Confirm, administrator
5,526
edits
Changes
→Dates for Phasing out MD5-based signatures and 1024-bit moduli
** This change is being tracked in [https://bugzilla.mozilla.org/show_bug.cgi?id=590364 Bugzilla #590364.]
* '''December 31, 2010''' – All CAs should stop issuing intermediate and end-entity certificates from roots with RSA key sizes size smaller than 2048 bits. All Additionally, CAs with root certificates that have RSA key size smaller than 2048 bits should stop issuing intermediate and end-entity certificates with RSA key size smaller than 2048 bits under any rootfrom those roots.
** [http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-131 DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes:] Key lengths providing 80 bits of security using approved digital signature algorithms are allowed for '''legacy''' use after 2010.
*** This means that CAs should only consider issuing a 1024-bit certificate if it is requested and justified by the subscriber for a specific reason, such as interoperability with devices that do not yet support certificates with larger key sizes.
