[cabfpub] BR Requirements for 1024-bit Certificates

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Thu Jan 31 22:11:30 UTC 2013


On 01/31/2013 11:58 PM, From Wayne Thayer:
>
> I'm not yet aware of any known practical brute force attack on 1024 
> bit RSA keys.  On the other hand, it is clear that there will be a 
> major impact on existing SSL sites as CAs work to rekey 10's of 
> thousands of certificates this year.  I'd like to propose that we 
> extend the deadline in the BRs for revoking existing certs with 1024 
> bit keys pending further evidence of a practical vulnerability.  Do 
> others support this change?

No, at least we don't - those that took steps to ensure adequate keys 
sizes in the past were at a disadvantage when refusing to sign 
certificate with smaller keys. Today with the BR in place, the same 
rules are applied throughout the industry and I don't consider it a good 
idea to roll back on this (and other issues) which we finally nailed down.

Additionally we don't have to wait for the catastrophe to arrive in 
order to take actions, we really should be at least a half-step ahead.

Finally do I consider a promise to revoke such certificates in December 
2013 not compliant to the BR - and probably also not to some of the 
software vendors requirements if I recall correctly. So your statement 
is correct, that as of today there shouldn't be any certificates with a 
validity of a year and more with 1024 bit keys.


Regards
Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130201/4c56519d/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4540 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130201/4c56519d/attachment-0001.p7s>


More information about the Public mailing list