[cabfpub] Need exception to 1024-bit revocation requirement

Gervase Markham gerv at mozilla.org
Fri Jun 7 10:10:38 UTC 2013

On 06/06/13 22:51, Ryan Sleevi wrote:
> Thanks for confirming that these certs do present possible risk to
> the Web PKI and the users that rely upon it.

Can we evaluate that risk for a moment?

AIUI, the situation is that there are Visa or bank-owned servers out
there to which these devices connect using an SSL connection, and the
devices require a 1024-bit server cert.

(Rick: have you checked whether they can deal with 1536 or some other
intermediate size?)

The risk is that 1024-bit certs become factorable. If that happens, then
attackers would be able to break into these connections and steal the
credit card data of customers purchasing from merchants who are still
using these terminals. This is not a risk to web users in the course of
their using the web, but a risk to those customers.

This risk is greater than it should be for 1 year - the time between the
BR 1024-bit deadline and Visa's deadline before which these merchants
will have needed to buy new equipment anyway.

Requiring the certs be revoked basically means telling Visa that it will
need to change the deadline from Dec 31st 2014 to Dec 31st 2013 - in
other words, businesses who thought they had 18 months to replace their
equipment now have 6. Businesses have been working towards the current
Visa deadline for 3 years.

Have I got this right so far?
