson Bolyard wrote: > >In case it wasn't obvious, I need to state that *it is my > opinion* that > >512 bits is not a reasonable length for an RSA public key to > be used by > >a CA in 2007. > > Agree. > > >I base that opinion on NIST's statement to the effect that even > >1024-bit RSA public keys will not be strong enough beginning > in the year 2010. > > > >See http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf > > I think that is a mischaracterization of the NIST advice. > NIST recommendations are blanket recommendations for the US > Government. In this case, they have to include CA keys which > cannot easily be replaced or rolled-over (think keys burned > into hardware in the > field) and is therefore not directly applicable to roots for Mozilla. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
