[cabfpub] To revoke or not to revoke 1024

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Tue Jun 25 00:35:35 UTC 2013


Kathleen - on your code signing cert comments - Trend Micro isn't issuing them now, and has now outstanding 1024 bit certs -- but I think Rick made the point in the past that a lot of good code has been signed with 1024 bit code signing certs in prior years, and I think everyone has to keep those signing certs valid past 2013 in order to allow ongoing revocation checking in 2014 and beyond - if the old code signing certs are revoked, won't that render the underlying code signed by the certs invalid (even though there is nothing wrong with the code)?

Wouldn't it make more sense to say that 1024 bit code signing certs may not be USED to sign NEW code after 12/31/2013, but will not be revoked (i.e., will be allowed to expire according to their expiration date) in order that revocation checking may continue after 2013?  I'm not sure how you make sure the holder of a code signing cert does not use to sign new code after 2013 - maybe the browsers check signed code for the issue date for code signing certs used to sign code after 2013, and throw up a warning if the cert was used to sign new code after 2013?

We still favor allowing 1024 bit certs issued before the BR effective date for non-web page legacy devices to be allowed to expire UNLESS an actual security threat is shown (in which case all CAs with outstanding certs of this type proceed to speedy revocation) - obviously, CAs would need to notify their customers this year (as early as possible) of the possibility of sudden revocation in 2014, and urge transition to 2048 bit certs as quickly as possible.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Kathleen Wilson
Sent: Monday, June 24, 2013 3:32 PM
To: public at cabforum.org
Subject: Re: [cabfpub] To revoke or not to revoke 1024

Rick,


Please comment, especially browser vendors.

Mozilla's wiki page about this (https://wiki.mozilla.org/CA:MD5and1024) was created in April 2010, and email about it was also sent to CAs (https://wiki.mozilla.org/CA:Communications#October_11.2C_2010)

The wiki page allows for use of 1024-bit certs when needed for interoperability reasons:
"- This means that CAs should only consider issuing a 1024-bit certificate if it is requested and justified by the subscriber for a specific reason, such as interoperability with devices that do not yet support certificates with larger key sizes.
- The CA must assess the risk involved in issuing such a certificate for legacy use/interoperability, and determine if they are willing to accept the risk, as well as any possible liability. The subject and relying parties also need to determine if they will accept any risks and liabilities."

The wiki page also makes it clear that CAs should not expect continued support of 1024-bit certs in Mozilla products:
"Under no circumstances should any party expect continued support for RSA key size smaller than 2048 bits past December 31, 2013."



Do CAs need to revoke 1024-bit end-entity certs by the end of 2013?

I think that depends on the type of cert and when it expires.

I am fine with S/MIME certs being transitioned whenever they expire, even if it is a couple of years out. Though, I won't guarantee support of those certs in Mozilla products.

I would like to see the transition from 1024-bit SSL and code signing certs happen soon. However, it really doesn't matter to me what the exact date is, as long as the transition is completed before it becomes an emergency.

Also on the wiki page: "December 31, 2013 - Mozilla will disable the SSL and Code Signing trust bits for root certificates with RSA key sizes smaller than 2048 bits. If those root certificates are no longer needed for S/MIME, then Mozilla will remove them from NSS."

In hindsight, I should have said "after December 31...". My goal is Q1 2014, and I am working on this in Mozilla Bugzilla #881553.


Since the BRs effectively cover only certs issued after "the effective date", does that mean that certs issued before "the effective date" don't need to be revoked?

That was my interpretation of the BRs, but Mozilla's communication about phasing out 1024-bit certs started in 2010. In 2010 I also exchanged direct email with representatives of the CAs that had 1024-bit root certs included in Mozilla products at that time, so all impacted CAs were well aware of Mozilla's requirements.


What about code signing certs?

What I said above applies to both SSL and code signing certs.


Kathleen



On 6/23/13 12:32 PM, Rick Andrews wrote:
We discussed this a bit in our face-to-face meeting in Munich, but did not reach consensus. I'd like to continue the conversation with all via the list.

Putting aside the question of "web pki" vs. "non-web pki", Symantec and other CAs would like to see if we can achieve consensus on these questions:


  1.  Do CAs need to revoke 1024-bit end-entity certs by the end of 2013?
a.        I believe that some CAs believed that revoking such certs was mandatory. However, I see no hard evidence of that.
b.       The BRs say that 1024-bit can be issued as long as the end date is before December 31, 2013. Others have said that a CA that was compliant with the BRs would not have issued a 1024-bit end entity cert after the effective date if its end date was 2014 or later. However, we've seen that not all CAs became compliant on July 1, 2012. Given what we now know about audits and effective dates, it seems to me that there is a lot of uncertainty here.
c.        Apart from the BRs, CAs have to consider browser policy which may go above and beyond the BRs. In a private conversation with Tom Albertson of Microsoft, he told me that "Our policy doesn't contemplate CAs revoking EE certs issued before 1 Jan 2014, unless or until an RSA factoring attack is imminent, and we all go into response mode." Mozilla's policy seems to be similar - it says that such certs must expire by January 1, 2014, but it does not mandate that CAs revoke any such certs that would live beyond that date.
d.       If there is no clear direction here, I propose that CAs simply let all 1024-bit end entity certs expire naturally, as long as the CA has stopped issuing 1024-bit end entity certs, and made an honest effort to comply with the BRs (hard to define, but at the very least would mean that the CA wasn't still issuing multi-year 1024-bit certs in 2013).

  1.  Since the BRs effectively cover only certs issued after "the effective date", does that mean that certs issued before "the effective date" don't need to be revoked?
e.       That is my interpretation. Given what I said in 1) above, even those certs issued after the effective date don't need to be revoked, unless some browser's policy mandates that action.

  1.  What about code signing certs?
f.         The BRs don't cover non-EV code signing certs, so again this goes back to browser policy. And unless some browser comes forth with unambiguous policy on code signing certs, I would suggest they are also off the table (do not need to be revoked).

Please comment, especially browser vendors. Thanks,

-Rick







_______________________________________________

Public mailing list

Public at cabforum.org<mailto:Public at cabforum.org>

https://cabforum.org/mailman/listinfo/public


<table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130625/d8118c9c/attachment-0003.html>


More information about the Public mailing list