On Thursday 05 June 2008 12:59:13 Eddy Nigg (StartCom Ltd.) wrote:
> Rob Stradling:
> >> Additionally, most of the time the old and the new root will both be
> >> present in NSS for some time in order to allow a smooth transition,
> >> until the old root is removed.
> >
> > Eddy, I think you've missed the main point of my proposal. I am
> > suggesting that each existing valid-for-too-long 1024-bit RSA Root
> > Certificate should be replaced with a valid-for-not-too-far-beyond-2010
> > 1024-bit RSA Root Certificate *WITH THE SAME KEY*.
>
> Sorry Rob, yes I missed that one. But why do that? Why not replace
> with something better and remove the "offending" root? Perhaps I'm not
> objective enough because we actually replaced a small key with a bigger
> one. What's the logic for having a pile of roots which expire in 2010?

I didn't say "expire in 2010".

> Sorry for being slow...can you explain to me the logic of your proposal
> (again)?

I think the key issue is that we don't want users of Mozilla software to be relying on 1024-bit RSA Root Keys too far beyond 2010.

If we were to remove any 1024-bit RSA Root Certificates from Mozilla today, it would be damaging to the CAs (who rely on the good browser ubiquity provided by these Roots).

But, if we instead wait until, say, 2013 to remove those Root Certificates from NSS, some users would still be relying on those 1024-bit Root Keys until nearer 2020 ('cos some users are *very* slow to upgrade their browsers).

I believe that my proposal solves both problems. The CAs' browser ubiquity would not be damaged until such time that Mozilla decides the 1024-bit Keys should no longer be relied on. And in the future, Mozilla users (even with...at that point in time...fairly out-of-date software) would be prevented from relying on 1024-bit RSA Root Keys as soon as the date decided by Mozilla arrives.

> Regards
> Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
> Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
> Blog: Join the Revolution! <http://blog.startcom.org>
> Phone: +1.213.341.0390

--
Rob Stradling
Senior Research & Development Scientist
Comodo - Creating Trust Online
Office Tel: +44.(0)1274.730505
Fax Europe: +44.(0)1274.730909
www.comodo.com

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto