[cabfpub] Need exception to 1024-bit revocation requirement

[Rick Andrews]

> A very enthusiastic +1.  What possible reason is there for embedded
> devices intended for a dedicated function in a closed business
> ecosystem to be default-trusted as servers on the public Web by every
> browser?

Brad, what I said was "These devices perform the client side of SSL, so there is no browser involved at all." Maybe I wasn't clear. These are client devices that talk on the public internet to web servers, and they expect those web servers to have a 1024-bit cert chaining up to one of the roots in their trust stores. It's true that someone with a browser might come across those servers, but that's not intended. The issue I raise is that if those webservers upgrade to a 2048-bit cert, the devices will no longer be able to connect to them.

> It doesn't seem like it would cause "grave financial harm" for Visa to
> begin trusting a non-public CA when it contacts these devices.  Are the
> devices incapable of being re-provisioned with new certificates from a
> different root, or just using 2048 bit ones?

Visa doesn't contact these devices. These devices contact servers on the public internet. AFAIK, these devices are incapable of performing the client side of SSL if they get back a 2048-bit SSL cert.

I understand the arguments that others have made about the risk to Web PKI. What I'm trying to say is that Web PKI and non-Web PKI have been conflated for some time, and pulling them apart is not going to be easy.

-Rick