Bonjour, Le 24 févr. 2016 à 20:31, Peter Bowen <[email protected]<mailto:[email protected]>> a écrit :
On Feb 24, 2016, at 11:07 AM, Ryan Sleevi <[email protected]<mailto:[email protected]>> wrote: On Feb 24, 2016 10:56 AM, "Jeremy Rowley" <[email protected]<mailto:[email protected]>> wrote: > > I’ve been playing around with Peter Bowen’s certlint (an excellent tool) and, > looking at the cert universe as a whole, there are some noticeable issues > with the BRs and RFC 5280 that I though merited a public CAB Forum > discussion. Some of this is likely me not knowing the entire history of > 5280, so I appreciated any explanation. If there’s exceptions we would like > to make to RFC5280, we should probably also push a bis with IETF at the same > time. > > 3) Years ago, we discussed that 2047 bit certs were equivalent to 2048 > bit certs (although the discussion may have occurred solely on the Mozilla > mailing list). We should codify this exception. IMO, this is a giant hack that browsers did because CAs have trouble counting (see also: serial numbers), which itself is a statement that the underlying libraries played a very liberal definition. I would prefer not. I think there is a misunderstanding here. There has never been a requirement that the modulus contain a certain number of bits set to ‘1’. What is required is that the modulus be a 2048-bit number. The problem is that a 2048-bit number can have one or more of the high order bits being zero. When calculating the modulus “size”, all an observer can do find the left-most bit set to ‘1’ and use that. RSA moduli normally are the product of two prime numbers. OpenSSL and some other generating tools have a function that makes the top bit of each prime number to be 1 which ensures the result will have the top bit set to 1. However a random prime could be smaller, resulting in a smaller results. It’s like saying 998 is a 4 digits number whose highest-order digit is set to 0. Cordialement, Erwann Abalea
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
