[cabfpub] Need exception to 1024-bit revocation requirement

Geoff Keating geoffk at apple.com
Thu Jun 6 21:24:19 UTC 2013


On 06/06/2013, at 1:56 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:

> they're regular SSL certs consumed by non-browser devices.
> 
>> I also have another question: What 1024-bit revocation requirement?
>> You can't issue new 1024-bit certificates but I don't remember anyone
>> saying that 1024-bit certificates existing before the BRs took effect
>> should be revoked...
> 
> Appendix A of the Baseline Requirements says that 2048 bits is the minimum
> RSA modulus size for Subscriber certificates with Validity Period ending
> after 31 Dec 2013. This implies that any SSL certs with keys less than 2048
> bits with validity extending into 2014 and beyond must be revoked by the end
> of this year.


I don't read it that way.

We agreed that certificates issued before the BRs came into force are not required to be revoked just because they don't comply with the BRs.  Otherwise CAs would have had to revoke many certificates on the first day.

For certificates issued after the BRs took effect: The Validity Period is defined as the time between issuance and the expiry date in the certificate.  Revocation does not change it.  The BRs do not allow issuance of 1024-bit certificates with a later expiration date than 31 Dec 2013, even if the plan is to revoke them on or before that date.  In principle, if any such certificates were issued, they should be revoked within 24 hours (of realising they were misissued) under 13.1.5 paragraph 8.
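The two-branch reading above (pre-BR certificates are not forced into revocation; post-BR 1024-bit certificates expiring after 31 Dec 2013 are misissued) can be run over a certificate inventory. This is an added example, not code from the thread or the CA/B Forum; it assumes a BR effective date of 1 July 2012 and uses a constructed inventory.

```python
from dataclasses import dataclass
from datetime import date

# Assumed values for this example: the BRs took effect on 1 July 2012;
# Appendix A requires >= 2048-bit RSA for Subscriber certificates whose
# Validity Period ends after 31 Dec 2013.
BR_EFFECTIVE = date(2012, 7, 1)
MIN_RSA_BITS = 2048
CUTOFF = date(2013, 12, 31)


@dataclass
class CertRecord:
    serial: str
    rsa_bits: int
    not_before: date  # issuance date: start of the Validity Period
    not_after: date   # expiry in the certificate: end of the Validity Period


def classify(cert: CertRecord) -> str:
    """Apply the reading of Appendix A argued in the message above.

    The Validity Period runs from issuance to the notAfter date in the
    certificate; revoking the certificate does not shorten it.
    """
    if cert.rsa_bits >= MIN_RSA_BITS or cert.not_after <= CUTOFF:
        return "compliant"
    if cert.not_before < BR_EFFECTIVE:
        # Issued before the BRs: non-compliance alone does not require revocation.
        return "legacy-no-revocation-required"
    # Issued under the BRs with an expiry the BRs do not permit: misissued,
    # to be revoked within 24 hours of discovery (BR 13.1.5 paragraph 8).
    return "misissued-revoke-within-24h"


def audit(inventory):
    """Map each certificate serial to its verdict."""
    return {c.serial: classify(c) for c in inventory}


# Constructed sample inventory (not real certificates).
SAMPLE = [
    CertRecord("01", 2048, date(2013, 1, 1), date(2016, 1, 1)),
    CertRecord("02", 1024, date(2013, 1, 1), date(2013, 12, 31)),
    CertRecord("03", 1024, date(2011, 3, 1), date(2014, 3, 1)),
    CertRecord("04", 1024, date(2013, 2, 1), date(2014, 2, 1)),
]

if __name__ == "__main__":
    for serial, verdict in audit(SAMPLE).items():
        print(serial, verdict)
```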
