At 5:51 PM -0700 5/29/08, Wan-Teh Chang wrote:
>It is reasonable to impose a stricter key size requirement on new root
>CAs than the currently accepted root CAs.

Why? (I mean that seriously.) The attack we are worried about is Mallory factoring the public key of any of the CAs in our root store and then using the discovered public key to create forged certificates from that CA. Since *all* of the roots have the same effective power (they can certify any domain name in the DNS), Mallory will always want to attack the easiest target, namely the shortest public key. Thus, if we have any 1024-bit keys in the root pile (and we might still have ones shorter...), requiring all new CA keys to be 2048 bits (for example) has no effect on Mallory: he still attacks one of the current roots and gets the exact same effect.

>Paul, are you questioning the stricter requirement for new root CAs,

Yes; see above. Of course, we could have a rule that requires all CA keys in the root pile to have a certain minimum length, but that would eliminate many commercially-important roots,

>or would you like us to improve the language in the wiki?

Yes. I see no reason to talk about "concern" for key sizes that we are telling all users to trust. Either we tell them to trust everything equally because we have vetted it, or they should trust nothing.

--Paul Hoffman