On 22/6/09 22:23, Kyle Hamilton wrote:
> Is there an updated request in the queue for O=ABC.ECOM, INC? That one expires 7/9/2009, which is less than a month from now.

Good question.

> Are we going to enforce a 2048-bit root requirement after Dec 31, 2010 (per NIST non-classified recommendation)? If so, we need to get the Digital Signature Trust Co Global CAs to update.

I would vote against following NIST on this. But it would be a reasonable thing to send a message to the appropriate CAs and ask them to consider upgrading.

> The DSTCA X1 and DSTCA X2 CAs (page 3, bottom) have already expired in 2008. Are they going to be removed?

If there is no semantic difference, I guess they should be?

> We've already had discussion why MD5 on the root isn't worrisome or bothersome. I'm assuming that there are no attributes of the certificate which contains the trust anchor which are actually checked, and that the trust-bits are effectively set on the key included in the certificate itself?

The annoying thing is that with MD5 in the cert, NSS can't "get rid of MD5". But, maybe that isn't an issue anyway.

iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto