Version 2.3 (May 3, 2021) of the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates says in the first table of "Appendix A Minimum Cryptographic Algorithm and Key Size Requirements" that:
Code Signing Certificates issued on or after the transition date and their corresponding Root Certificates and Subordinate CA Certificates:
Minimum RSA modulus size (bits): 3072
Transition Date: June 1, 2021
In general, all requirements of CABF documents apply only to certificate issuance that takes place after the specified deadlines, including those for CA certificates.
However, in this case, we interpret the requirement for RSA keys as follows:
From the transition date, all of the following requirements shall be met at the same time:
- the Code Signing Certificate shall be issued for a key of at least 3072 bits
- the issuing intermediate CA shall have an RSA key of at least 3072 bits, even if it was issued prior to the transition date
- the root CA shall have an RSA key of at least 3072 bits, even if it was issued prior to the transition date
So after the transition date, there is no way to issue Code Signing Certificates under a root CA having a 2048-bit RSA key.
Is our interpretation correct?
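As an added illustration of the interpretation stated above (this is not part of the original post and not code from the CA/Browser Forum), here is a standard-library Python check that reads the RSA modulus size out of DER-encoded keys (PKCS#1 RSAPublicKey or SubjectPublicKeyInfo) and, for issuance on or after the transition date, requires every key in the chain to meet the 3072-bit minimum regardless of when the CA certificates were issued. The sample moduli are constructed integers, not real keys; the DER encoder exists only to build them, and the check covers only the post-transition rule quoted above.

```python
"""Added example: apply the post-transition 3072-bit RSA minimum to a whole chain.

Implements the reading of CS BR v2.3 Appendix A given in the post: from the
transition date, leaf, every intermediate and the root must all carry RSA keys
of at least 3072 bits. Pure standard library; sample keys are constructed.
"""
from datetime import date

MIN_RSA_BITS = 3072
TRANSITION_DATE = date(2021, 6, 1)                # transition date from the post
RSA_OID = bytes.fromhex("2a864886f70d010101")    # 1.2.840.113549.1.1.1 rsaEncryption


# ---- minimal DER encoder, used only to build the constructed sample keys ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body          # keep the INTEGER positive
    return _der(0x02, body)


def rsa_public_key_der(n, e=65537):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    return _der(0x30, _der_int(n) + _der_int(e))


def spki_der(n, e=65537):
    """SubjectPublicKeyInfo: AlgorithmIdentifier(rsaEncryption, NULL) + BIT STRING."""
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_public_key_der(n, e)))


# ---- minimal DER reader ----
def _read_tlv(buf, off=0):
    """Return (tag, value, next_offset) for the TLV starting at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def rsa_modulus_bits(der):
    """Bit length of the RSA modulus in a DER RSAPublicKey or SubjectPublicKeyInfo."""
    tag, seq, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    first_tag, first, nxt = _read_tlv(seq)
    if first_tag == 0x30:              # SPKI: AlgorithmIdentifier then BIT STRING
        oid_tag, oid, _ = _read_tlv(first)
        if oid_tag != 0x06 or oid != RSA_OID:
            raise ValueError("not an rsaEncryption key")
        bs_tag, bitstr, _ = _read_tlv(seq, nxt)
        if bs_tag != 0x03 or bitstr[0] != 0:
            raise ValueError("malformed subjectPublicKey BIT STRING")
        return rsa_modulus_bits(bitstr[1:])   # inner RSAPublicKey
    if first_tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(first, "big").bit_length()


def check_chain(chain, issuance_date, minimum=MIN_RSA_BITS, transition=TRANSITION_DATE):
    """chain: list of (label, der_key) from leaf to root. Returns (compliant, findings).

    Only the post-transition rule is checked: for a leaf issued before the
    transition date this check reports nothing; from the transition date on,
    every key in the chain must meet the minimum, whatever the age of the CA.
    """
    if isinstance(issuance_date, str):
        issuance_date = date.fromisoformat(issuance_date)
    findings = []
    if issuance_date < transition:
        return True, findings
    for label, key in chain:
        bits = rsa_modulus_bits(key)
        if bits < minimum:
            findings.append(f"{label}: {bits}-bit RSA key is below the {minimum}-bit minimum")
    return not findings, findings


def _fake_modulus(bits):
    """Constructed integer of the requested bit length; NOT a real RSA modulus."""
    return (1 << (bits - 1)) | 1


# Constructed chain: 4096-bit leaf, 3072-bit intermediate, legacy 2048-bit root.
LEAF_4096 = rsa_public_key_der(_fake_modulus(4096))
NEW_ICA = spki_der(_fake_modulus(3072))
OLD_ROOT = spki_der(_fake_modulus(2048))
MIXED_CHAIN = [("leaf", LEAF_4096), ("intermediate", NEW_ICA), ("root", OLD_ROOT)]

if __name__ == "__main__":
    for when in ("2021-05-31", "2021-06-01"):
        ok, findings = check_chain(MIXED_CHAIN, when)
        print(when, "compliant" if ok else "NOT compliant", findings)
```

Run against real DER (for example the subjectPublicKeyInfo pulled from each certificate in a signing chain), the check flags exactly the case the post describes: a chain that is fine up to May 31, 2021 fails on June 1, 2021 solely because the root still carries a 2048-bit key.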