Confirm, administrator
5,526
edits
Changes
Created page with '= Dates for Phasing out MD5-based signatures and 1024-bit moduli = High Level Summary of Dates: * '''June 30, 2011''' – Mozilla will stop accepting MD5 as a hash algorithm for…'
= Dates for Phasing out MD5-based signatures and 1024-bit moduli =
High Level Summary of Dates:
* '''June 30, 2011''' – Mozilla will stop accepting MD5 as a hash algorithm for intermediate and end-entity certificates.
* '''December 31, 2010''' – CAs must stop issuing from 1024-bit roots. All CAs must also stop issuing certificates with RSA key size smaller than 2048 under any root.
* '''December 31, 2013''' – Mozilla will disable or remove all 1024-bit root certificates.
Caveats to proposed dates:
# Mozilla will take these actions earlier and at its sole discretion if necessary to keep our users safe.
# CAs may request that their legacy roots be disabled or removed from NSS earlier, according to the [[CA:Root_Change_Process | Root Change Process]]
== Background ==
MD5 certificates may be compromised when attackers can create a fake cert that hashes to the same value as one with a legitimate signature, and is hence trusted. Mozilla can mitigate this potential vulnerability by turning off support for MD5-based signatures. The MD5 root certificates don’t necessarily need to be removed from NSS, because the signatures of root certificates are not validated (roots are self-signed). Disabling MD5 will impact intermediate and end entity certificates, where the signatures are validated.
The relevant CAs have confirmed that they stopped issuing MD5 certificates. However, there are still many end entity certificates that would be impacted if support for MD5-based signatures was turned off today. Therefore, we are hoping to give the affected CAs time to react, and are proposing the date of June 30, 2011 for turning off support for MD5-based signatures. The relevant CAs are aware that Mozilla will turn off MD5 support earlier if needed.
The other concern that needs to be addressed is that of RSA1024 being too small a modulus to be robust against faster computers. Unlike a signature algorithm, where only intermediate and end-entity certificates are impacted, fast math means we have to disable or remove all instances of 1024-bit moduli, including the root certificates.
The NIST recommendation is to discontinue 1024-bit RSA certificates by December 31, 2010. Therefore, CAs have been advised that they should not sign any more certificates under their 1024-bit roots by the end of this year.
The date for disabling/removing 1024-bit root certificates will be dependent on the state of the art in public key cryptography, but under no circumstances should any party expect continued support for this modulus size past December 31, 2013. As mentioned above, this date could get moved up substantially if new attacks are discovered. We recommend all parties involved in secure transactions on the web move away from 1024-bit moduli as soon as possible.
High Level Summary of Dates:
* '''June 30, 2011''' – Mozilla will stop accepting MD5 as a hash algorithm for intermediate and end-entity certificates.
* '''December 31, 2010''' – CAs must stop issuing from 1024-bit roots. All CAs must also stop issuing certificates with RSA key size smaller than 2048 under any root.
* '''December 31, 2013''' – Mozilla will disable or remove all 1024-bit root certificates.
Caveats to proposed dates:
# Mozilla will take these actions earlier and at its sole discretion if necessary to keep our users safe.
# CAs may request that their legacy roots be disabled or removed from NSS earlier, according to the [[CA:Root_Change_Process | Root Change Process]]
== Background ==
MD5 certificates may be compromised when attackers can create a fake cert that hashes to the same value as one with a legitimate signature, and is hence trusted. Mozilla can mitigate this potential vulnerability by turning off support for MD5-based signatures. The MD5 root certificates don’t necessarily need to be removed from NSS, because the signatures of root certificates are not validated (roots are self-signed). Disabling MD5 will impact intermediate and end entity certificates, where the signatures are validated.
The relevant CAs have confirmed that they stopped issuing MD5 certificates. However, there are still many end entity certificates that would be impacted if support for MD5-based signatures was turned off today. Therefore, we are hoping to give the affected CAs time to react, and are proposing the date of June 30, 2011 for turning off support for MD5-based signatures. The relevant CAs are aware that Mozilla will turn off MD5 support earlier if needed.
The other concern that needs to be addressed is that of RSA1024 being too small a modulus to be robust against faster computers. Unlike a signature algorithm, where only intermediate and end-entity certificates are impacted, fast math means we have to disable or remove all instances of 1024-bit moduli, including the root certificates.
The NIST recommendation is to discontinue 1024-bit RSA certificates by December 31, 2010. Therefore, CAs have been advised that they should not sign any more certificates under their 1024-bit roots by the end of this year.
The date for disabling/removing 1024-bit root certificates will be dependent on the state of the art in public key cryptography, but under no circumstances should any party expect continued support for this modulus size past December 31, 2013. As mentioned above, this date could get moved up substantially if new attacks are discovered. We recommend all parties involved in secure transactions on the web move away from 1024-bit moduli as soon as possible.
