[cabfpub] Proposed addition to BRs allowing issuance of <2048
Yngve N. Pettersen
yngve at spec-work.net
Tue Jun 11 21:30:58 UTC 2013
On Tue, 11 Jun 2013 22:56:07 +0200, Rick Andrews
<Rick_Andrews at symantec.com> wrote:
> As discussed in our face-to-face meeting in Munich, I propose the
> following addition to the BRs. I believe there was consensus to allow
> issuance of <2048 bit end entity certs in certain specific cases, just
> as the BRs currently allow for issuance directly from the root for
> certain specific cases. Please see attached pdf.

Personally, I don't like this proposal, and think it should not be
approved.

However, if it should be approved I suggest the following improvements:

- The allowed purposes need to be defined in a stricter fashion,
particularly #1 (infrastructure), which IMO can be read to allow 1024 bit
OCSP for 2048 bit issuers.
- There should be an absolute sunset for this exception, preferably with
a list of uses and reasoning why they deserve an exception, or there
should be a good explanation for why not.
- Number #3a should specify a deployment date that is well before this
year, at least before 2008, preferably 2005. The current phrasing could
allow somebody to claim and be granted an exception for a system first
deployed in the past couple of years (or this year, if "Effective Date"
refers to the current year).

My preference would also be that the customer is required to migrate every
application that can be upgraded to a different server that has a 2048+
bit certificate. That way the damage potential of allowing 1024-bit keys
is limited further, since only the obsolete client applications are using
that server, not the more capable ones.

--
Sincerely,
Yngve N. Pettersen
Using Opera's mail client: http://www.opera.com/mail/