Formal notice given of rearrangement of deck chairs on RMS PKItanic

Matt Crawford crawdad at fnal.gov
Wed Oct 6 14:32:00 EDT 2010


On Oct 6, 2010, at 10:48 AM, Victor Duchovni wrote:

> On Wed, Oct 06, 2010 at 04:52:46PM +1300, Peter Gutmann wrote:
> 
>> From https://wiki.mozilla.org/CA:MD5and1024:
>> 
>>  December 31, 2010 - CAs should stop issuing intermediate and end-entity
>>  certificates from roots with RSA key sizes smaller than 2048 bits [0]. All
>>  CAs should stop issuing intermediate and end-entity certificates with RSA
>>  key size smaller than 2048 bits under any root.
>> 
>> [...]
>> 
>> [0] This is ambiguously worded, but it's talking about key sizes in EE certs.
> 
> What are "EE certs", did you mean "EV"?

EE = End Entity, but I don't read the first sentence the way Peter did. I parse it as

>> CAs should stop issuing (intermediate and end-entity
>> certificates) from (roots with RSA key sizes smaller than 2048 bits).

That is, if your CA key size is smaller, stop signing with it.

Of course, if it's important to stop signing with it, it's equally important to revoke all signatures already made.
