[cabfpub] Need exception to 1024-bit revocation requirement

Rick Andrews Rick_Andrews at symantec.com
Thu Jun 6 20:56:14 UTC 2013


> Could you clarify: Are these certificates issued as SSL server
> certificates?  If so, for which server are they issued? Do they have an
> extendedKeyUsage field?

They are SSL certs. I haven't examined them all yet, but I suspect they all
have an EKU with clientAuth and serverAuth.

> If they have an extendedKeyUsage field which has id-kp-clientAuth and
> does not have id-kp-serverAuth, then I believe the BRs aren't intended
> to apply, because they're not server certificates.

They have both; they're regular SSL certs consumed by non-browser devices.

> I also have another question: What 1024-bit revocation requirement?
> You can't issue new 1024-bit certificates but I don't remember anyone
> saying that 1024-bit certificates existing before the BRs took effect
> should be revoked...

Appendix A of the Baseline Requirements says that 2048 bits is the minimum
RSA modulus size for Subscriber certificates with Validity Period ending
after 31 Dec 2013. This implies that any SSL certs with keys less than 2048
bits with validity extending into 2014 and beyond must be revoked by the end
of this year.

-Rick
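Added example, not part of Rick's message or the CA/Browser Forum's own tooling: a small audit script that applies the reading of Appendix A given above (RSA modulus under 2048 bits, validity ending after 31 Dec 2013) together with the EKU scoping point from the quoted question (a certificate whose EKU lacks id-kp-serverAuth is not a server certificate). The `cryptography` library dependency, the self-signed test certificates it builds, and the choice to treat a certificate with no EKU at all as in scope are assumptions for illustration.

```python
"""Flag Subscriber certs that the BR Appendix A 2048-bit cutoff would
require revoking by the end of 2013 (added example, not from the thread).
"""
from __future__ import annotations

import datetime
from dataclasses import dataclass

MIN_RSA_BITS = 2048
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth


def utc(year, month, day, hour=0, minute=0, second=0):
    """Tz-aware UTC datetime helper."""
    return datetime.datetime(year, month, day, hour, minute, second,
                             tzinfo=datetime.timezone.utc)


CUTOFF = utc(2013, 12, 31, 23, 59, 59)   # "Validity Period ending after 31 Dec 2013"


@dataclass
class CertFacts:
    subject: str
    key_bits: int | None            # None for non-RSA keys
    not_after: datetime.datetime
    ekus: frozenset[str] | None     # None when no EKU extension is present


def is_server_cert(ekus):
    """EKU with id-kp-serverAuth => server cert. No EKU at all is treated
    as in scope; that conservative choice is an assumption, not from the BRs."""
    if ekus is None:
        return True
    return OID_SERVER_AUTH in ekus


def needs_revocation(facts, cutoff=CUTOFF, min_bits=MIN_RSA_BITS):
    """Return (must_revoke, reason) under the Appendix A reading above."""
    if not is_server_cert(facts.ekus):
        return False, "not a server certificate (EKU lacks id-kp-serverAuth)"
    if facts.key_bits is None:
        return False, "non-RSA key, outside this check"
    if facts.key_bits >= min_bits:
        return False, f"{facts.key_bits}-bit RSA meets the {min_bits}-bit minimum"
    if facts.not_after <= cutoff:
        return False, f"{facts.key_bits}-bit RSA but expires {facts.not_after:%Y-%m-%d}, before the cutoff"
    return True, f"{facts.key_bits}-bit RSA valid until {facts.not_after:%Y-%m-%d}, past the cutoff"


def facts_from_pem(pem_bytes):
    """Extract CertFacts from a PEM certificate (needs the cryptography package)."""
    from cryptography import x509
    from cryptography.hazmat.primitives.asymmetric import rsa

    cert = x509.load_pem_x509_certificate(pem_bytes)
    pub = cert.public_key()
    bits = pub.key_size if isinstance(pub, rsa.RSAPublicKey) else None
    not_after = getattr(cert, "not_valid_after_utc", None)
    if not_after is None:   # older cryptography versions expose a naive UTC datetime
        not_after = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        ekus = frozenset(oid.dotted_string for oid in eku)
    except x509.ExtensionNotFound:
        ekus = None
    return CertFacts(cert.subject.rfc4514_string(), bits, not_after, ekus)


def _self_signed(bits, days, ekus):
    """Build a constructed self-signed test cert dated from this thread (June 2013)."""
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    from cryptography.x509.oid import NameOID, ObjectIdentifier

    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, f"test-{bits}-{days}d")])
    start = utc(2013, 6, 6)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name).public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(start)
               .not_valid_after(start + datetime.timedelta(days=days)))
    if ekus is not None:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ObjectIdentifier(o) for o in ekus]), critical=False)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    samples = [
        (1024, 365, {OID_SERVER_AUTH, OID_CLIENT_AUTH}),   # expires June 2014: revoke
        (1024, 100, {OID_SERVER_AUTH}),                    # expires Sept 2013: fine
        (1024, 365, {OID_CLIENT_AUTH}),                    # client-only EKU: out of scope
        (2048, 365, {OID_SERVER_AUTH, OID_CLIENT_AUTH}),   # 2048-bit: fine
    ]
    for bits, days, ekus in samples:
        facts = facts_from_pem(_self_signed(bits, days, ekus))
        flag, why = needs_revocation(facts)
        print(f"{facts.subject:<22} {'REVOKE' if flag else 'ok    '} {why}")
```

The decision logic in `needs_revocation` is deliberately separated from the certificate parsing so it can be run over an inventory exported from a CA database (subject, key size, notAfter, EKU OIDs) without touching the certificates themselves; `facts_from_pem` is only one way to produce that input.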