Wan-Teh Chang wrote:
There is also a critical difference between the Hashing and the keysize..... Once a CA chooses its keysize, then all certs signed by that CA will be signed with that key. If 1024 bits is weak, the CA can't issue a new subordinate CA which is signed with a 2048 bit signature (and vice versa).

Paul Hoffman wrote:

What about 1536-bit CA certs? This is a serious question. We need to understand whether or not the CAs we care about want this intermediate size for any reason, or if we make the required size after the cutoff to be 2048 bits.

I've never heard of anyone proposing 1536-bit CA certs. I've seen 2048-bit (and perhaps 4096-bit) CA certs and have seen 3072-bit CA certs mentioned in Draft FIPS 186-3.

Again, while we are at it, how about mandating SHA-246? We can safely assume complete deployment of it within five years.

I assume you meant SHA-256. If SHA-256 won't be made available in Windows XP, this is equivalent to assuming complete replacement of Windows XP within five years (when Windows XP is 10-11 years old). That's a tough question.

Hashing, on the other hand, can be changed on the fly. A CA which is signed with a SHA-1 hash can still sign its subordinates with a SHA-256 or 384 hash. By the same token, a CA that has a SHA-256 bit hash in the signature can issue certs with a SHA-1 hash in their signature.
Of course if SHA-1 is ever completely broken (in a preimage way, not a collision way), then any CA that has ever issued a SHA-1 certificate (independent of what kind of signature it uses in its cert) would be useless unless we reject all SHA-1 signatures. Currently we aren't facing that problem yet.....
bob
Wan-Teh
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
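The hash-versus-keysize distinction drawn in the message above, as an added example that is not part of the original thread: it works out, per certificate, whether a policy change can be met by re-signing with a different hash under the same CA key or needs a new key. The `Cert` class, the policy constants and the sample hierarchy are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_bits: int   # size of the RSA key this cert certifies (fixed for its lifetime)
    sig_hash: str   # hash the issuer picked when signing this one cert

# Assumed policy, for illustration only: 2048-bit minimum, SHA-1 rejected.
MIN_KEY_BITS = 2048
REJECTED_HASHES = {"sha1"}

def remediation(certs):
    """Map each subject to the cheapest fix its own issuer link needs, or 'ok'."""
    by_subject = {c.subject: c for c in certs}
    plan = {}
    for c in certs:
        signer = by_subject[c.issuer]
        is_root = c.subject == c.issuer  # a root's self-signature is not relied on
        if c.key_bits < MIN_KEY_BITS:
            plan[c.subject] = "rekey"
        elif not is_root and signer.key_bits < MIN_KEY_BITS:
            # Every signature made by a weak key is weak, whatever hash was used.
            plan[c.subject] = "reissue under new CA key"
        elif not is_root and c.sig_hash in REJECTED_HASHES:
            # The hash is chosen per signature, so the CA key can stay.
            plan[c.subject] = "re-sign with stronger hash, same CA key"
        else:
            plan[c.subject] = "ok"
    return plan

# Constructed sample hierarchy, not real certificates.
SAMPLE = [
    Cert("Old Root", "Old Root", 1024, "sha1"),
    Cert("Old Sub CA", "Old Root", 2048, "sha256"),
    Cert("site-a.example", "Old Sub CA", 2048, "sha256"),
    Cert("New Root", "New Root", 2048, "sha1"),
    Cert("New Sub CA", "New Root", 2048, "sha256"),
    Cert("site-b.example", "New Sub CA", 2048, "sha1"),
    Cert("site-c.example", "New Sub CA", 2048, "sha256"),
]

if __name__ == "__main__":
    for subject, fix in remediation(SAMPLE).items():
        print(f"{subject:16} {fix}")
```
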