Re: Formal notice given of rearrangement of deck chairs on RMS PKItanic
Matt Crawford writes: >EE = End Entity, but I don't read the first sentence the way Peter did. As I mentioned in my previous followup, it's badly worded, but the intent is to ban any keys < 2K bits of any kind (currently with evolving weasel-words about letting CAs certify them up to 2013 or so if the user begs really hard). Peter. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: Formal notice given of rearrangement of deck chairs on RMS PKItanic
Victor Duchovni writes: >What are "EE certs", did you mean "EV"? End-entity certs, i.e. non-CA certs. This means that potentially after the end of this year and definitely after 2013 it will not be possible to use any key shorted than 2048 bits with Firefox. Anyone using, for example, an embedded device adminstered via SSL will have to use another browser. >From the discussion on the Mozilla policy list I get the impression that this move has been given pretty much zero thought beyond "we need to do what NIST wants". Peter. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: Formal notice given of rearrangement of deck chairs on RMS PKItanic
On Wed, Oct 06, 2010 at 01:32:00PM -0500, Matt Crawford wrote: > > That is, if your CA key size is smaller, stop signing with it. You may have missed the next sentence of Mozilla's statement: > All CAs should stop issuing intermediate and end-entity certificates with > RSA key size smaller than 2048 bits under any root. That is, no matter how long your root key is (the previous sentence stated the requirements about _that_) you may not use it to sign any end-entity certificate whose key size is < 2048 bits. Gun: check. Bullets: check. Feet: check. Now they have everything they need to prevent HTTPS Everywhere. Thor - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: Formal notice given of rearrangement of deck chairs on RMS PKItanic
On Wed, 6 Oct 2010, Matt Crawford wrote: [[...]] I found it amusing that this message was accompanied by an S/MIME certificate which my mail client (alpine) was unable to verify, resulting in the error messages [Couldn't verify S/MIME signature: certificate verify error] [ This message was cryptographically signed but the signature ] [ could not be verified. ] ciao, -- -- "Jonathan Thornburg [remove -animal to reply]" Dept of Astronomy, Indiana University, Bloomington, Indiana, USA "Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral." -- quote by Freire / poster by Oxfam - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: Formal notice given of rearrangement of deck chairs on RMS PKItanic
Jack Lloyd writes: > On Wed, Oct 06, 2010 at 04:52:46PM +1300, Peter Gutmann wrote: > >> Right, because the problem with commercial PKI is all those attackers who are >> factoring 1024-bit moduli, and apart from that every other bit of it works >> perfectly. > > _If_ Mozilla and the other browser vendors actually go through with > removing all <2048 bit CA certs (which I doubt will happen because I > suspect most CAs will completely ignore this), it would have one > tangible benefit: > > (Some of, though unfortunately not nearly all) the old CA certificates > that have been floating around since the dawn of time (ie the mid-late > 90s), often with poor chains of custody through multiple iterations of > bankruptcies, firesale auctions, mergers, acquisitions, and so on, > will die around 2015 instead of their current expirations of > 2020-2038. Sadly this will only kill about 1/3 of the 124 (!!) > trusted roots Mozilla includes by default. Another consequence is that people will explore moving to ECC, which is less studied than RSA and appears to be a patent mine-field. As much as I'd like to get rid of old hard coded CAs in commonly used software, I feel there are better ways to achieve that than a policy like this. /Simon - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: Formal notice given of rearrangement of deck chairs on RMS PKItanic
On Oct 6, 2010, at 10:48 AM, Victor Duchovni wrote: > On Wed, Oct 06, 2010 at 04:52:46PM +1300, Peter Gutmann wrote: > >> From https://wiki.mozilla.org/CA:MD5and1024: >> >> December 31, 2010 - CAs should stop issuing intermediate and end-entity >> certificates from roots with RSA key sizes smaller than 2048 bits [0]. All >> CAs should stop issuing intermediate and end-entity certificates with RSA >> key size smaller than 2048 bits under any root. >> >> [...] >> >> [0] This is ambiguously worded, but it's talking about key sizes in EE certs. > > What are "EE certs", did you mean "EV"? EE = End Entity, but I don't read the first sentence the way Peter did. I parse it as >> CAs should stop issuing (intermediate and end-entity >> certificates) from (roots with RSA key sizes smaller than 2048 bits). That is, if your CA key size is smaller, stop signing with it. Of course, if it's important to stop signing with it, it's equally important to revoke all signatures already made. smime.p7s Description: S/MIME cryptographic signature
Re: Formal notice given of rearrangement of deck chairs on RMS PKItanic
On Wed, Oct 06, 2010 at 04:52:46PM +1300, Peter Gutmann wrote: > From https://wiki.mozilla.org/CA:MD5and1024: > > December 31, 2010 - CAs should stop issuing intermediate and end-entity > certificates from roots with RSA key sizes smaller than 2048 bits [0]. All > CAs should stop issuing intermediate and end-entity certificates with RSA > key size smaller than 2048 bits under any root. > > [...] > > Right, because the problem with commercial PKI is all those attackers who are > factoring 1024-bit moduli, and apart from that every other bit of it works > perfectly. > > Peter. > > [0] This is ambiguously worded, but it's talking about key sizes in EE certs. What are "EE certs", did you mean "EV"? -- Viktor. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: Formal notice given of rearrangement of deck chairs on RMS PKItanic
On Wed, Oct 06, 2010 at 04:52:46PM +1300, Peter Gutmann wrote: > Right, because the problem with commercial PKI is all those attackers who are > factoring 1024-bit moduli, and apart from that every other bit of it works > perfectly. _If_ Mozilla and the other browser vendors actually go through with removing all <2048 bit CA certs (which I doubt will happen because I suspect most CAs will completely ignore this), it would have one tangible benefit: (Some of, though unfortunately not nearly all) the old CA certificates that have been floating around since the dawn of time (ie the mid-late 90s), often with poor chains of custody through multiple iterations of bankruptcies, firesale auctions, mergers, acquisitions, and so on, will die around 2015 instead of their current expirations of 2020-2038. Sadly this will only kill about 1/3 of the 124 (!!) trusted roots Mozilla includes by default. -Jack - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Formal notice given of rearrangement of deck chairs on RMS PKItanic
>From https://wiki.mozilla.org/CA:MD5and1024: December 31, 2010 - CAs should stop issuing intermediate and end-entity certificates from roots with RSA key sizes smaller than 2048 bits [0]. All CAs should stop issuing intermediate and end-entity certificates with RSA key size smaller than 2048 bits under any root. Under no circumstances should any party expect continued support for RSA key size smaller than 2048 bits past December 31, 2013. This date could get moved up substantially if necessary to keep our users safe. We recommend all parties involved in secure transactions on the web move away from 1024-bit moduli as soon as possible. Right, because the problem with commercial PKI is all those attackers who are factoring 1024-bit moduli, and apart from that every other bit of it works perfectly. Peter. [0] This is ambiguously worded, but it's talking about key sizes in EE certs. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com