At 11:54 AM -0400 5/1/07, Frank Hecker wrote: >Paul Hoffman wrote: >> At 2:12 PM -0700 4/30/07, Robert Relyea wrote: >>> I don't see a way around the legacy 1024 bit certs, but I would >>> definately want to see wording that will discourage the issuance of >>> new root certs that are less than 2048. >> >> From a cryptographic standpoint, such a policy would not make sense. > >You are correct in the strict sense. '
Thank you. :-) >However IMO getting rid of 1024-bit >certs will not be a one-time event where we remove all such certs, >instead we have to plan for a transitional period as CAs phase out the >use of old root CA certs and start issuing certs under new root CA >certs. Yep. The tricky part will be getting them to agree to phase out their old certs in under five years. OTOH, Firefox is gaining enough traction where if we say "after 2013 all 1024-bit root certs will be banished from the root store", it might get them moving. >During that transition period it makes policy sense (if not >cryptographic sense) to discourage inclusion of new 1024-bit root CA >certs while allowing old ones to remain for a little while longer. > >So if we do change our CA policy to reflect current thinking on modulus >length I think we should do two things: > >1. Stop accepting new 1024-bit CA certs immediately (or at least very soon). Fully agree. > >2. Set a target date (or dates) for removal of legacy 1024-bit CA certs. Fully agree. What about 1536-bit CA certs? This is a serious question. We need to understand whether or not the CAs we care about want this intermediate size for any reason, or if we make the required size after the cutoff to be 2048 bits. Again, while we are at it, how about mandating SHA-246? We can safely assume complete deployment of it within five years. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto