Kyle Hamilton:
There has been evidence of Microsoft, at the least, following this
group and acting on good ideas that started here. While it'd be nice
if that organization would comment here, I think that if they like
this plan (or anything like this plan) they'll implement it and it'll
end up being a fait accompli.
January 1 2009 particularly because it provides slightly less than 2
quarters of notice. Honestly, I would be quite happy if it went into
effect immediately; however, I do know that some Cisco VPN equipment
doesn't like 4096-bit root keys. I don't know if it likes 2048-bit
keys.
I would treat 'new' as 'new request'.
And I don't know if anyone's tried to submit a 1024-bit root recently.
I'm not aware of it, nor if any such root is requested to be included.
I'd suggest bringing that date forward, meaning it could be the 1st of
January 2007 or 2008. We don't have to wait for 2009 really.
As a matter of fact, Microsoft already has such a requirement and didn't
wait for Mozilla to offer this great idea ;-)
From
http://www.microsoft.com/technet/archive/security/news/rootcert.mspx?mfr=true
section general requirements #4:
"we require a minimum crypto key size of RSA 2048-bit modulus for any
root and all issuing CAs. Microsoft will no longer accept root
certificates with RSA 1024-bit modulus of any expiration."
Funnily, they contradict themselves in the sentence right after that:
"We prefer .... expire before the year 2030, especially if they have a
2048-bit RSA modulus."
Maybe they meant to say that roots should expire before 2030 if the key
is 2048-bit and not bigger than that.
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>