At 7:09 PM -0700 5/29/08, Justin Dolske wrote:
>So? While it might not improve security *immediately*,

It will not improve security for the foreseeable future (assuming that we take the expiration dates on some of the root certs at face value).

>I don't see why a
>gradual transition to stricter requirements is a problem.

It is not a problem: it is also not a solution until the last of the smaller-keyed CAs are removed.

>Are you
>suggesting we're stuck with small keys forever, or that all CAs must
>switch simultaneously?

If not the latter, the former for a reasonable value of "forever".

Let's talk specifics. The Verisign "Class 3 Public Primary Certification Authority", which is widely used to create popular SSL certs on the Internet (see <https://www.amazon.com/>), has a 1024-bit RSA key and has an expiration date of Aug 1 23:59:59 2028. Yes, that's a bit over 20 years from now.

Unless Mozilla says "we are going to yank that particular Verisign certificate, and all the ones with similar key lengths, decades before they expire", there is absolutely no reason for us to, 20 years in advance, start requiring "new" CAs to use stronger keys. It is just not justified.

If we want to ramp up the mandatory key sizes, we need to also simultaneously promise to pull out all CAs that don't meet those sizes at a reasonable time. Otherwise, we are just pretending to be helping.

Proposal:

a) Starting January 1 2009, all new CA roots must be 2048 bit RSA or 256 bit EC.

b) Starting January 1 2014, all CA roots must be 2048 bit RSA or 256 bit EC.

Dates and sizes can be argued, of course. I would argue against the date in (b) being more than five years after the date in (a). If we adopt such a proposal, but later start to waver on (b), we immediately admit that (a) is silly from a security perspective.

--Paul Hoffman
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto