I have posted the following in mozilla.dev.security.policy for
discussion. I am copying the posting here for your convenience. Please
post your comments/feedback into the discussion in
mozilla.dev.security.policy.
--
The following dates are based on several discussions within the Mozilla
community and on communication with CAs who have MD5 and 1024-bit root
certificates in NSS.
- High Level Summary of Dates -
June 30, 2011 – Mozilla will stop accepting MD5 as a hash algorithm for
intermediate and end-entity certificates.
December 31, 2010 – CAs must stop issuing from 1024-bit roots. All CAs
must also stop issuing 1024-bit certificates under any root.
December 31, 2013 – Mozilla will disable or remove all 1024-bit root
certificates.
Caveats to proposed dates:
1) Mozilla will take these actions earlier and at its sole discretion if
necessary to keep our users safe.
2) CAs may request that their legacy roots be disabled or removed from
NSS earlier, according to
https://wiki.mozilla.org/CA:Root_Change_Process.
- Background -
MD5 certificates may be compromised when attackers can create a fake
cert that hashes to the same value as one with a legitimate signature,
and is hence trusted. Mozilla can mitigate this potential vulnerability
by turning off support for MD5-based signatures. The MD5 root
certificates don’t necessarily need to be removed from NSS, because the
signatures of root certificates are not validated (roots are
self-signed). Disabling MD5 will impact intermediate and end-entity
certificates, where the signatures are validated.
The relevant CAs have confirmed that they stopped issuing MD5
certificates. However, there are still many end-entity certificates that
would be impacted if support for MD5-based signatures were turned off
today. Therefore, we are hoping to give the affected CAs time to react,
and are proposing the date of June 30, 2011 for turning off support for
MD5-based signatures. The relevant CAs are aware that Mozilla will turn
off MD5 support earlier if needed.
The other concern that needs to be addressed is that of RSA1024 being
too small a modulus to be robust against faster computers. Unlike a
signature algorithm, where only intermediate and end-entity certificates
are impacted, fast math means we have to disable or remove all instances
of 1024-bit moduli, including the root certificates.
The NIST recommendation is to discontinue 1024-bit RSA certificates by
December 31, 2010. Therefore, CAs have been advised that they should not
sign any more certificates under their 1024-bit roots by the end of this
year.
The date for disabling/removing 1024-bit root certificates will be
dependent on the state of the art in public key cryptography, but under
no circumstances should any party expect continued support for this
modulus size past December 31, 2013. As mentioned above, this date could
get moved up substantially if new attacks are discovered. We recommend
all parties involved in secure transactions on the web move away from
1024-bit moduli as soon as possible.
I look forward to your feedback on this. After this round of discussion,
I will send another communication to the CAs who have MD5 and 1024-bit root
certificates in NSS.
Kathleen
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
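The chain audit that the Background section of the posting implies, written here as an added example (it is not Mozilla's or NSS's code): it applies the two rules above to a leaf-first list of DER certificates. MD5 is flagged only where the signature is actually validated, that is on intermediate and end-entity certificates and never on a self-signed root, while an RSA modulus below 2048 bits (the assumed replacement size; the posting itself only says to move away from 1024) is flagged everywhere, roots included. The block uses only the Python standard library with a small DER encoder and parser; the three certificates, the names `Legacy Root`, `Legacy CA` and `www.example.test`, and their all-zero signature values are constructed inside the block, so it checks certificate structure and key size, not signature validity.

```python
"""Chain audit for the two rules in the posting: MD5 signatures are flagged only
where they are validated (intermediates and end-entity certs, never a self-signed
root); RSA moduli under 2048 bits are flagged everywhere, roots included. Stdlib
only; the sample certs are constructed inline with placeholder signatures."""

OID_RSA, OID_MD5_RSA = "1.2.840.113549.1.1.1", "1.2.840.113549.1.1.4"  # rsaEncryption, md5WithRSA
OID_SHA256_RSA, OID_CN = "1.2.840.113549.1.1.11", "2.5.4.3"  # sha256WithRSA, commonName

# --- minimal DER encoder, only what the constructed sample certs need ---
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def seq(*items): return tlv(0x30, b"".join(items))
def integer(n): return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # sign bit clear
def oid(dotted):
    a = [int(p) for p in dotted.split(".")]
    out = [40 * a[0] + a[1]]
    for p in a[2:]:  # base-128, high bit set on all but the last byte
        chunk = [p & 0x7F]
        while p > 0x7F:
            p >>= 7
            chunk.insert(0, 0x80 | (p & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))
def alg(o): return seq(oid(o), tlv(0x05, b""))  # AlgorithmIdentifier with NULL parameters
def name(cn): return seq(tlv(0x31, seq(oid(OID_CN), tlv(0x0C, cn.encode()))))  # one-CN Name

def make_cert(subject, issuer, sig_oid, modulus_bits, serial):
    # Real TBSCertificate layout; the signatureValue is an all-zero placeholder.
    key = seq(integer((1 << (modulus_bits - 1)) | 1), integer(65537))  # n, e
    spki = seq(alg(OID_RSA), tlv(0x03, b"\x00" + key))
    validity = seq(tlv(0x17, b"100101000000Z"), tlv(0x17, b"131231235959Z"))
    tbs = seq(tlv(0xA0, integer(2)), integer(serial), alg(sig_oid), name(issuer),
              validity, name(subject), spki)
    return seq(tbs, alg(sig_oid), tlv(0x03, b"\x00" * 17))

# --- minimal DER parser for the fields the audit reads ---
def _children(body):  # decode the TLVs in a DER body into (tag, value) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:  # long-form length
            n = ln & 0x7F
            ln, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + ln]))
        pos += ln
    return out
def _decode_oid(val):
    parts, acc = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [acc], 0
    return ".".join(map(str, parts))
def _cn(name_body):  # first commonName in a Name
    for _, rdn in _children(name_body):
        for _, atv in _children(rdn):
            o, v = _children(atv)
            if _decode_oid(o[1]) == OID_CN:
                return v[1].decode()
    return "?"

def parse_cert(der):
    """Subject CN, self-signed flag, signature OID and RSA modulus size."""
    tbs, sig_alg, _sig = _children(_children(der)[0][1])
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    _serial, _alg, issuer, _validity, subject, spki = fields[:6]
    spki_alg, spki_key = _children(spki[1])
    modulus_bits = None
    if _decode_oid(_children(spki_alg[1])[0][1]) == OID_RSA:
        rsa_key = _children(spki_key[1][1:])[0]  # skip the unused-bits octet
        modulus_bits = int.from_bytes(_children(rsa_key[1])[0][1], "big").bit_length()
    return {"subject": _cn(subject[1]), "self_signed": issuer[1] == subject[1],
            "sig_oid": _decode_oid(_children(sig_alg[1])[0][1]),
            "modulus_bits": modulus_bits}

def audit_chain(chain_der):
    """Apply the posting's two rules; returns (subject CN, finding) pairs."""
    findings = []
    for der in chain_der:
        c = parse_cert(der)
        # A self-signed root's signature is never validated, so MD5 there is moot;
        # on an intermediate or end-entity cert it is the collision risk.
        if c["sig_oid"] == OID_MD5_RSA and not c["self_signed"]:
            findings.append((c["subject"], "MD5 signature on a validated cert"))
        if c["modulus_bits"] is not None and c["modulus_bits"] < 2048:  # roots too
            findings.append((c["subject"], f"RSA modulus is {c['modulus_bits']} bits"))
    return findings

def sample_legacy_chain():  # constructed, leaf first: SHA-256/1024, MD5/2048, MD5/1024 root
    return [make_cert("www.example.test", "Legacy CA", OID_SHA256_RSA, 1024, 3),
            make_cert("Legacy CA", "Legacy Root", OID_MD5_RSA, 2048, 2),
            make_cert("Legacy Root", "Legacy Root", OID_MD5_RSA, 1024, 1)]
```

Running `audit_chain(sample_legacy_chain())` reports the 1024-bit leaf, the MD5-signed intermediate and the 1024-bit root, but says nothing about the root's own MD5 signature, which is exactly the distinction the posting draws. To audit a real chain, pass the DER bytes of each certificate (the base64-decoded body of a PEM file) in the same leaf-first order; the parser reads only the fields it needs and ignores extensions.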