Re: Exceptions to 1024-bit cert revocation requirement

2013-12-20 Thread Kathleen Wilson

On 12/13/13 4:03 AM, Rob Stradling wrote:
> On 12/12/13 01:08, fhw...@gmail.com wrote:
>> That's the great part about this, Rob, you don't actually have to revoke
>> anything.
>
> Peter, thanks for sharing your interpretation.  What concerns me is that
> the same interpretation is not shared by everyone.
>
> I don't really care whether or not these certs need to be revoked by the
> end of 2013.  What I am concerned about is the possibility that CAs
> might be reprimanded because they failed to follow an unwritten rule!

In my opinion, it is OK for CAs to take a little more time to finish
transitioning their existing customers off of 1024-bit certs.

>> The certs will just stop working at some point.
>
> Correct.
>
>> I'm being somewhat facetious but that's really the bottom line. Perhaps
>> we should not use the word "revocation" here because in a strict technical
>> sense that's not what will happen and nor is revocation really necessary.

CAs have been transitioning their customers off of 1024-bit certs,
because they don't want their customers to suddenly have their certs
stop working.

Some of those customers are coming back and saying that they need more
time for various reasons (often having to do with the hardware that
they're using).

The April 2014 time frame seems to be when most customers can complete
their migration off of 1024-bit certs. I'm OK with that.


Kathleen



___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Exceptions to 1024-bit cert revocation requirement

2013-12-20 Thread Rob Stradling

On 20/12/13 17:40, Kathleen Wilson wrote:
> On 12/13/13 4:03 AM, Rob Stradling wrote:
>> On 12/12/13 01:08, fhw...@gmail.com wrote:
>>> That's the great part about this, Rob, you don't actually have to revoke
>>> anything.
>>
>> Peter, thanks for sharing your interpretation.  What concerns me is that
>> the same interpretation is not shared by everyone.
>>
>> I don't really care whether or not these certs need to be revoked by the
>> end of 2013.  What I am concerned about is the possibility that CAs
>> might be reprimanded because they failed to follow an unwritten rule!
>
> In my opinion, it is OK for CAs to take a little more time to finish
> transitioning their existing customers off of 1024-bit certs.


Kathleen, perhaps I'm still failing to express my concern clearly.

I am trying to understand exactly what you mean by "1024-bit cert
revocation requirement".

To me, cert revocation means replying "revoked" via OCSP for that
cert's serial number, and also adding that cert's serial number to the CRL.

I understand that new versions of browsers will stop accepting 1024-bit
certs and that site operators will naturally stop using 1024-bit certs.
But neither "stopping using" nor "stopping accepting" are the same thing
as revocation.

My question is simple: Will CAs need to revoke all unexpired 1024-bit
certs by the cut-off date?

If "Yes", where is this requirement written?

If "No", please simply reply "No".

Thanks.

<snip>

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
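Rob's distinction above (a cert that relying parties stop accepting because of its key size is not thereby revoked; revocation means its serial appearing on the issuer's CRL or being answered as "revoked" over OCSP) can be made concrete. The Go program below is an added example, not code from this thread or from any CA: it issues a constructed 1024-bit test cert and a CRL from a throwaway CA, then answers the key-size question and the revocation question separately. The 2048-bit minimum, the serial 4242 and the subject names are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// classify keeps apart the two questions the thread conflates: is the RSA key still acceptable to relying parties (keyBits, accepted), and has the issuer actually revoked the serial on a CRL it signed (revoked).
func classify(cert, issuer *x509.Certificate, crl *x509.RevocationList, minBits int) (keyBits int, accepted, revoked bool, err error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return 0, false, false, fmt.Errorf("not an RSA certificate")
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil { // trust CRL contents only once the issuer's signature verifies
		return 0, false, false, fmt.Errorf("untrusted CRL: %w", err)
	}
	keyBits = pub.N.BitLen()
	for _, rc := range crl.RevokedCertificates {
		revoked = revoked || rc.SerialNumber.Cmp(cert.SerialNumber) == 0
	}
	return keyBits, keyBits >= minBits, revoked, nil
}

// fixture builds a constructed throwaway CA, a 1024-bit leaf it issued, and a CRL carrying exactly the given entries (nil means the CA revoked nothing); all names and serials are assumed test values.
func fixture(entries []pkix.RevokedCertificate) (ca, leaf *x509.Certificate, crl *x509.RevocationList) {
	now := time.Now()
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now, NotAfter: now.Add(time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 1024) // the legacy key size under discussion
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), NotBefore: now, NotAfter: now.Add(time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour), RevokedCertificates: entries}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	crl, _ = x509.ParseRevocationList(crlDER)
	return ca, leaf, crl
}

func main() {
	ca, leaf, crl := fixture(nil) // the CA has revoked nothing: the cert is merely no longer acceptable
	fmt.Println(classify(leaf, ca, crl, 2048)) // 1024 false false <nil>
}
```

Passing a CRL entry for serial 4242 to fixture flips only the revoked answer; the key-size answer is unchanged, which is exactly the separation the thread is arguing about.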