Confirm, administrator
5,526
edits
Changes
→Dates for Phasing out MD5-based signatures and 1024-bit moduli
** CAs who continue to issue certificates with RSA key size smaller than 2048 bits must use randomness in the serial number or in one of the fields in the DN.
* '''December 31, 2013''' – Mozilla will begin disabling or removing all root certificates with RSA key sizes smaller than 2048 bits. Note that there were some long-lived SSL certs that were issued before this policy was put in place, as long as the Mozilla CA Cert Policy continues to be followed and there is no evidence of breaches regarding these certs, they will be allowed to expire before the root is removed.
Caveats to proposed dates:
# Mozilla will take these actions earlier and at its sole discretion if necessary to keep our users safe.
# CAs may request that their legacy roots be disabled or removed from NSS earlier, according to the [[CA:Root_Change_Process | Root Change Process]]
# There were some long-lived certs that were issued before this policy was put in place; as long as caveat #1 and #2 have not happened and there is no evidence of breaches regarding these certs, these certs may be allowed to expire before the root is removed.
=== Background ===
