Security/Features/Certs Disallow Weak Keys
|Disallow Weak RSA Keys|
|Product manager||Sid Stamm|
|Directly Responsible Individual||`|
|Product marketing lead||`|
|Additional members||Kathleen Wilson|
Need to pick a release in which we plan to disallow weak keys, so we can start communications.
Stage 1: Definition
1. Feature overview
RSA keys < 2048 bits should be considered invalid for SSL certificates. They're easy to break and we should treat certs with these weak keys as invalid.
Since 2010 we have been communicating to CAs about CA:MD5and1024 which says: "Under no circumstances should any party expect continued support for RSA key size smaller than 2048 bits past December 31, 2013."
2. Users & use cases
Make the web safer. Kill weak keys.
We should plan for which release the change will go in, and announce it well ahead of time, which means picking a release and moving from there.
Stage 2: Design
5. Functional specification
6. User experience design
Stage 3: Planning
7. Implementation plan
- Pick a release
- Implement and test the enforcement
- land it
Quality Assurance review
Stage 4: Development
Stage 5: Release
10. Landing criteria
|Theme / Goal||Product Hardening|
Team status notes
http://research.microsoft.com/pubs/206278/ndss.pdf: "In terms of key lengths, perhaps surprisingly, we find that the proportion of signed certificates with 1024-bit keys actually went up from 4.3% (plus 117 intermediate CAs) to 5.2% (plus 2 intermediate CAs) between the two periods. For endpoint and intermediate CA certificates, 1024-bit keys are allowed by the CA/Browser Forum if they expire before 2014. Checking this requirement, the percentage of violations among endpoint certificates is in fact going down slightly from 0.57% to 0.53%. Investigating further, we found that the main providers of 1024-bit keys (Google, Akamai, and Servision) are issuing only short lifespan certificates and seem to be in the process of moving to 2048-bit keys.
Our code still allows certs with 512-bit RSA keys...
- Related bugs: bug 360126, bug 134735, bug 623265 bug 622859
- press about 512-bit RSA keys -- "The latest versions of Safari ..., Opera, Google Chrome, and Internet Explorer ... Notably, Mozilla Firefox does not yet reject such certificates."
- 512bit certs have been maliciously used.
- Chrome and Apple also previously disallowed certs < 1024 bits.
- Microsoft software update to be released in October 2012 will block the use of cryptographic keys that are less than 1024 bits.
- CAs have confirmed that they are no longer issuing certs less than 1023 bits.
- bug 360126#c10 - rejecting < 1024 is fine.
- bug 360126#c16: NSS has SSL_GetChannelInfo function to enable apps to get and display information about cert key strengths. Also see bug 587234