[cabfpub] To revoke or not to revoke 1024

Rick Andrews Rick_Andrews at symantec.com
Sun Jun 23 19:32:29 UTC 2013

We discussed this a bit in our face-to-face meeting in Munich, but did not reach consensus. I'd like to continue the conversation with all via the list.

Putting aside the question of "web pki" vs. "non-web pki", Symantec and other CAs would like to see if we can achieve consensus on these questions:

1)      Do CAs need to revoke 1024-bit end-entity certs by the end of 2013?
a.      I believe that some CAs believed that revoking such certs was mandatory. However, I see no hard evidence of that.
b.      The BRs say that 1024-bit can be issued as long as the end date is before December 31, 2013. Others have said that a CA that was compliant with the BRs would not have issued a 1024-bit end entity cert after the effective date if its end date was 2014 or later. However, we've seen that not all CAs became compliant on July 1, 2012. Given what we now know about audits and effective dates, it seems to me that there is a lot of uncertainty here.
c.      Apart from the BRs, CAs have to consider browser policy which may go above and beyond the BRs. In a private conversation with Tom Albertson of Microsoft, he told me that "Our policy doesn't contemplate CAs revoking EE certs issued before 1 Jan 2014, unless or until an RSA factoring attack is imminent, and we all go into response mode." Mozilla's policy seems to be similar - it says that such certs must expire by January 1, 2014, but it does not mandate that CAs revoke any such certs that would live beyond that date.
d.      If there is no clear direction here, I propose that CAs simply let all 1024-bit end entity certs expire naturally, as long as the CA has stopped issuing 1024-bit end entity certs, and made an honest effort to comply with the BRs (hard to define, but at the very least would mean that the CA wasn't still issuing multi-year 1024-bit certs in 2013).
2)      Since the BRs effectively cover only certs issued after "the effective date", does that mean that certs issued before "the effective date" don't need to be revoked?
a.      That is my interpretation. Given what I said in 1) above, even those certs issued after the effective date don't need to be revoked, unless some browser's policy mandates that action.
3)      What about code signing certs?
a.      The BRs don't cover non-EV code signing certs, so again this goes back to browser policy. And unless some browser comes forth with unambiguous policy on code signing certs, I would suggest they are also off the table (do not need to be revoked).

Please comment, especially browser vendors. Thanks,


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130623/952744a9/attachment-0002.html>

More information about the Public mailing list