So, to be clear.  A 2048 modulus with a 0 high bit is a 2047 bit number (or less)

It usually arises when you use two 1024-bit primes which "aren't big enough" or 
someone didn't use full 1024-bit primes. If p and q were generated correctly 
(both with the 2 high bits set), then you will always get a full 2048-bit modulus. 
My main reason for rejecting 2047-bit moduli is that the code that generated 
them wasn't following standard practice, so I don't know where else they may have 
messed up. 
----- Peter Bowen <[email protected]> wrote:
> 
> > On Feb 24, 2016, at 11:07 AM, Ryan Sleevi <[email protected]> wrote:
> > 
> > 
> > On Feb 24, 2016 10:56 AM, "Jeremy Rowley" <[email protected] 
> > <mailto:[email protected]>> wrote:
> > >
> > > I’ve been playing around with Peter Bowen’s certlint (an excellent tool) 
> > > and, looking at the cert universe as a whole, there are some noticeable 
> > > issues with the BRs and RFC 5280 that I thought merited a public CAB Forum 
> > > discussion.  Some of this is likely me not knowing the entire history of 
> > > 5280, so I appreciate any explanation. If there are exceptions we would 
> > > like to make to RFC 5280, we should probably also push a bis with IETF at 
> > > the same time.
> > >
> > 
> > > 3) Years ago, we discussed that 2047 bit certs were equivalent to 
> > > 2048 bit certs (although the discussion may have occurred solely on the 
> > > Mozilla mailing list).  We should codify this exception.
> > 
> > IMO, this is a giant hack that browsers did because CAs have trouble 
> > counting (see also: serial numbers), which itself is a statement that the 
> > underlying libraries played a very liberal definition.
> > 
> > I would prefer not.
> > 
> > 
> 
> I think there is a misunderstanding here. There has never been a requirement 
> that the modulus contain a certain number of bits set to ‘1’.  What is 
> required is that the modulus be a 2048-bit number.  The problem is that a 
> 2048-bit number can have one or more of the high order bits being zero.  When 
> calculating the modulus “size”, all an observer can do is find the left-most bit 
> set to ‘1’ and use that.  RSA moduli normally are the product of two prime 
> numbers. OpenSSL and some other generating tools have a function that makes 
> the top bit of each prime number 1, which ensures the result will have 
> the top bit set to 1.  However, a random prime could be smaller, resulting in 
> a smaller result.
> 
> Thanks,
> Peter
> 
> 
> 

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
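An added illustration of the point made in both messages above (example code written for this archive page, not anything posted to the list or taken from certlint/OpenSSL): the size an observer assigns to a modulus is just the position of its left-most 1 bit, and the product of two 1024-bit primes is only guaranteed to be 2048 bits when each prime has its top two bits set; forcing only the top bit leaves a real chance of a 2047-bit result. The prime generator, bit sizes and seed are constructed for the demonstration.

```python
import random

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin; fine for a demo, not for generating real keys."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, force_top_two, rng):
    """Random prime of exactly `bits` bits. force_top_two=True mirrors the
    OpenSSL behaviour Peter describes; False forces only the top bit."""
    mask = 1 << (bits - 1)
    if force_top_two:
        mask |= 1 << (bits - 2)
    while True:
        candidate = rng.getrandbits(bits) | mask | 1
        if is_probable_prime(candidate, rng):
            return candidate

def min_product_bits(bits, force_top_two):
    """Guaranteed bit length of p*q for two `bits`-bit primes: the smallest
    admissible prime squared (3*2^(bits-2) with both top bits, 2^(bits-1) otherwise)."""
    low = (3 << (bits - 2)) if force_top_two else (1 << (bits - 1))
    return (low * low).bit_length()

def sample_modulus_sizes(bits, force_top_two, trials, seed=0):
    """Set of observed bit lengths of p*q over `trials` random key pairs; the size an
    observer sees is just the position of the left-most 1 bit (int.bit_length)."""
    rng = random.Random(seed)
    sizes = set()
    for _ in range(trials):
        p, q = random_prime(bits, force_top_two, rng), random_prime(bits, force_top_two, rng)
        sizes.add((p * q).bit_length())
    return sizes
```

With 64-bit primes instead of 1024-bit ones (so it runs in well under a second) the same arithmetic applies: `sample_modulus_sizes(64, True, 40)` only ever yields 128, while `sample_modulus_sizes(64, False, 60)` produces a mix of 127 and 128.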
