<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal>An additional complication with this requirement is multiple certification paths: if an old (2048 RSA) root signs a new (3072 or greater RSA) root and code signing certificates are issued after 2020 that chain to the new root, then they will also transitively chain to the old root. Therefore, there will be a certificate in the path with a key size that is not acceptable.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Given this, do cross-signs need to be revoked, or will the Code Signing EKU (in terms of the Microsoft root program) be automatically removed from all roots that no longer have acceptable key sizes, or something else?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Cscwg-public <cscwg-public-bounces@cabforum.org> <b>On Behalf Of </b>Doug Beattie via Cscwg-public<br><b>Sent:</b> Thursday, September 3, 2020 4:36 PM<br><b>To:</b> Dean Coclin <dean.coclin@digicert.com>; cscwg-public@cabforum.org<br><b>Subject:</b> Re: [Cscwg-public] Code Signing Key Size changes<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Add to further Dean’s note, this applies to all certificates in the chain from the root down, so if you need a new subordinate CA you had better get started on that.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Dean Coclin via Cscwg-public<br><b>Sent:</b> Thursday, September 3, 2020 4:16 PM<br><b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> [Cscwg-public] Code Signing Key Size changes<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I’m not sure if everyone is aware that minimum key sizes are going to change soon.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The Code Signing BRs specify that certs issued after Jan 1, 2021 must have 3072 RSA keys (vs the current 2048). This has been in there for a while, but I fear that customers may not be prepared as it has not been well advertised.<o:p></o:p></p><p class=MsoNormal>In addition, making changes at the beginning of January is always risky due to holidays, shutdowns, freezes, etc. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I’m wondering if there is any appetite to move this to April or May 2021? <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Dean<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>