[cabfpub] Need exception to 1024-bit revocation requirement

Robert Relyea rrelyea at redhat.com
Sat Jun 8 00:24:36 UTC 2013


On 06/07/2013 09:06 AM, Gervase Markham wrote:
> On 07/06/13 16:54, Rick Andrews wrote:
>> I agree with you that the greater risk is to users of these devices,
>> not so much to users of web PKI.
> You say "not so much"; can you think of _any_ risk to users of the web
> PKI? I'm not sure I can...


So these certs are SSL-capable certificates, which chain to a browser 
trusted PKI. If someone captured one of the certs, and then compromised 
the 1024-bit key, they could masquerade as any hostname these certs 
advertise.

That risk would be mitigated if there were no hostname in the CN or in 
the Subject Alt Name. It's probably likely the case that there isn't. Do 
you know, Rick?


>
>> Please try to see this from the customer's perspective. As far as
>> they are concerned, Visa is the controlling entity for the use of
>> these devices. Then the CABF comes along and tells them they have to
>> phase them out sooner because of risk to browser users.
> If my understanding is correct, then I would be of the view that we,
> Mozilla, should accept a BR audit from Symantec which has an exception
> for this particular situation. (But it's Kathleen who decides.)
>
> Gerv
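The check discussed in the message above (a 1024-bit key combined with a hostname in the CN or Subject Alt Name), as an added example that is not part of the original thread. It assumes the Python `cryptography` package; `make_cert`, the sample names and the CN hostname heuristic are constructed for illustration, and it does not verify that a certificate chains to a browser-trusted root.

```python
import datetime, re
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Assumption: a CN counts as a hostname if it is dot-separated DNS labels.
HOSTNAME_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def advertised_hostnames(cert):
    """Names a TLS client could match: SAN dNSName entries plus hostname-like CNs."""
    names = set()
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        names.update(san.value.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        pass  # no SAN extension at all
    for attr in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME):
        if HOSTNAME_RE.match(attr.value):
            names.add(attr.value)
    return sorted(names)

def assess(cert):
    """Flag certs whose weak RSA key could be used to impersonate a named host."""
    key = cert.public_key()
    weak = isinstance(key, rsa.RSAPublicKey) and key.key_size <= 1024
    names = advertised_hostnames(cert)
    return {"weak_rsa": weak, "hostnames": names,
            "impersonation_risk": weak and bool(names)}

def make_cert(cn, dns_names=(), bits=1024):
    """Build a constructed, self-signed sample certificate (demo input only)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.datetime(2013, 6, 8)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(start)
               .not_valid_after(start + datetime.timedelta(days=365)))
    if dns_names:
        san = x509.SubjectAlternativeName([x509.DNSName(n) for n in dns_names])
        builder = builder.add_extension(san, critical=False)
    return builder.sign(key, hashes.SHA256())
```

A certificate loaded with `x509.load_pem_x509_certificate` can be passed to `assess` in place of the constructed samples.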

