Formal notice given of rearrangement of deck chairs on RMS PKItanic

Thor Lancelot Simon tls at
Wed Oct 6 16:43:45 EDT 2010

On Wed, Oct 06, 2010 at 01:32:00PM -0500, Matt Crawford wrote:
> That is, if your CA key size is smaller, stop signing with it.

You may have missed the next sentence of Mozilla's statement:

> All CAs should stop issuing intermediate and end-entity certificates with
> RSA key size smaller than 2048 bits under any root.

That is, no matter how long your root key is (the previous sentence
stated the requirements about _that_) you may not use it to sign any
end-entity certificate whose key size is < 2048 bits.

	Gun: check.
	Bullets: check.
	Feet: check.

Now they have everything they need to prevent HTTPS Everywhere.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list