[SSL Observatory] Number of CAs

Phillip Hallam-Baker hallam at gmail.com
Thu Dec 8 13:01:10 PST 2011


The number of bits on a root key matters less than might be imagined. It is complex.

First, what NIST said about RSA1024 was to stop using it for confidentiality of stored data. Your email sent under RSA 1024 today will be around for 20 years or more. It is highly unlikely anyone will be able to break that key in ten years, but twenty is a much bigger worry.

The root keys in a particular browser change over time. A given end entity cert can be validated under multiple trust paths. But your browser will only show one. If you have a 1024 bit cert in your browser, it may show it even though there is also a 2048 bit path.


The industry is moving away from short key RSA, the first and most important step being to require 2048 bit keys for ee certs and to deploy 2048 bit roots.

Removing support for the 1024 bit validation path is desirable from a cryptographic security point of view but will break legacy browsers. That is a step that obviously needs to happen before factoring RSA1024 becomes practical, but does not need a twenty year safety margin.

I see no evidence that the current parameters should give cause for concern. I asked Adi Shamir whether faster action was merited at RSA this year and he said not. 

If the situation changes we can revise the strategy and force users to incur the transition costs. But I suspect that a change that forces the security of RSA 1024 to be radically revised is likely to impact longer key lengths as well.


Sent from my iPad

On Dec 8, 2011, at 15:26, Erwann Abalea <eabalea at gmail.com> wrote:

> Good evening Daniel,
> 
> 2011/12/8 Daniel Kahn Gillmor <dkg at fifthhorseman.net>
> On 12/08/2011 02:01 PM, Erwann Abalea wrote:
> > On 8 Dec 2011 19:52, "Daniel Kahn Gillmor" <dkg at fifthhorseman.net>
> > wrote:
> >
> > Other (major) organizations
> >> rely on a CA chain where the ultimate root uses a 1024-bit RSA key
> >> issued 12 years ago and is preposterously claimed to be valid until
> >> 2030. Should i simply refuse to visit the web sites who've made the
> >> decision to use these CAs?
> >
> > Where did you see that? There's no root shorter than 2048bits in the
> > Mozilla trust store.
> 
> gah, i'm screwing up today, the 1024-bit key expires in 2019, not 2030,
> so it's only valid for 9 years after NIST strongly deprecated it, not 20
> years.
> 
> The certificate chain for https://facebook.com/ points to a final issuer of:
> 
> C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by ref. (limits
> liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Secure Server
> Certification Authority
> 
> Strange. Asking with OpenSSL shows a path up to VeriSign (a 2048-bit key). Using Firefox or Safari shows a path up to DigiCert (a 2048-bit key). I'm in France.
>  
> Which is indeed a 1024-bit RSA key with a validity range from May 1999
> to May 2019 (attached, with serial number 927650371 (0x374ad243)).
> 
> You can use it to validate the connection to facebook if you're into
> that sort of thing:
> 
> gnutls-cli --x509cafile Entrust.net_Secure_Server_CA.crt facebook.com
> 
> The CRL embedded in this certificate
> (http://www.entrust.net/CRL/net1.crl) was issued today, and it doesn't
> appear to have revoked itself, so it looks like Entrust is still
> claiming it's still good for use.
> 
> 
> A root can't revoke itself. Trust has to come off-band, and is removed off-band.
>  
> -- 
> Erwann.
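
The multiple-trust-path point made in the message above, as an added example that is not part of the original thread: a small model that enumerates every path from an end-entity certificate to a trust anchor, reports the weakest RSA key on each path, and checks whether the certificate still validates once anchors under 2048 bits are dropped. All certificate names, key sizes and the two trust stores are constructed for illustration; no real X.509 parsing or signature checking is done.

```python
# Added example. Certificates are modelled as (subject, issuer, rsa_bits);
# every name and key size below is constructed, not from a real trust store.
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str
    rsa_bits: int

def trust_paths(leaf, certs, anchors):
    """Return every chain from leaf up to a trust anchor, leaf first."""
    paths = []
    def walk(cert, chain):
        chain = chain + [cert]
        if cert in anchors:              # reached a trusted root
            paths.append(chain)
            return
        for parent in certs:
            # A cross-signed CA shows up as several certs with one subject
            # and different issuers; that is what creates multiple paths.
            if parent.subject == cert.issuer and parent not in chain:
                walk(parent, chain)
    walk(leaf, [])
    return paths

def weakest(path):
    """Smallest RSA modulus size on a path, in bits."""
    return min(c.rsa_bits for c in path)

def survives_removal(leaf, certs, anchors, min_bits=2048):
    """True if leaf still validates after anchors below min_bits are dropped."""
    strong = {a for a in anchors if a.rsa_bits >= min_bits}
    return bool(trust_paths(leaf, certs, strong))

OLD_ROOT = Cert("Example Root 1999", "Example Root 1999", 1024)
NEW_ROOT = Cert("Example Root 2006", "Example Root 2006", 2048)
CERTS = [
    OLD_ROOT, NEW_ROOT,
    Cert("Example Issuing CA", "Example Root 2006", 2048),
    Cert("Example Issuing CA", "Example Root 1999", 2048),  # cross-signed
]
LEAF = Cert("www.example.test", "Example Issuing CA", 2048)
MODERN_STORE = {OLD_ROOT, NEW_ROOT}   # hypothetical current browser
LEGACY_STORE = {OLD_ROOT}             # hypothetical legacy browser

if __name__ == "__main__":
    for p in trust_paths(LEAF, CERTS, MODERN_STORE):
        print(" -> ".join(c.subject for c in p), "| weakest key:", weakest(p))
    print("modern survives:", survives_removal(LEAF, CERTS, MODERN_STORE))
    print("legacy survives:", survives_removal(LEAF, CERTS, LEGACY_STORE))
```

In this model the modern store has two valid paths for the same leaf, one ending at the 1024-bit root, while the legacy store has only the 1024-bit path and loses validation entirely when that anchor is removed.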