[cabfpub] Proposed addition to BRs allowing issuance of <2048

Gervase Markham gerv at mozilla.org
Fri Jun 14 15:39:19 UTC 2013

On 14/06/13 16:16, Eddy Nigg (StartCom Ltd.) wrote:
> Perhaps read the communication preceding your replies where Rick
> explicitly confirmed that they are used on HTTP servers using HTTP over

But browsers don't talk the protocol they use on top.

>> Er no, a key which gets cracked due to small size can't be used for
>> anything other than impersonating the sites whose names are embedded
>> in it.
> Sure, but if that's your argument, why should we care AT ALL which keys
> sizes end-user certificates use then? I mean if Google wants to use 1024
> bit keys let'em, it's only their sites that get compromised. For that
> matter any other site...

Except that we are aiming to protect the browser users who visit Google.
Google is a website designed to be visited by browsers.

In this case, there are no browser users who visit the servers
concerned. It is, I submit, Visa's and the issuing bank's responsibility
to assess the risk of using 1024-bit certificates on those connections,
and ban them when they think they need banning.

>> There's no point talking about "512-bit keys" as a whole, because
>> there's a massive difference between a 512-bit intermediate, which if
>> cracked can issue for any site on the Net, and a 512-bit leaf cert,
>> which if cracked allows someone to imitate only the site for which it
>> was issued. 
> To all of my knowledge the 512 bit key certificates compromised recently
> were end-user certificates and IIRC Mozilla disabled the CA certificate
> that issued them. No CA certificates were compromised at that time. Can
> you explain the logic to disable that Malaysian CA then?


"Nevertheless, given our concerns about the technical practices of this
certificate authority, we intend to revoke trust in the DigiCert Sdn.
Bhd. intermediate certificate authority."

This was clearly a CA which didn't know what it was doing.


More information about the Public mailing list