Paul Hoffman wrote:
> Let's talk specifics. The Verisign "Class 3 Public Primary Certification
> Authority", which is widely used to create popular SSL certs on the
> Internet (see <https://www.amazon.com/>), has a 1024-bit RSA key and has
> an expiration date of Aug 1 23:59:59 2028. Yes, that's a bit over 20
> years from now.
That is correct; however, the CAs are not unaware of the NIST guidelines on key length. I suspect that these 1024-bit roots will be deprecated and eventually removed long before 2028. For example, the EV guidelines state that no certificate with less than 2048-bit keys may be used in an EV certificate chain after 31st December 2010, which I believe was chosen because it's the end of the recommended time for stopping using 1024-bit keys set by NIST. (Page 70 in guidelines v1.1)

Gerv

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
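The point Gerv makes above is a mechanical one: after 31 December 2010 every certificate in an EV chain, root included, needs an RSA key of at least 2048 bits, regardless of how far off the certificate's own expiry date is. The following is an added example, not code from this thread, from Mozilla or from NSS, of how a practitioner might audit a chain against that rule. To stay dependency-free it decodes the DER RSAPublicKey structure (SEQUENCE { INTEGER n, INTEGER e }) by hand, and the sample chain is constructed: the moduli are random odd numbers of the right bit length rather than real RSA keys, and the root entry merely mirrors the 1024-bit, 2028-expiring root described in the quoted message. The cutoff date and the 2048-bit floor are the ones the post cites from the EV guidelines.

```python
"""Audit an RSA certificate chain against the post-2010 2048-bit floor.

Added example (assumptions: hand-rolled DER parsing of RSAPublicKey only,
constructed moduli that are NOT real RSA keys, constructed sample chain).
"""
import datetime
import random

# Cutoff named in the EV guidelines (v1.1, page 70) as quoted in the thread.
EV_1024_CUTOFF = datetime.date(2010, 12, 31)
MIN_BITS_AFTER_CUTOFF = 2048


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    """DER INTEGER for a non-negative value (pad with 0x00 if the top bit is set)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def encode_rsa_public_key(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der):
    """Bit length of the modulus inside a DER RSAPublicKey."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, modulus, _ = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    # int.from_bytes ignores the 0x00 padding octet, so bit_length is exact.
    return int.from_bytes(modulus, "big").bit_length()


def check_chain(chain, on_date):
    """Return (name, bits, not_after) for every cert below the floor.

    chain: list of (name, rsa_public_key_der, not_after date), leaf first.
    Before the cutoff nothing is flagged; after it, every cert in the chain
    (including the trust anchor) must carry at least MIN_BITS_AFTER_CUTOFF.
    """
    if on_date <= EV_1024_CUTOFF:
        return []
    violations = []
    for name, key_der, not_after in chain:
        bits = rsa_modulus_bits(key_der)
        if bits < MIN_BITS_AFTER_CUTOFF:
            violations.append((name, bits, not_after))
    return violations


# --- constructed sample chain (not real keys or certificates) ---------------
_rng = random.Random(2010)


def _fake_modulus(bits):
    """Odd random number with exactly `bits` bits; only its length matters here."""
    return _rng.getrandbits(bits) | (1 << (bits - 1)) | 1


SAMPLE_CHAIN = [
    ("leaf (constructed, 2048-bit)", encode_rsa_public_key(_fake_modulus(2048), 65537),
     datetime.date(2009, 6, 1)),
    ("intermediate (constructed, 2048-bit)", encode_rsa_public_key(_fake_modulus(2048), 65537),
     datetime.date(2014, 1, 1)),
    ("root (constructed, 1024-bit, expires 2028-08-01 like the root in the thread)",
     encode_rsa_public_key(_fake_modulus(1024), 65537), datetime.date(2028, 8, 1)),
]

if __name__ == "__main__":
    for day in (datetime.date(2010, 6, 1), datetime.date(2011, 1, 1)):
        print(day, check_chain(SAMPLE_CHAIN, day))
```

Run on 1 June 2010 the chain passes; run on 1 January 2011 the only entry flagged is the root, whose own validity runs to 2028. That is exactly the situation the post describes: the certificate's expiry date says nothing about whether policy still permits the key behind it.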