[cabfpub] Proposed addition to BRs allowing issuance of <2048

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Fri Jun 14 16:26:29 UTC 2013


On 06/14/2013 06:39 PM, From Gervase Markham:
> On 14/06/13 16:16, Eddy Nigg (StartCom Ltd.) wrote:
>> Perhaps read the communication preceding your replies where Rick
>> explicitly confirmed that they are used on HTTP servers using HTTP over
>> SSL/TLS.
> But browsers don't talk the protocol they use on top.

I don't know, but does it matter really? If somebody can access it, 
he/she can also learn whatever protocol that is.

> In this case, there are no browser users who visit the servers
> concerned. It is, I submit, Visa's and the issuing bank's responsibility
> to assess the risk of using 1024-bit certificates on those connections,
> and ban them when they think they need banning.

Isn't it Google's responsibility then to assess the risk if it wants to 
use 1K keys? So where exactly do you want to draw the line?

If it's Google you don't agree but if it's Visa you agree? And if it's a 
user using some outdated router do you agree too? Maybe only for Alexa 
top 100 host names? Else?

> This was clearly a CA which didn't know what it was doing.

Probably - but their offense was first of all that they issued 512-bit
keys (which might not be such a bad thing after all following your
logic). Then they were non-revocable. You can find such non-revocable
certificates [*] also from other CAs apparently. And then one might ask
if we need any rules at all...

[*] 
http://news.netcraft.com/archives/2013/05/23/would-you-knowingly-trust-an-irrevocable-ssl-certificate.html


Regards
Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

