[cabfpub] Proposed addition to BRs allowing issuance of <2048

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Fri Jun 14 15:16:05 UTC 2013

On 06/14/2013 05:46 PM, From Gervase Markham:
> What do you mean by "can be accessed with a browser"? There's been 
> nothing said which suggests that these devices talk HTTP to their 
> servers.

Perhaps read the communication preceding your replies where Rick 
explicitly confirmed that they are used on HTTP servers using HTTP over 

> Er no, a key which gets cracked due to small size can't be used for 
> anything other than impersonating the sites whose names are embedded 
> in it.

Sure, but if that's your argument, why should we care AT ALL which keys 
sizes end-user certificates use then? I mean if Google wants to use 1024 
bit keys let'em, it's only their sites that get compromised. For that 
matter any other site...

If you confirm, I propose that we don't impose any requirement as to the 
key size of end-user certificates, anything will go...

> There's no point talking about "512-bit keys" as a whole, because 
> there's a massive difference between a 512-bit intermediate, which if 
> cracked can issue for any site on the Net, and a 512-bit leaf cert, 
> which if cracked allows someone to imitate only the site for which it 
> was issued. 

To all of my knowledge the 512 bit key certificates compromised recently 
were end-user certificates and IIRC Mozilla disabled the CA certificate 
that issued them. No CA certificates were compromised at that time. Can 
you explain the logic to disable that Malaysian CA then?

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130614/79133f5e/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4540 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130614/79133f5e/attachment-0001.p7s>

More information about the Public mailing list