** This change is being tracked in [https://bugzilla.mozilla.org/show_bug.cgi?id=590364 Bugzilla #590364.]
* '''December 31, 2010''' – CAs should stop issuing intermediate and end-entity certificates from roots with RSA key sizes smaller than 2048 bits. All CAs should stop issuing intermediate and end-entity certificates with RSA key size smaller than 2048 bits under any root.
** Note: [http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-131 DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes:] Key lengths providing 80 bits of security using approved digital signature algorithms are allowed for '''legacy''' use after 2010.** CAs who continue to issue certificates with RSA key size smaller than 2048 bits are strongly advised to use randomness in the serial number or in one of the fields in the DN.
* '''December 31, 2013''' – Mozilla will disable or remove all root certificates with RSA key sizes smaller than 2048 bits.