[Cscwg-public] Code Signing Key Size changes

Corey Bonnell CBonnell at securetrust.com
Thu Sep 3 14:30:01 MST 2020

An additional complication with this requirement is multiple certification paths: if an old (2048 RSA) root signs a new (3072 or greater RSA) root and code signing certificates are issued after 2020 that chain to the new root, then they will also transitively chain to the old root. Therefore, there will be a certificate in the path with a key size that is not acceptable.


Given this, do cross-signs need to be revoked, or will the Code Signing EKU (in terms of the Microsoft root program) be automatically removed from all roots that no longer have acceptable key sizes, or something else?


From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Doug Beattie via Cscwg-public
Sent: Thursday, September 3, 2020 4:36 PM
To: Dean Coclin <dean.coclin at digicert.com>; cscwg-public at cabforum.org
Subject: Re: [Cscwg-public] Code Signing Key Size changes


Add to further Dean’s note, this applies to all certificates in the chain from the root down, so if you need a new subordinate CA you had better get started on that.


From: Cscwg-public <cscwg-public-bounces at cabforum.org <mailto:cscwg-public-bounces at cabforum.org> > On Behalf Of Dean Coclin via Cscwg-public
Sent: Thursday, September 3, 2020 4:16 PM
To: cscwg-public at cabforum.org <mailto:cscwg-public at cabforum.org> 
Subject: [Cscwg-public] Code Signing Key Size changes


I’m not sure if everyone is aware that minimum key sizes are going to change soon.


The Code Signing BRs specify that certs issued after Jan 1, 2021 must have 3072 RSA keys (vs the current 2048). This has been in there for a while, but I fear that customers may not be prepared as it has not been well advertised.

In addition, making changes at the beginning of January is always risky due to holidays, shutdowns, freezes, etc. 


I’m wondering if there is any appetite to move this to April or May 2021? 






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20200903/2b41e062/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4947 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20200903/2b41e062/attachment.p7s>

More information about the Cscwg-public mailing list