[cabfpub] Proposed addition to BRs allowing issuance of <2048

Gervase Markham gerv at mozilla.org
Fri Jun 14 14:46:45 UTC 2013

On 14/06/13 15:36, Eddy Nigg (StartCom Ltd.) wrote:
> If those sites/servers using such certificates are accessed through the
> HTTPS protocol they are within the scope of the BR/EV since it can be
> accessed with a browser.

What do you mean by "can be accessed with a browser"? There's been
nothing said which suggests that these devices talk HTTP to their
servers. And even if they did, a browser wouldn't speak the protocol
they use on top of HTTP.

These servers are not intended for use with a browser. They don't host
consumer-facing websites on the same DNS names (I'm 99.999% sure).

> A compromised key due to its small size can be
> very well used for other purpose than the specific device it's used at
> that time.

Er no, a key which gets cracked due to small size can't be used for
anything other than impersonating the sites whose names are embedded in
it. Unless I've missed something?

> Otherwise why should we or anybody else care if various CAs issued 512
> bit keys until recently if not the entire PKI eco system would be at
> risk? 

There's no point talking about "512-bit keys" as a whole, because
there's a massive difference between a 512-bit intermediate, which if
cracked can issue for any site on the Net, and a 512-bit leaf cert,
which if cracked allows someone to imitate only the site for which it
was issued.


More information about the Public mailing list