[cabfpub] Proposed addition to BRs allowing issuance of <2048

Rick Andrews Rick_Andrews at symantec.com
Fri Jun 14 07:15:43 UTC 2013

On Jun 13, 2013, at 11:01 PM, "Ryan Sleevi" <sleevi at google.com> wrote:
> Wouldn't it be better for the industry to push for an exception to
> those policies, which carry no security risk to users, then, rather
> than encouraging a practice that the industry recognizes has security
> problems?

Ryan, what industry are you referring to? The CA industry, payment (PCI) industry, the telecom industry? I believe they've all begun strengthening their security policies, albeit on different timetables. 

I think there may be a way out of this mess. It's very likely that these older devices rely on our older 1024-bit roots (I'm on vacation for the next two weeks so it will take me time to confirm that). Trust Stores are already asking CAs if they can remove them from their lists. It's similar to your idea, but instead of creating brand new roots now for web PKI customers, we CAs can try to relegate our old 1024-bit roots to these non-browser users, and try to prevent any non-browser users from relying on our public roots in the future.
