On Fri, 2016-08-19 at 15:20 +0200, Kai Engert wrote:
> It's not as simple as that. The suggested change doesn't mean that our
> software will block any CAs with 1024 bit.

This sentence wasn't sufficiently precise.

Although for some server certificates it's possible to find a chain of trust to
one of the old 1024-bit roots, that doesn't mean that these server certificates
will be blocked.

Instead, our software has already been fixed to find the alternative chain of
trust to the replacement root CAs.

That means that, despite no longer trusting these 1024-bit root CAs, all issued
certificates that are still intended to be valid will be treated as valid by
our software, because it can find the path to the alternative, stronger root
CAs.

server          intermediate                         / old 1024-bit root CA
certificate ->  CA certificate -> points to either  -
                                                     \ new stronger root CA

Kai
--
devel mailing list
[email protected]
https://lists.fedoraproject.org/admin/lists/[email protected]
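The mechanism Kai describes, an intermediate CA whose key is certified by both the old root and the new root, so that a path builder can reach the new root once the old one is dropped from the store, modelled in Python as an added example. This is not code from NSS, Fedora or the thread: the CA names and key identifiers are hypothetical, and the signature check is a stand-in that compares issuer name and key identifier instead of verifying a real signature. It contrasts a naive builder that follows the first matching issuer with a backtracking builder that tries every candidate issuer, which is what is needed to find the alternative chain.

```python
"""Toy model of X.509 path building across a cross-signed intermediate.

Added illustration, not project code. 'Signature verification' is modelled
as an issuer-name and key-identifier match; real code verifies signatures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str         # Subject name
    issuer: str          # Issuer name
    key_id: str          # Identifies the subject's public key (SKI)
    signer_key_id: str   # Key that signed this certificate (AKI)
    key_bits: int        # Modulus size of the subject key


def verify_signature(cert: Cert, issuer: Cert) -> bool:
    """Stand-in for a signature check (assumption, see module docstring)."""
    return cert.issuer == issuer.subject and cert.signer_key_id == issuer.key_id


# Hypothetical PKI, constructed for the example.
OLD_ROOT = Cert("Old Root CA", "Old Root CA", "k-old", "k-old", 1024)
NEW_ROOT = Cert("New Root CA", "New Root CA", "k-new", "k-new", 4096)
# Two certificates for the SAME intermediate key, one issued by each root.
# This is what "points to either root" in the diagram amounts to in practice.
INTER_VIA_OLD = Cert("Intermediate CA", "Old Root CA", "k-int", "k-old", 2048)
INTER_VIA_NEW = Cert("Intermediate CA", "New Root CA", "k-int", "k-new", 2048)
LEAF = Cert("www.example.com", "Intermediate CA", "k-leaf", "k-int", 2048)


def naive_chain(leaf, pool, anchors):
    """Follow the first matching issuer with no backtracking.

    Returns the chain (leaf first, trust anchor last) or None when the walk
    dead-ends. The order of 'pool' (what the server sent) decides the result.
    """
    chain = [leaf]
    while chain[-1] not in anchors:
        nxt = next((c for c in pool + anchors
                    if c not in chain and verify_signature(chain[-1], c)), None)
        if nxt is None:
            return None
        chain.append(nxt)
    return chain


def find_chains(leaf, pool, anchors):
    """Depth-first path building that tries every candidate issuer.

    Returns every chain from 'leaf' to a trust anchor in 'anchors', using the
    certificates in 'pool' as intermediates. Loops are cut by refusing to
    revisit a certificate already on the current chain.
    """
    chains = []

    def walk(cert, chain):
        for cand in pool + anchors:
            if cand in chain or not verify_signature(cert, cand):
                continue
            if cand in anchors:
                chains.append(chain + [cand])
            else:
                walk(cand, chain + [cand])

    walk(leaf, [leaf])
    return chains


def describe(chain):
    """Render a chain as 'subject (bits)' entries for printing."""
    return " -> ".join(f"{c.subject} ({c.key_bits})" for c in chain)


if __name__ == "__main__":
    sent_by_server = [INTER_VIA_OLD, INTER_VIA_NEW]   # old one listed first
    store_before = [OLD_ROOT, NEW_ROOT]              # 1024-bit root still trusted
    store_after = [NEW_ROOT]                         # 1024-bit root removed

    print("naive, before:", describe(naive_chain(LEAF, sent_by_server, store_before)))
    print("naive, after: ", naive_chain(LEAF, sent_by_server, store_after))
    for chain in find_chains(LEAF, sent_by_server, store_after):
        print("backtracking, after:", describe(chain))
```

With the old root still in the store both builders succeed, but the naive walk ends at the 1024-bit root simply because that intermediate was listed first. With the old root removed, the naive walk returns None, while the backtracking builder still finds www.example.com -> Intermediate CA -> New Root CA. That is the behaviour the message refers to when it says the software was fixed to find the alternative chain.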