[cabfpub] [cabfman] [cabfquest] BR Requirements for 1024-bit Certificates

[Eddy Nigg (StartCom Ltd.)]

On 02/01/2013 10:16 PM, From Ryan Sleevi:
> I would also note that it would seem to favour the incumbent CAs whose
> practices may have been more lax, but more marketable, at the expense
> of newer CAs entering the field and needing to conform to the BRs.

Or those that always had a higher standard and/or policy requirements.

> I realize that, conversely, requiring compliance may come with a cost,
> but I think the whole argument is that the BRs do raise the bar on
> security, and that the cost is justified compared to the risks to
> users and the responsibilities of operating in the public trust.

I think that it should be very clear that NEW (*) certificates must 
confirm to the BR, resulting that nobody should get 1K certificates 
today anymore (excluding certificates that are valid for a shorter 
period than one year).

Of course it would be great if previously issued certificate would be 
replaced and also shortened in their lifetime to the maximum allowed 
validity period. It seems to me that such effort could be done for most 
within the course of almost one year.

(*) Of course it would be easy to issue a certificate today with a 
validity period starting before summer 2012, but lets assume nobody does 
that.


Regards
Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130201/cdfbab45/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4540 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130201/cdfbab45/attachment.p7s>