[cabfpub] Proposed addition to BRs allowing issuance of <2048

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Fri Jun 14 14:36:13 UTC 2013


On 06/14/2013 12:43 PM, From Gervase Markham:
> These are embedded devices accessing specific servers which are designed
> to communicate with them. If this was happening over a private network,
> it would clearly be not "Web PKI". Are you saying that any SSL
> connection which traverses the public Internet is "Web PKI"?

If those sites/servers using such certificates are accessed through the 
HTTPS protocol they are within the scope of the BR/EV since it can be 
accessed with a browser. A compromised key due to its small size can be 
very well used for other purpose than the specific device it's used at 
that time.

> Why is this situation different from the "issue from the root" 
> situation, where we have a limited exception for legacy compatibility?

Who said that I'm happy with this exception? I'm absolutely not, but 
root certificates are much tighter controlled through the browser and 
software vendors whereas end user certificates are issued according to 
the judgement of the CAs. There is no instance that weighs in the risk 
involved.

Otherwise why should we or anybody else care if various CAs issued 512 
bit keys until recently if not the entire PKI eco system would be at 
risk? We (and others) decided that 1024 shouldn't be used anymore as of 
a certain date in order to prevent a practical compromise as it happened 
with 512 keys or MD5 hashes.


Regards
Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130614/130c19e8/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4540 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130614/130c19e8/attachment-0001.p7s>


More information about the Public mailing list