[cabfpub] Proposed addition to BRs allowing issuance of <2048

Gervase Markham gerv at mozilla.org
Fri Jun 14 08:39:19 MST 2013


On 14/06/13 16:16, Eddy Nigg (StartCom Ltd.) wrote:
> Perhaps read the communication preceding your replies where Rick
> explicitly confirmed that they are used on HTTP servers using HTTP over
> SSL/TLS.

But browsers don't talk the protocol they use on top.

>> Er no, a key which gets cracked due to small size can't be used for
>> anything other than impersonating the sites whose names are embedded
>> in it.
> 
> Sure, but if that's your argument, why should we care AT ALL which key
> sizes end-user certificates use then? I mean if Google wants to use 1024
> bit keys let 'em, it's only their sites that get compromised. For that
> matter any other site...

Except that we are aiming to protect the browser users who visit Google.
Google is a website designed to be visited by browsers.

In this case, there are no browser users who visit the servers
concerned. It is, I submit, Visa's and the issuing bank's responsibility
to assess the risk of using 1024-bit certificates on those connections,
and ban them when they think they need banning.

>> There's no point talking about "512-bit keys" as a whole, because
>> there's a massive difference between a 512-bit intermediate, which if
>> cracked can issue for any site on the Net, and a 512-bit leaf cert,
>> which if cracked allows someone to imitate only the site for which it
>> was issued.
> 
> To all of my knowledge the 512 bit key certificates compromised recently
> were end-user certificates and IIRC Mozilla disabled the CA certificate
> that issued them. No CA certificates were compromised at that time. Can
> you explain the logic to disable that Malaysian CA then?

https://blog.mozilla.org/security/2011/11/03/revoking-trust-in-digicert-sdn-bhd-intermediate-certificate-authority/

"Nevertheless, given our concerns about the technical practices of this
certificate authority, we intend to revoke trust in the DigiCert Sdn.
Bhd. intermediate certificate authority."

This was clearly a CA which didn't know what it was doing.

Gerv
