[cabfpub] BR Requirements for 1024-bit Certificates

Rob Stradling rob.stradling at comodo.com
Thu Jan 31 22:46:14 UTC 2013


:-)

On 31/01/13 22:44, Rick Andrews wrote:
> +1
>
> Our responses crossed in the mail :^)
>
>> -----Original Message-----
>> From: Rob Stradling [mailto:rob.stradling at comodo.com]
>> Sent: Thursday, January 31, 2013 2:43 PM
>> To: public at cabforum.org
>> Cc: Rick Andrews; Eddy Nigg (StartCom Ltd.)
>> Subject: Re: [cabfpub] BR Requirements for 1024-bit Certificates
>>
>> Section "1. Scope" says:
>> "Except where explicitly stated otherwise, these requirements apply
>> only to relevant events that occur on or after the Effective Date."
>>
>> For 1024-bit certs that were issued before the Effective Date and which
>> expire after Dec 31st 2013, what "relevant event...on or after the
>> Effective Date" are we talking about that would cause the BRs to become
>> applicable?
>>
>> (I wouldn't classify "a cert continues to be both unexpired and
>> unrevoked" as an "event").
>>
>> On 31/01/13 22:29, Rick Andrews wrote:
>>> We support changing the date in the BR, as we have tens of thousands
>>> of such certs, many issued long before the BR was enacted. It would be
>>> extremely disruptive to many of our customers to replace them early.
>>>
>>> I agree that we don't want to wait until the catastrophe arrives, but
>>> AFAIK the largest number factored was less than 800 bits. Factoring a
>>> 1024-bit number is far, far more difficult. If there is consensus for
>>> a ballot, I would endorse it.
>>>
>>> -Rick
>>>
>>> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
>>> *On Behalf Of* Eddy Nigg (StartCom Ltd.)
>>> *Sent:* Thursday, January 31, 2013 2:12 PM
>>> *To:* public at cabforum.org
>>> *Subject:* Re: [cabfpub] BR Requirements for 1024-bit Certificates
>>>
>>>
>>> On 01/31/2013 11:58 PM, From Wayne Thayer:
>>>
>>> I'm not yet aware of any known practical brute force attack on 1024
>>> bit RSA keys.  On the other hand, it is clear that there will be a
>>> major impact on existing SSL sites as CAs work to rekey 10's of
>>> thousands of certificates this year.  I'd like to propose that we
>>> extend the deadline in the BRs for revoking existing certs with 1024
>>> bit keys pending further evidence of a practical vulnerability.  Do
>>> others support this change?
>>>
>>>
>>> No, at least we don't - those that took steps to ensure adequate key
>>> sizes in the past were at a disadvantage when refusing to sign
>>> certificates with smaller keys. Today with the BR in place, the same
>>> rules are applied throughout the industry and I don't consider it a
>>> good idea to roll back on this (and other issues) which we finally
>>> nailed down.
>>>
>>> Additionally we don't have to wait for the catastrophe to arrive in
>>> order to take actions, we really should be at least a half-step
>>> ahead.
>>>
>>> Finally I do consider a promise to revoke such certificates in
>>> December 2013 not compliant to the BR - and probably also not to some
>>> of the software vendors' requirements if I recall correctly. So your
>>> statement is correct, that as of today there shouldn't be any
>>> certificates with a validity of a year and more with 1024 bit keys.
>>>
>>> Regards
>>>
>>> Signer: Eddy Nigg, COO/CTO
>>> StartCom Ltd. <http://www.startcom.org>
>>> XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
>>> Blog: Join the Revolution! <http://blog.startcom.org>
>>> Twitter: Follow Me <http://twitter.com/eddy_nigg>
>>>
>>
>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.
