[cabfpub] BR Requirements for 1024-bit Certificates

i-barreira at izenpe.net
Fri Feb 1 07:48:34 UTC 2013

Agree with Eddy. The same thing will happen that occurred with EV: when the end date came, some CAs were still using 1K-length certs, even a year later, as we discussed at the last Scottsdale meeting.



Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.net




WARNING! This message contains privileged or confidential information that only the addressee is entitled to access. If you have received it in error (wrong address, transmission failure), we would be grateful if you did not use the information and notified the sender by replying to this e-mail.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On behalf of Eddy Nigg (StartCom Ltd.)
Sent: Thursday, 31 January 2013 23:12
To: public at cabforum.org
Subject: Re: [cabfpub] BR Requirements for 1024-bit Certificates


On 01/31/2013 11:58 PM, Wayne Thayer wrote:


I'm not yet aware of any known practical brute-force attack on 1024-bit RSA keys. On the other hand, it is clear that there will be a major impact on existing SSL sites as CAs work to rekey tens of thousands of certificates this year. I'd like to propose that we extend the deadline in the BRs for revoking existing certs with 1024-bit keys pending further evidence of a practical vulnerability. Do others support this change?

No, at least we don't. Those that took steps to ensure adequate key sizes in the past were at a disadvantage when refusing to sign certificates with smaller keys. Today, with the BR in place, the same rules are applied throughout the industry, and I don't consider it a good idea to roll back on this (and other issues) which we finally nailed down.

Additionally, we don't have to wait for the catastrophe to arrive in order to take action; we really should be at least a half-step ahead.

Finally, I consider a promise to revoke such certificates in December 2013 not compliant with the BR, and probably also not with some of the software vendors' requirements, if I recall correctly. So your statement is correct that, as of today, there shouldn't be any certificates with a validity of a year or more with 1024-bit keys.




Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
startcom at startcom.org
Join the Revolution! <http://blog.startcom.org>
Follow Me <http://twitter.com/eddy_nigg>



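The rekeying work Wayne and Eddy are arguing about starts with an inventory pass: which issued certificates carry an RSA modulus below 2048 bits, and which of those are still valid past the date the BRs set for 1024-bit keys. The script below is an added example, not code from the CAB Forum, StartCom, GoDaddy or Izenpe. It reads the modulus out of a DER RSAPublicKey by hand so it runs with no third-party packages (in practice you would take `key_size` from python-cryptography or read `openssl x509 -noout -text`), and it treats 31 December 2013 as the sunset date, an assumption taken from the thread's reference to December 2013 and from BR v1.0 Appendix A as I recall it. The inventory, subject names and moduli are constructed for the example.

```python
"""Audit a certificate inventory for RSA keys below 2048 bits.

Added example, not code from the CAB Forum or any CA. The sunset date is an
assumption taken from the thread's reference to December 2013 (BR v1.0
Appendix A allowed 1024-bit keys only for certificates expiring before
31 Dec 2013).
"""
from dataclasses import dataclass
from datetime import date

MIN_RSA_BITS = 2048
SUNSET_1024 = date(2013, 12, 31)  # assumption: see module docstring


def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    """Encode a non-negative INTEGER; DER adds 0x00 when the top bit is set."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def der_rsa_public_key(n: int, e: int = 65537) -> bytes:
    """Build RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der_key: bytes) -> int:
    """Key size as the bit length of the modulus, not 8 * its DER byte length.

    A 1024-bit modulus with the top bit set is encoded in 129 bytes because of
    the 0x00 sign pad, so counting bytes would report 1032 bits.
    """
    tag, seq, _ = _read_tlv(der_key, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, modulus, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


@dataclass
class CertRecord:
    subject: str
    der_key: bytes      # DER RSAPublicKey taken from the certificate's SPKI
    not_after: date


def br_key_status(rec: CertRecord) -> str:
    """Classify one certificate against the BR key-size requirement."""
    bits = rsa_modulus_bits(rec.der_key)
    if bits >= MIN_RSA_BITS:
        return "compliant"
    if rec.not_after < SUNSET_1024:
        return "expires-before-sunset"      # tolerated; rekey at renewal
    return "must-rekey-or-revoke"          # the case the thread is about


def audit(records) -> dict:
    """Map subject -> status; the revocation queue is the 'must-rekey-or-revoke' set."""
    return {r.subject: br_key_status(r) for r in records}


# Constructed sample inventory (not real certificates): moduli with only the
# top and bottom bits set give exact key sizes without generating real keys.
SAMPLE_INVENTORY = [
    CertRecord("www.example.test", der_rsa_public_key((1 << 2047) | 1), date(2014, 6, 1)),
    CertRecord("legacy.example.test", der_rsa_public_key((1 << 1023) | 1), date(2013, 9, 30)),
    CertRecord("old.example.test", der_rsa_public_key((1 << 1023) | 1), date(2014, 1, 31)),
]

if __name__ == "__main__":
    for subject, status in audit(SAMPLE_INVENTORY).items():
        print(f"{subject:24s} {status}")
```

The split into three statuses matches the position in the thread: a 1024-bit certificate that expires before the sunset can run out on its own, whereas one valid on or after it is the rekey-or-revoke work that a deadline extension would postpone. The hand-rolled parser is there only to make the sign-pad point visible; swap in a real X.509 library for production inventories.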