Dates for Phasing out MD5-based signatures and 1024-bit moduli

Kathleen Wilson

Apr 20, 2010, 4:32:09 PM
The following dates are based on several discussions within the Mozilla
community and on communication with CAs who have MD5 and 1024-bit root
certificates in NSS.

- High Level Summary of Dates -

June 30, 2011 – Mozilla will stop accepting MD5 as a hash algorithm for
intermediate and end-entity certificates.

December 31, 2010 – CAs must stop issuing from 1024-bit roots. All CAs
must also stop issuing 1024-bit certificates under any root.

December 31, 2013 – Mozilla will disable or remove all 1024-bit root
certificates.

Caveats to proposed dates:

1) Mozilla will take these actions earlier and at its sole discretion if
necessary to keep our users safe.
2) CAs may request that their legacy roots be disabled or removed from
NSS earlier, according to
https://wiki.mozilla.org/CA:Root_Change_Process.


- Background -

MD5 certificates may be compromised when attackers can create a fake
cert that hashes to the same value as one with a legitimate signature,
and is hence trusted. Mozilla can mitigate this potential vulnerability
by turning off support for MD5-based signatures. The MD5 root
certificates don’t necessarily need to be removed from NSS, because the
signatures of root certificates are not validated (roots are
self-signed). Disabling MD5 will impact intermediate and end entity
certificates, where the signatures are validated.

The relevant CAs have confirmed that they stopped issuing MD5
certificates. However, there are still many end entity certificates that
would be impacted if support for MD5-based signatures was turned off
today. Therefore, we are hoping to give the affected CAs time to react,
and are proposing the date of June 30, 2011 for turning off support for
MD5-based signatures. The relevant CAs are aware that Mozilla will turn
off MD5 support earlier if needed.

The other concern that needs to be addressed is that of RSA1024 being
too small a modulus to be robust against faster computers. Unlike a
signature algorithm, where only intermediate and end-entity certificates
are impacted, fast math means we have to disable or remove all instances
of 1024-bit moduli, including the root certificates.

The NIST recommendation is to discontinue 1024-bit RSA certificates by
December 31, 2010. Therefore, CAs have been advised that they should not
sign any more certificates under their 1024-bit roots by the end of this
year.

The date for disabling/removing 1024-bit root certificates will be
dependent on the state of the art in public key cryptography, but under
no circumstances should any party expect continued support for this
modulus size past December 31, 2013. As mentioned above, this date could
get moved up substantially if new attacks are discovered. We recommend
all parties involved in secure transactions on the web move away from
1024-bit moduli as soon as possible.

I look forward to your feedback on this. After this round of discussion,
I will send another communication to the CAs who have MD5 and 1024 root
certificates in NSS.

Kathleen

Eddy Nigg

Apr 20, 2010, 10:05:48 PM
On 04/20/2010 11:32 PM, Kathleen Wilson:

> The following dates are based on several discussions within the
> Mozilla community and on communication with CAs who have MD5 and
> 1024-bit root certificates in NSS.
>
> - High Level Summary of Dates -
>
> June 30, 2011 – Mozilla will stop accepting MD5 as a hash algorithm
> for intermediate and end-entity certificates.

This could be earlier, perhaps December 31, 2010. I believe that for
quite some time there are no CAs issuing MD5 hashed end-user
certificates anymore and intermediate CA certificates could be re-issued
with new hashes until then.

I think this is my only comment, the rest looks as expected.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg


Rob Stradling

Apr 21, 2010, 2:36:32 AM
to dev-secur...@lists.mozilla.org, Kathleen Wilson
"December 31, 2010...All CAs must also stop issuing 1024-bit certificates
under any root."

Kathleen, what will be the new minimum RSA key size that Mozilla will require
to be used in end-entity certificates and intermediate CA certificates
post-2010?

2048-bit?
1536-bit?
1025-bit?
1023-bit?
512-bit?
etc...

I'm guessing that your answer will be "2048-bit", but I'd like to see you
state that explicitly in order to avoid any chance of alternative
interpretations by any CAs or their customers who might want to continue to
use smaller moduli for performance reasons.

All you've actually stated so far (AFAICT) is that moduli of precisely 1024-
bits will be disallowed.

Thanks.

> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>

Rob Stradling
Senior Research & Development Scientist
C·O·M·O·D·O - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

Comodo CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the sender by replying
to the e-mail containing this attachment. Replies to this email may be
monitored by Comodo for operational or business reasons. Whilst every
endeavour is taken to ensure that e-mails are free from viruses, no liability
can be accepted and the recipient is requested to use their own virus checking
software.

Kathleen Wilson

Apr 22, 2010, 3:57:07 PM
On 4/20/10 11:36 PM, Rob Stradling wrote:
> "December 31, 2010...All CAs must also stop issuing 1024-bit certificates
> under any root."
>
> Kathleen, what will be the new minimum RSA key size that Mozilla will require
> to be used in end-entity certificates and intermediate CA certificates
> post-2010?
>
> 2048-bit?
> 1536-bit?
> 1025-bit?
> 1023-bit?
> 512-bit?
> etc...
>
> I'm guessing that your answer will be "2048-bit", but I'd like to see you
> state that explicitly in order to avoid any chance of alternative
> interpretations by any CAs or their customers who might want to continue to
> use smaller moduli for performance reasons.
>
> All you've actually stated so far (AFAICT) is that moduli of precisely 1024-
> bits will be disallowed.


Of course, you're right. The statement needs to be more clear. I'm not
sure of the best way to phrase it. How about:

December 31, 2010 – CAs must stop issuing from 1024-bit roots. All CAs
must also stop issuing certificates with RSA key size lower than 2048
under any root.

Kathleen

Eddy Nigg

Apr 22, 2010, 4:20:47 PM
On 04/22/2010 10:57 PM, Kathleen Wilson:

> Of course, you're right. The statement needs to be more clear. I'm not sure of the best way to phrase it. How about:
>
> December 31, 2010 – CAs must stop issuing from 1024-bit roots. All CAs must also stop issuing certificates with RSA key size lower than 2048 under any root.


"smaller than" would be perhaps even more correct. What about DSA keys? Any minimum requirement for those? And ECC? I might consider addressing them too.

Rob Stradling

Apr 22, 2010, 4:42:30 PM
to dev-secur...@lists.mozilla.org, Kathleen Wilson
On Thursday 22 April 2010 20:57:07 Kathleen Wilson wrote:
<snip>

> > All you've actually stated so far (AFAICT) is that moduli of precisely
> > 1024- bits will be disallowed.
>
> Of course, you're right. The statement needs to be more clear. I'm not
> sure of the best way to phrase it. How about:
>
> December 31, 2010 – CAs must stop issuing from 1024-bit roots. All CAs
> must also stop issuing certificates with RSA key size lower than 2048
> under any root.

Thanks Kathleen. That clarifies the specific issue I raised, but I've just
thought of some more...


"December 31, 2010 – CAs must stop issuing from 1024-bit roots."

Should that be "must", or should it be "MUST" ? Or, as you wrote elsewhere in
your post, should it be "should" (you wrote: "CAs have been advised that they
should not...").

Does "issuing from" only include issuing directly from? Or does it also
include issuing from existing subordinate CAs that chain to 1024-bit roots?
And what about issuing from existing >=2048-bit roots that have been cross-
certified by a <2048-bit root for legacy ubiquity reasons?

I'd suggest changing "from 1024-bit roots" to "from roots with RSA key sizes
<2048-bits".


"December 31, 2013 – Mozilla will disable or remove all 1024-bit root
certificates"

Again, I'd suggest changing "all 1024-bit root certificates" to "all root
certificates with RSA key sizes <2048-bit".

Steve Roylance

Apr 22, 2010, 4:53:06 PM
to dev-secur...@lists.mozilla.org, Kathleen Wilson
Hi Kathleen,

Please note that we have a handful of high volume customers who are
presently unable to create 2048 bit RSA keys and have to work with lower key
sizes. Not down to 1024, but 1536-bit RSA seems the most favourable (It's
particularly pertinent to smart cards and you'll find that anyone on the
list familiar with the Microsoft Root program will recognise this
exception.)

Thanks

Steve


Kathleen Wilson

Apr 22, 2010, 7:14:38 PM
I've created a wiki page with this information. I've incorporated
feedback, and I've stated the questions that I don't yet have answers for.

https://wiki.mozilla.org/CA:MD5and1024

I'll greatly appreciate further input and your thoughts on answers to
the questions.

Thanks,
Kathleen

Eddy Nigg

Apr 22, 2010, 7:23:29 PM
Hi Steve,

On 04/22/2010 11:53 PM, Steve Roylance:


> Please note that we have a handful of high volume customers who are
> presently unable to create 2048 bit RSA keys and have to work with lower key
> sizes. Not down to 1024, but 1536-bit RSA seems the most favourable (It's
> particularly pertinent to smart cards)

Out of personal interest, which smart cards (brand, type) support 1536
bit RSA keys but not 2048 bit? I've not come across such a species yet,
but I find smart cards an interesting subject in itself...so I'm asking...

Rob Stradling

Apr 23, 2010, 2:16:31 AM
to dev-secur...@lists.mozilla.org, Steve Roylance, Kathleen Wilson
On Thursday 22 April 2010 21:53:06 Steve Roylance wrote:
> Hi Kathleen,
>
> Please note that we have a handful of high volume customers who are
> presently unable to create 2048 bit RSA keys and have to work with lower
> key sizes. Not down to 1024, but 1536-bit RSA seems the most favourable
> (It's particularly pertinent to smart cards and you'll find that anyone on
> the list familiar with the Microsoft Root program will recognise this
> exception.)

Hi Steve. I thought someone might mention this issue. I don't see any
mention of 1536-bit key sizes in the current public Microsoft Root Certificate
Program requirements...
http://technet.microsoft.com/en-us/library/cc751157.aspx
...but I know it has been discussed in various forums.

I think Microsoft's intention is to enforce a minimum RSA key size of 2048-
bits wherever possible, but in those cases where 2048-bit keys are unsupported
(i.e. certain smartcards), 1536-bit keys will be allowed.

C·O·M·O·D·O - Creating Trust Online

Rolf Lindemann

Apr 23, 2010, 2:47:16 AM
to Kathleen Wilson, dev-secur...@lists.mozilla.org
Hi,

The current rule would allow issuing a certificate with 1024 bit RSA key and
3 years validity in November 2010 (expiring in 2013).
But it wouldn't allow issuing a certificate with 1024 bit RSA key in 2011
with 1 year validity (expiring in 2012).

Wouldn't it be better to require that certificates with 1024 bit RSA keys
must expire before end of 2013?

Kind regards,
Rolf

-----Original Message-----
From: dev-security-policy-bounces+lindemann=trustce...@lists.mozilla.org
[mailto:dev-security-policy-bounces+lindemann=trustce...@lists.mozilla.org] On Behalf Of Kathleen Wilson
Sent: Friday, April 23, 2010 01:15
To: dev-secur...@lists.mozilla.org
Subject: Re: Dates for Phasing out MD5-based signatures and 1024-bit moduli

https://wiki.mozilla.org/CA:MD5and1024

Thanks,
Kathleen

Gervase Markham

Apr 23, 2010, 7:00:17 AM
On 20/04/10 21:32, Kathleen Wilson wrote:
> June 30, 2011 – Mozilla will stop accepting MD5 as a hash algorithm for
> intermediate and end-entity certificates.

By this, do you mean "Software published by Mozilla will stop
accepting... and will instead give an error."? If so, it might be best
to spell it out.

Re: the 1536 question: is it possible to quantify the relative
difficulty of attacking 1024, 1536 and 2048-bit signatures? Is it
exponential in bit count (2^n) or something else?

If it is, then surely 1536 should be fine?

Gerv

Eddy Nigg

Apr 23, 2010, 12:22:08 PM
On 04/23/2010 09:16 AM, Rob Stradling:

> I think Microsoft's intention is to enforce a minimum RSA key size of 2048-
> bits wherever possible, but in those cases where 2048-bit keys are unsupported
> (i.e. certain smartcards), 1536-bit keys will be allowed.
>

I have yet to see a smart card which does 1536 bit and not 2048. Any
examples?

Kathleen Wilson

Apr 23, 2010, 1:17:41 PM
On 4/23/10 4:00 AM, Gervase Markham wrote:
> On 20/04/10 21:32, Kathleen Wilson wrote:
>> June 30, 2011 – Mozilla will stop accepting MD5 as a hash algorithm for
>> intermediate and end-entity certificates.
>
> By this, do you mean "Software published by Mozilla will stop
> accepting... and will instead give an error."? If so, it might be best
> to spell it out.
>

How about:

June 30, 2011 – Mozilla will stop accepting MD5 as a hash algorithm for
intermediate and end-entity certificates. After this date software
published by Mozilla will return an error when a certificate with an
MD5-based signature is used.

Nelson B

Apr 23, 2010, 3:13:17 PM
On 2010/04/22 23:16 PDT, Rob Stradling wrote:
> On Thursday 22 April 2010 21:53:06 Steve Roylance wrote:
>> Hi Kathleen,
>>
>> Please note that we have a handful of high volume customers who are
>> presently unable to create 2048 bit RSA keys and have to work with lower
>> key sizes. Not down to 1024, but 1536-bit RSA seems the most favourable
>> (It's particularly pertinent to smart cards and you'll find that anyone on
>> the list familiar with the Microsoft Root program will recognise this
>> exception.)
>
> Hi Steve. I thought someone might mention this issue. I don't see any
> mention of 1536-bit key sizes in the current public Microsoft Root Certificate
> Program requirements...
> http://technet.microsoft.com/en-us/library/cc751157.aspx
> ...but I know it has been discussed in various forums.
>
> I think Microsoft's intention is to enforce a minimum RSA key size of 2048-
> bits wherever possible, but in those cases where 2048-bit keys are unsupported
> (i.e. certain smartcards), 1536-bit keys will be allowed.

[snip]

I thought the device type that was cited as being unable to handle
2k-bit RSA keys and have millions in circulation was cell phones, not
"smart cards". Those cell phones are expected to be replaced in two more
years.

Steve Roylance

Apr 23, 2010, 5:43:56 PM
to Nelson B, dev-secur...@lists.mozilla.org
Hi Nelson,

I've asked the team in Japan to provide specific data on this. We'll post
out next week.

Steve

-----Original Message-----
From: dev-security-policy-bounces+steve.roylance=globals...@lists.mozilla.org
[mailto:dev-security-policy-bounces+steve.roylance=globals...@lists.mozilla.org] On Behalf Of Nelson B
Sent: 23 April 2010 20:13
To: dev-secur...@lists.mozilla.org
Subject: Re: Dates for Phasing out MD5-based signatures and 1024-bit moduli

[snip]

Steve Roylance

Apr 26, 2010, 2:49:02 AM
to dev-secur...@lists.mozilla.org, Kathleen Wilson
Dear all,

I've received confirmation from my tech team in Japan that key sizes >=2048
are indeed OK. (This also possibly explains why the 1536 bit language was
never included in the public facing Microsoft Root Program as initially
proposed)

Better to be safe than sorry!

GlobalSign therefore has no issues with RSA keys >=2048.

Thanks.

Steve


Medin, Steven

Apr 26, 2010, 9:53:06 AM
to Rolf Lindemann, Kathleen Wilson, dev-secur...@lists.mozilla.org
I notice that my distinguished former co-worker's comment has gone
unanswered and I share his interest in this question.

I thought we had one date, 12/31/2013.

Kind regards,
Steven Medin
Product Manager, Identity and Access Management
Verizon Cybertrust Security


-----Original Message-----
From: dev-security-policy-bounces+steve.medin=verizonbu...@lists.mozilla.org
[mailto:dev-security-policy-bounces+steve.medin=verizonbu...@lists.mozilla.org] On Behalf Of Rolf Lindemann
Sent: Friday, April 23, 2010 2:47 AM
To: Kathleen Wilson; dev-secur...@lists.mozilla.org
Subject: AW: Dates for Phasing out MD5-based signatures and 1024-bit moduli

Hi,

The current rule would allow issuing a certificate with 1024 bit RSA key and
3 years validity in November 2010 (expiring in 2013).
But it wouldn't allow issuing a certificate with 1024 bit RSA key in 2011
with 1 year validity (expiring in 2012).

Wouldn't it be better to require that certificates with 1024 bit RSA keys
must expire before end of 2013?

Kind regards,
Rolf

-----Original Message-----
From: dev-security-policy-bounces+lindemann=trustce...@lists.mozilla.org
[mailto:dev-security-policy-bounces+lindemann=trustce...@lists.mozilla.org] On Behalf Of Kathleen Wilson
Sent: Friday, April 23, 2010 01:15
To: dev-secur...@lists.mozilla.org
Subject: Re: Dates for Phasing out MD5-based signatures and 1024-bit moduli

https://wiki.mozilla.org/CA:MD5and1024

Thanks,
Kathleen

Kathleen Wilson

Jun 3, 2010, 2:49:40 PM
to mozilla-dev-s...@lists.mozilla.org
On 4/27/10 10:35 AM, Kathleen Wilson wrote:

> On 4/20/10 1:32 PM, Kathleen Wilson wrote:
>> The following dates are based on several discussions within the Mozilla
>> community and on communication with CAs who have MD5 and 1024-bit root
>> certificates in NSS.
>>
>
> All, thank you for your feedback and input on this. I will email the
> following communication to all of the CAs with root certificates in NSS.
>
> --

You may have noticed that I have not sent this communication to the CAs.
I postponed the communication in order to consider some additional input
and the following NIST proposal.

NIST is considering a proposal to update their guidelines for the
transitioning of cryptographic algorithms and key sizes, as per
http://storageconference.org/2010/Presentations/KMS/5.Barker.pdf

The NIST proposal specifically says:
* 80 bits of strength acceptable through 2010 (DSA and RSA:1024-bit
keys; ECDSA:160 to 223-bit keys)
* 80 bits of strength allowed from 2011 through 2013 (new)
Where “acceptable” means safe to use (as far as we know), and “allowed”
means users must accept some risk.

We are not interpreting this NIST proposal as a free-for-all extension
to continue issuance of 1024-bit certificates after this year. Rather,
we are interpreting the NIST proposal to mean that we may proceed with
caution in continuing to issue 1024-bit certificates in situations where
larger key sizes are still not properly supported. Additionally, we
should mitigate risk as much as possible. Finally, all 1024-bit
certificates must expire by the end of 2013.

We are considering updating our dates for phasing out 1024-bit
certificates to the following.

December 31, 2010 – Mozilla strongly recommends that all CAs stop
issuing end-entity certificates with RSA key size smaller than 2048 bits
under any root. If a CA has particular need to continue issuing
certificates with RSA key size smaller than 2048 bits beyond this date,
then they must ensure that all of those certificates will expire by the
end of 2013. CAs who continue to issue certificates with RSA key size
smaller than 2048 bits are strongly advised to use randomness in the
serial number or in one of the fields in the DN.

December 31, 2013 – Mozilla will disable or remove all root certificates
with RSA key sizes smaller than 2048 bits.

Caveats to proposed dates:
* Mozilla will disable or remove root certificates with RSA key sizes
smaller than 2048 bits earlier and at its sole discretion if necessary
to keep our users safe.
* CAs may request that their legacy roots be disabled or removed from
NSS earlier, according to the Root Change Process.

I will greatly appreciate your input on these proposed changes.
Kathleen
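
Added example, not part of the original thread and not Mozilla or NSS code: a small Python audit that applies the April 22 wording and the June 3 wording to constructed certificate records, including the two cases Rolf Lindemann raised, so the difference between an issuance-date rule and an expiry-date rule is visible. The record schema, the finding names and the reading of each date as the last permitted day are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Dates and the 2048-bit threshold are the ones proposed in the thread.
# Assumption: each date is the last day the old behaviour is still permitted.
ISSUANCE_CUTOFF = date(2010, 12, 31)
MD5_CUTOFF = date(2011, 6, 30)
SMALL_KEY_END = date(2013, 12, 31)
MIN_RSA_BITS = 2048


@dataclass(frozen=True)
class CertRecord:
    """Fields an inventory scan would record per certificate (hypothetical schema)."""
    name: str
    role: str          # "root", "intermediate" or "end-entity"
    rsa_bits: int
    sig_hash: str      # hash in the certificate's signature algorithm, e.g. "md5"
    not_before: date
    not_after: date


def _small_non_root(cert):
    # Assumption: the issuance rules are applied to every certificate below a root.
    return cert.role != "root" and cert.rsa_bits < MIN_RSA_BITS


def april_rule(cert):
    """April 22 wording: no issuance below 2048 bits after 2010; expiry is ignored."""
    if _small_non_root(cert) and cert.not_before > ISSUANCE_CUTOFF:
        return ["small-key-issued-after-2010"]
    return []


def june_rule(cert):
    """June 3 wording: late issuance is discouraged; validity past 2013 is the hard limit."""
    findings = []
    if _small_non_root(cert):
        if cert.not_after > SMALL_KEY_END:
            findings.append("small-key-valid-past-2013")
        if cert.not_before > ISSUANCE_CUTOFF:
            findings.append("small-key-discouraged")
    return findings


def trust_findings(cert, as_of):
    """What the proposed schedule implies for client-side trust on the date `as_of`."""
    findings = []
    # Root self-signatures are not validated, so MD5 only matters below the root.
    if cert.role != "root" and cert.sig_hash.lower() == "md5" and as_of > MD5_CUTOFF:
        findings.append("md5-signature-rejected")
    # Key size applies to roots as well: small roots are disabled or removed.
    if cert.role == "root" and cert.rsa_bits < MIN_RSA_BITS and as_of > SMALL_KEY_END:
        findings.append("small-root-removed")
    return findings


# Constructed sample records; none of these describe real certificates.
ROLF_CASE_1 = CertRecord("rolf-case-1", "end-entity", 1024, "sha1",
                         date(2010, 11, 15), date(2013, 11, 15))
ROLF_CASE_2 = CertRecord("rolf-case-2", "end-entity", 1024, "sha1",
                         date(2011, 3, 1), date(2012, 3, 1))
LONG_SMALL = CertRecord("long-lived-1024", "end-entity", 1024, "sha1",
                        date(2011, 6, 1), date(2014, 6, 1))
MD5_LEAF = CertRecord("md5-leaf", "end-entity", 2048, "md5",
                      date(2008, 1, 1), date(2012, 1, 1))
MD5_ROOT = CertRecord("md5-root-1024", "root", 1024, "md5",
                      date(1998, 1, 1), date(2020, 1, 1))
SAMPLES = [ROLF_CASE_1, ROLF_CASE_2, LONG_SMALL, MD5_LEAF, MD5_ROOT]


def compare(records):
    """Return {name: (april findings, june findings)} for side-by-side review."""
    return {c.name: (april_rule(c), june_rule(c)) for c in records}


if __name__ == "__main__":
    for name, (april, june) in compare(SAMPLES).items():
        print(f"{name:16} april={april} june={june}")
    for cert in SAMPLES:
        print(f"{cert.name:16} on 2014-01-01: {trust_findings(cert, date(2014, 1, 1))}")
```

The April wording rejects the one-year certificate issued in 2011 while accepting the three-year certificate issued in November 2010; the June wording accepts both and instead flags anything still valid after December 31, 2013.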


David E. Ross

Jun 3, 2010, 4:52:06 PM
to mozilla-dev-s...@lists.mozilla.org
On 6/3/10 11:49 AM, Kathleen Wilson wrote:
> On 4/27/10 10:35 AM, Kathleen Wilson wrote:
>> On 4/20/10 1:32 PM, Kathleen Wilson wrote:
>>> The following dates are based on several discussions within the Mozilla
>>> community and on communication with CAs who have MD5 and 1024-bit root
>>> certificates in NSS.
>>>
>>
>> All, thank you for your feedback and input on this. I will email the
>> following communication to all of the CAs with root certificates in NSS.
>>
>> --
>
> You may have noticed that I have not sent this communication to the CAs.
> I postponed the communication in order to consider some additional input
> and the following NIST proposal.
>
> NIST is considering a proposal to update their guidelines for the
> transitioning of cryptographic algorithms and key sizes, as per
> http://storageconference.org/2010/Presentations/KMS/5.Barker.pdf
>
> The NIST proposal specifically says:
> * 80 bits of strength acceptable through 2010 (DSA and RSA:1024-bit
> keys; ECDSA:160 to 223-bit keys)
> * 80 bits of strength allowed from 2011 through 2013 (new)
> Where “acceptable” means safe to use (as far as we know), and “allowed”
> means users must accept some risk.
>
> We are not interpreting this NIST proposal as a free-for-all extension
> to continue issuance of 1024-bit certificates after this year. Rather,
> we are interpreting the NIST proposal to mean that we may proceed with
> caution in continuing to issue 1024-bit certificates in situations where
> larger key sizes are still not properly supported. Additionally, we
> should mitigate risk as much as possible. Finally, all 1024-bit
> certificates must expire by the end of 2013.
>
> We are considering updating our dates for phasing out 1024-bit
> certificates to the following.
>
> December 31, 2010 – Mozilla strongly recommends that all CAs stop
> issuing end-entity certificates with RSA key size smaller than 2048 bits
> under any root. If a CA has particular need to continue issuing
> certificates with RSA key size smaller than 2048 bits beyond this date,
> then they must ensure that all of those certificates will expire by the
> end of 2013. CAs who continue to issue certificates with RSA key size
> smaller than 2048 bits are strongly advised to use randomness in the
> serial number or in one of the fields in the DN.
>
> December 31, 2013 – Mozilla will disable or remove all root certificates
> with RSA key sizes smaller than 2048 bits.
>
> Caveats to proposed dates:
> * Mozilla will disable or remove root certificates with RSA key sizes
> smaller than 2048 bits earlier and at its sole discretion if necessary
> to keep our users safe.
> * CAs may request that their legacy roots be disabled or removed from
> NSS earlier, according to the Root Change Process.
>
> I will greatly appreciate your input on these proposed changes.
> Kathleen
>
>

Because users might have changed trust settings on installed root
certificates or made other changes to cause copies of root certificates
to be entered into the users' databases, the following bugs should be
implemented by 31 Dec 2013:
<https://bugzilla.mozilla.org/show_bug.cgi?id=545498>
<https://bugzilla.mozilla.org/show_bug.cgi?id=558222>
The first one would ensure that the users can restore root certificates
to their default state in the NSS database in their configurations so
that, when an update to a Mozilla (or Mozilla-based) product is updated
to delete certificates, those users' certificates are indeed deleted.
The second one would alert users to the fact that, while a certificate
has been deleted from the NSS database, the users' configuration still
has active copies of that certificate.

For the case in which a site is still using a certificate that chains to
a deleted certificate after 31 Dec 2013, the following bug should also
be implemented by that date:
<https://bugzilla.mozilla.org/show_bug.cgi?id=548380>
This would allow a user to identify the problematic site certificate and
reach the affected Web site to locate a contact or feedback link to
report the problem to the site's owner. I realize that site
certificates issued before 31 Dec 2010 should expire by 31 Dec 2013, but
what should happen does not always actually happen.

--

David E. Ross
<http://www.rossde.com/>.

Anyone who thinks government owns a monopoly on inefficient, obstructive
bureaucracy has obviously never worked for a large corporation. © 1997

Eddy Nigg

Jun 3, 2010, 6:12:39 PM
to mozilla-dev-s...@lists.mozilla.org
On 06/03/2010 09:49 PM, From Kathleen Wilson:

> December 31, 2010 – Mozilla strongly recommends that all CAs stop
> issuing end-entity certificates with RSA key size smaller than 2048
> bits under any root.

Just to make sure we are all on the same page... "Mozilla very and
extremely strongly recommends" means that CAs WILL issue from and
continue to issue certificates with 1024 bit keys. Period.

If the threat assessment has changed in the meantime (which is fine in
my opinion if no other evidence has been presented so far), then I
believe we can probably hold that off for later. Just that there are no
illusions.....you might even find CAs proudly advertise that THEY issue
1024 keys as a benefit.
