On 2014-07-07 13:29, Hubert Kario wrote:
----- Original Message -----
From: "David E. Ross" <nobody@nowhere.invalid>
Why should Mozilla provide cover for server administrators who fail to
update their servers and for certification authorities who fail to
communicate clearly with their customers?  I believe such action will
only encourage further such failures.

Because it is Mozilla that distrusts 1024 bit RSA CA keys ahead of
CA/Browser forum schedule:

" Root CA Certificate issued prior to 31 Dec. 2010 with an RSA
key size less than 2048 bits MAY still serve as
a trust anchor for Subscriber Certificates issued in accordance
with these Requirements."

There is no date as to when 1024 bit RSA roots are to be untrusted,
unlike the intermediate certificates which all *do* have a hard date:
31st December 2014.

That's 31st December 2013.

I say that we should accommodate all the changes that are necessary to
increase the strength of the trust chain. If shipping a pre-cached (not
explicitly trusted!) intermediate CA certificate requires that, so be it.

Yes, I've made the same suggestion and I think that is the best way forward.


Kurt
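As an added defender's check, not code from the thread or from Mozilla: a POSIX shell script that walks a PEM chain with the openssl CLI and flags RSA keys below 2048 bits, applying the Baseline Requirements wording Hubert quotes (a self-signed root issued before 2011 is tolerated, every other certificate under 2048 bits is flagged). The bundle path, the year-granularity reading of "prior to 31 Dec 2010", and telling roots from intermediates by self-signature are assumptions of this example.

```shell
#!/bin/sh
# Audit a PEM bundle (roots, intermediates, leaf) for RSA keys under 2048 bits,
# applying the Baseline Requirements wording quoted in the thread:
#   - a self-signed root issued before 31 Dec 2010 MAY keep a <2048-bit key
#     (the BRs give it no sunset date; a browser's own policy may be stricter)
#   - any other certificate with a <2048-bit key is flagged (BR cut-off 31 Dec 2013)
# Needs the openssl CLI; "before 31 Dec 2010" is approximated at year granularity.

# Pure policy decision: $1 = key bits, $2 = notBefore year, $3 = "root" or "other".
classify() {
  if [ "$1" -ge 2048 ]; then echo "OK"
  elif [ "$3" = root ] && [ "$2" -le 2010 ]; then echo "TOLERATED pre-2011 root, no BR sunset date"
  else echo "WEAK key must be >= 2048 bits (BR deadline 31 Dec 2013)"
  fi
}

# One line per certificate file: STATUS | bits | notBefore year | subject.
audit_cert() {
  cert=$1
  text=$(openssl x509 -in "$cert" -noout -text)
  subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
  issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
  # notBefore looks like "Jan  1 00:00:00 2010 GMT"; the year is the 4th field.
  year=$(openssl x509 -in "$cert" -noout -startdate | sed 's/^notBefore=//' | awk '{print $4}')
  if ! echo "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
    echo "SKIP non-RSA key | - | $year | $subject"; return
  fi
  # Matches both "RSA Public-Key: (N bit)" (1.1.x) and "Public-Key: (N bit)" (3.x).
  bits=$(echo "$text" | grep -o 'Public-Key: ([0-9]* bit)' | grep -o '[0-9]*')
  kind=other; [ "$subject" = "$issuer" ] && kind=root   # self-signed => trust anchor
  echo "$(classify "$bits" "$year" "$kind") | $bits | $year | $subject"
}

# Split a concatenated PEM bundle into single certificates and audit each one.
audit_chain() {
  dir=$(mktemp -d)
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++; f=sprintf("%s/cert%02d.pem", d, n)}
                   f{print > f} /-----END CERTIFICATE-----/{close(f); f=""}' "$1"
  for c in "$dir"/cert*.pem; do audit_cert "$c"; done
  rm -rf "$dir"
}

# Usage (the bundle path is a placeholder): audit_chain /path/to/chain.pem
```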

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy