[cabfpub] Need exception to 1024-bit revocation requirement

Geoff Keating geoffk at apple.com
Thu Jun 6 22:44:52 UTC 2013


On 06/06/2013, at 3:20 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:

> Brad, what I said was "These devices perform the client side of SSL, so there is no browser involved at all." Maybe I wasn't clear. These are client devices that talk on the public internet to web servers, and they expect those web servers to have a 1024-bit cert chaining up to one of the roots in their trust stores. It's true that someone with a browser might come across those servers, but that's not intended. The issue I raise is that if those webservers upgrade to a 2048-bit cert, the devices will no longer be able to connect to them.

I see! Sorry I didn't understand this from what you said before.

This now sounds a lot like previously discussed situations, for example the one which prompted section 12 paragraph 5 (direct issuance from a root CA).

Are the roots these devices support 1024-bit roots, perchance?