[cabfpub] Need exception to 1024-bit revocation requirement

Geoff Keating geoffk at apple.com
Thu Jun 6 13:51:51 MST 2013


On 06/06/2013, at 12:36 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:

> It’s come to our attention that we’ve issued 1024-bit SSL certs to customers that use them with what are called “pre-PCI POS PIN acceptance devices”, and that those devices are incapable of working with a 2048-bit key. VISA has stated that those devices may be used until December 31, 2014 (see http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CDcQFjAA&url=http%3A%2F%2Fusa.visa.com%2Fdownload%2Fmerchants%2Fretirement-of-pre-pci-attended-pos-pin-entry-devices.pdf&ei=Nd6wUaa2ForXigKb-4BY&usg=AFQjCNHtHptM1jQudRTl8pnMx-MKC7z6fw&sig2=ItouLeVwv8wkQYGpi9nPVQ&bvm=bv.47534661,d.cGE), and our customers feel that revoking them will cause grave financial harm.
>  
> These devices perform the client side of SSL, so there is no browser involved at all. It’s unfortunate that these certs chain up to public roots and are therefore subject to Baseline Requirements, but I believe that it was standard practice for CAs to issue all SSL certs from their public roots. In many cases we didn’t even know that the customer was using them with a device and not a browser.
>  
> Therefore I feel we need an exception to not revoke 1024-bit certs that we determine are used by these devices. Given the environment in which they are used, and given that VISA is forcing customers to phase these out, I feel it would be very low risk to simply let these certs live until their expiration.
>  
> I welcome your comments.

Could you clarify: Are these certificates issued as SSL server certificates?  If so, for which server are they issued? Do they have an extendedKeyUsage field?

If they have an extendedKeyUsage field which has id-kp-clientAuth and does not have id-kp-serverAuth, then I believe the BRs aren't intended to apply, because they're not server certificates.

I also have another question: What 1024-bit revocation requirement?  You can't issue new 1024-bit certificates but I don't remember anyone saying that 1024-bit certificates existing before the BRs took effect should be revoked...
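The EKU test Geoff proposes, written out as an added example in Go (not code from the thread or from any CA's tooling): Classify reports whether a certificate's extendedKeyUsage keeps it outside server-certificate scope, plus its RSA modulus size, and MakeTestCert builds constructed self-signed samples to run it against; the hostname-free subject and one-day validity are placeholders for the example only.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"math/big"
	"time"
)

// Classify applies the test proposed in the reply: an EKU naming
// id-kp-clientAuth but not id-kp-serverAuth means "not a server certificate".
// No EKU at all is treated as usable for server auth; rsaBits is 0 for non-RSA.
func Classify(cert *x509.Certificate) (serverAuth, clientOnly bool, rsaBits int) {
	hasClient, hasServer := false, false
	for _, eku := range cert.ExtKeyUsage {
		switch eku {
		case x509.ExtKeyUsageClientAuth:
			hasClient = true
		case x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageAny:
			hasServer = true
		}
	}
	serverAuth = hasServer || len(cert.ExtKeyUsage) == 0
	clientOnly = hasClient && !hasServer
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		rsaBits = pub.N.BitLen()
	}
	return serverAuth, clientOnly, rsaBits
}

// MakeTestCert builds a self-signed sample certificate (constructed for this
// example, not a real issued one) with the given RSA size and EKU list.
func MakeTestCert(bits int, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A 1024-bit certificate whose EKU carries only clientAuth comes back clientOnly, while one with no EKU extension at all is still reported as usable for server auth.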