Security/Features/Certs Disallow Weak Keys

From MozillaWiki
Jump to: navigation, search
Please use "Edit with form" above to edit this page.


Disallow Weak RSA Keys
Stage Draft
Status `
Release target `
Health OK
Status note `


Product manager Sid Stamm
Directly Responsible Individual `
Lead engineer `
Security lead `
Privacy lead `
Localization lead `
Accessibility lead `
QA lead `
UX lead `
Product marketing lead `
Operations lead `
Additional members Kathleen Wilson

Open issues/risks

Need to pick a release in which we plan to disallow weak keys, so we can start communications.

Stage 1: Definition

1. Feature overview

RSA keys < 2048 bits should be considered invalid for SSL certificates. They're easy to break and we should treat certs with these weak keys as invalid.

Since 2010 we have been communicating to CAs about CA:MD5and1024 which says: "Under no circumstances should any party expect continued support for RSA key size smaller than 2048 bits past December 31, 2013."

See also:

2. Users & use cases

Make the web safer. Kill weak keys.

3. Dependencies


4. Requirements

We should plan for which release the change will go in, and announce it well ahead of time, which means picking a release and moving from there.



Stage 2: Design

5. Functional specification


6. User experience design


Stage 3: Planning

7. Implementation plan

  1. Pick a release
  2. Implement and test the enforcement
  3. land it

8. Reviews

Security review


Privacy review


Localization review




Quality Assurance review


Operations review


Stage 4: Development

9. Implementation


Stage 5: Release

10. Landing criteria


Feature details

Priority P2
Rank 999
Theme / Goal Product Hardening
Roadmap Security
Secondary roadmap `
Feature list `
Project `
Engineering team Security

Team status notes

  status notes
Products ` `
Engineering ` `
Security ` `
Privacy ` `
Localization ` `
Accessibility ` `
Quality assurance ` `
User experience ` `
Product marketing ` `
Operations ` ` "In terms of key lengths, perhaps surprisingly, we find that the proportion of signed certificates with 1024-bit keys actually went up from 4.3% (plus 117 intermediate CAs) to 5.2% (plus 2 intermediate CAs) between the two periods. For endpoint and intermediate CA certificates, 1024-bit keys are allowed by the CA/Browser Forum if they expire before 2014. Checking this requirement, the percentage of violations among endpoint certificates is in fact going down slightly from 0.57% to 0.53%. Investigating further, we found that the main providers of 1024-bit keys (Google, Akamai, and Servision) are issuing only short lifespan certificates and seem to be in the process of moving to 2048-bit keys.

Our code still allows certs with 512-bit RSA keys...