[cabfpub] BR Requirements for 1024-bit Certificates

Rick Andrews Rick_Andrews at symantec.com
Thu Jan 31 22:44:55 UTC 2013


+1

Our responses crossed in the mail :^)

> -----Original Message-----
> From: Rob Stradling [mailto:rob.stradling at comodo.com]
> Sent: Thursday, January 31, 2013 2:43 PM
> To: public at cabforum.org
> Cc: Rick Andrews; Eddy Nigg (StartCom Ltd.)
> Subject: Re: [cabfpub] BR Requirements for 1024-bit Certificates
> 
> Section "1. Scope" says:
> "Except where explicitly stated otherwise, these requirements apply
> only
> to relevant events that occur on or after the Effective Date."
> 
> For 1024-bit certs that were issued before the Effective Date and which
> expire after Dec 31st 2013, what "relevant event...on or after the
> Effective Date" are we talking about that would cause the BRs to become
> applicable?
> 
> (I wouldn't classify "a cert continues to be both unexpired and
> unrevoked" as an "event").
> 
> On 31/01/13 22:29, Rick Andrews wrote:
> > We support changing the date in the BR, as we have tens of thousands of
> > such certs, many issued long before the BR was enacted. It would be
> > extremely disruptive to many of our customers to replace them early.
> >
> > I agree that we don't want to wait until the catastrophe arrives, but
> > AFAIK the largest number factored was less than 800 bits. Factoring a
> > 1024-bit number is far, far more difficult. If there is consensus for a
> > ballot, I would endorse it.
> >
> > -Rick
> >
> > From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> > On Behalf Of Eddy Nigg (StartCom Ltd.)
> > Sent: Thursday, January 31, 2013 2:12 PM
> > To: public at cabforum.org
> > Subject: Re: [cabfpub] BR Requirements for 1024-bit Certificates
> >
> >
> > On 01/31/2013 11:58 PM, From Wayne Thayer:
> >
> > I'm not yet aware of any known practical brute force attack on 1024 bit
> > RSA keys.  On the other hand, it is clear that there will be a major
> > impact on existing SSL sites as CAs work to rekey 10's of thousands of
> > certificates this year.  I'd like to propose that we extend the deadline
> > in the BRs for revoking existing certs with 1024 bit keys pending
> > further evidence of a practical vulnerability.  Do others support this
> > change?
> >
> >
> > No, at least we don't - those that took steps to ensure adequate key
> > sizes in the past were at a disadvantage when refusing to sign
> > certificates with smaller keys. Today with the BR in place, the same
> > rules are applied throughout the industry and I don't consider it a good
> > idea to roll back on this (and other issues) which we finally nailed down.
> >
> > Additionally we don't have to wait for the catastrophe to arrive in
> > order to take actions, we really should be at least a half-step ahead.
> >
> > Finally, I consider a promise to revoke such certificates in December
> > 2013 not compliant with the BR - and probably also not with some of the
> > software vendors' requirements if I recall correctly. So your statement
> > is correct, that as of today there shouldn't be any certificates with a
> > validity of a year and more with 1024 bit keys.
> >
> > Regards
> >
> > Signer: Eddy Nigg, COO/CTO
> > StartCom Ltd. <http://www.startcom.org>
> > XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
> > Blog: Join the Revolution! <http://blog.startcom.org>
> > Twitter: Follow Me <http://twitter.com/eddy_nigg>
> >
> > _______________________________________________
> > Public mailing list
> > Public at cabforum.org
> > https://cabforum.org/mailman/listinfo/public
> >
> 
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> Office Tel: +44.(0)1274.730505
> Office Fax: +44.(0)1274.730909
> www.comodo.com
> 
> COMODO CA Limited, Registered in England No. 04058690
> Registered Office:
>    3rd Floor, 26 Office Village, Exchange Quay,
>    Trafford Road, Salford, Manchester M5 3EQ
> 
> This e-mail and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they are
> addressed.  If you have received this email in error please notify the
> sender by replying to the e-mail containing this attachment. Replies to
> this email may be monitored by COMODO for operational or business
> reasons. Whilst every endeavour is taken to ensure that e-mails are free
> from viruses, no liability can be accepted and the recipient is
> requested to use their own virus checking software.
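
The thread argues about which certificates the Baseline Requirements' 1024-bit deadline actually catches: RSA keys shorter than 2048 bits that are still unexpired after December 31st 2013. The script below is an added example, not code from the CA/Browser Forum, Symantec, Comodo or StartCom; it audits a PEM bundle against that rule and lets you re-run the audit with a different sunset date to see what extending the deadline would change. It assumes the Python `cryptography` package is installed, and the certificates it audits are constructed self-signed samples (a 1024-bit key expiring before the sunset, a 1024-bit key expiring after it, a 2048-bit key and a P-256 key), not real CA-issued certificates.

```python
"""Audit X.509 certificates against the BR 1024-bit RSA sunset.

Added example, not code from the CA/Browser Forum or any CA on this thread.
Assumes the `cryptography` package (https://cryptography.io) is installed.
Thresholds follow the BR as the thread describes them: RSA keys below 2048
bits are tolerated only in certificates expiring on or before 2013-12-31.
All sample certificates are constructed here; none are real CA certificates.
"""
import re
from datetime import datetime, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

MIN_RSA_BITS = 2048
# Last moment at which a sub-2048-bit RSA key is still tolerated (BR date from the thread).
BR_1024_SUNSET = datetime(2013, 12, 31, 23, 59, 59, tzinfo=timezone.utc)

_PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def _not_after_utc(cert):
    """notAfter as a tz-aware UTC datetime, across cryptography versions."""
    not_after = getattr(cert, "not_valid_after_utc", None)  # cryptography >= 42
    if not_after is None:
        not_after = cert.not_valid_after.replace(tzinfo=timezone.utc)  # older: naive UTC
    return not_after


def audit_cert(cert, sunset=BR_1024_SUNSET):
    """Verdict for one certificate: ok | tolerated-until-sunset | violation | non-rsa."""
    pub = cert.public_key()
    if not isinstance(pub, rsa.RSAPublicKey):
        return "non-rsa"  # EC keys are outside the scope of this particular rule
    if pub.key_size >= MIN_RSA_BITS:
        return "ok"
    # Weak key: only acceptable if the certificate is gone by the sunset date.
    return "tolerated-until-sunset" if _not_after_utc(cert) <= sunset else "violation"


def audit_pem_bundle(pem_bytes, sunset=BR_1024_SUNSET):
    """Audit every certificate in a PEM bundle -> [(subject CN, key bits, verdict)]."""
    results = []
    for match in _PEM_CERT.finditer(pem_bytes):
        cert = x509.load_pem_x509_certificate(match.group(0))
        cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        bits = getattr(cert.public_key(), "key_size", None)
        results.append((cn, bits, audit_cert(cert, sunset)))
    return results


def make_self_signed(cn, key, not_after):
    """Constructed self-signed certificate used as sample input only."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(1)
        .not_valid_before(datetime(2012, 1, 1, tzinfo=timezone.utc))
        .not_valid_after(not_after)
        .sign(key, hashes.SHA256())
    )


def sample_bundle():
    """Constructed inventory (assumed names, not real hosts): the four cases the thread discusses."""
    k1024 = rsa.generate_private_key(public_exponent=65537, key_size=1024)
    k2048 = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    kp256 = ec.generate_private_key(ec.SECP256R1())
    before = datetime(2013, 6, 30, tzinfo=timezone.utc)  # expires before the sunset
    after = datetime(2014, 6, 30, tzinfo=timezone.utc)   # still valid after the sunset
    certs = [
        make_self_signed("old-1024.example", k1024, before),
        make_self_signed("late-1024.example", k1024, after),   # the disputed case
        make_self_signed("modern-2048.example", k2048, after),
        make_self_signed("p256.example", kp256, after),
    ]
    return b"".join(c.public_bytes(serialization.Encoding.PEM) for c in certs)


def demo():
    """Audit the sample inventory under the BR date and under a one-year extension."""
    pem = sample_bundle()
    current = audit_pem_bundle(pem)
    extended = audit_pem_bundle(pem, sunset=BR_1024_SUNSET.replace(year=2014))
    return current, extended


if __name__ == "__main__":
    current, extended = demo()
    for label, rows in (("BR sunset 2013-12-31", current), ("extended to 2014-12-31", extended)):
        print(label)
        for cn, bits, verdict in rows:
            print(f"  {cn:22} {str(bits):>5} bits  {verdict}")
```

Only the second certificate is a violation under the current date: a 1024-bit key that is unexpired past the sunset. Moving the sunset out by a year, as proposed in the thread, turns that same certificate into "tolerated-until-sunset" without changing anything else, which is exactly the population a CA would have to count before deciding whether to rekey early or support a ballot.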


