[cabfpub] Need exception to 1024-bit revocation requirement

Phillip philliph at comodo.com
Fri Jun 7 17:48:22 UTC 2013


Yes, the CAs have a need for exemptions from the browser providers.

My point was that this is an issue that the browser providers have control over. Or at least the ones that update their code automatically.

If it is known with confidence that Google Chrome and/or Firefox is going to croak on a 1024-bit cert at a date certain, then nobody is going to want to use them for Web browsing type purposes. Only the people that have a serious need for them are going to continue. CAs are going to continue to want to move their customers off the 1024-bit certs or face a major support issue on New Year's Day.


I guess that part of the reason we are here is that there is a structural asymmetry in this game. CAs need to get the approval of browsers but browsers don't need to get approval from CAs. So CABForum requirements are all phrased as CA requirements even if they would be more appropriately enforced by the browsers.

Of course the browsers don't want to turn off 1024-bit certs without knowing this is going to have minimal impact, so they do need some effort by the CAs, but they have the primary ability to protect their users of current browsers.




On Jun 7, 2013, at 12:29 PM, Rick Andrews wrote:

> The problem is that any CA that has issued such SSL certs to such non-web PKI applications, and needs to continue to issue them for business continuity, will fail their audit and will have to engage in a discussion with each trust store owner to convince them to retain their roots.
> 
> It's not just us and it's not just this particular usage. Other CAs have the same issue.
> 
> -Rick
> 
> On Jun 7, 2013, at 9:13 AM, "Phillip" <philliph at comodo.com> wrote:
> 
>> I thought that the original point of the drop-dead date was that the browsers are going to stop trusting 1024-bit certs at some point in the future.
>> 
>> Ergo there should be no need for an exception. Mozilla, IE, Google etc. just turn off support for the 1024-bit certs in their browsers. The Visa certs are issued as before, but the only devices that will accept them are the Visa POS (Point of Sale) terminals.
>> 
>> So what is the problem?