62
edits
Changes
m
* '''June 30, 2011''' – Mozilla will stop accepting MD5 as a hash algorithm for intermediate and end-entity certificates. After this date software published by Mozilla will return an error when a certificate with an MD5-based signature is used.
** This change is being tracked in [https://bugzilla.mozilla.org/show_bug.cgi?id=590364 Bugzilla #590364.]
Put dates in chronological order.
High Level Summary of Dates:
* '''December 31, 2010''' – All CAs should stop issuing intermediate and end-entity certificates with RSA key size smaller than 2048 bits. Additionally, CAs with root certificates that have RSA key size smaller than 2048 bits should stop issuing intermediate and end-entity certificates from those roots.
** [http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-131 DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes:] Key lengths providing 80 bits of security using approved digital signature algorithms are allowed for '''legacy''' use after 2010.
*** Under no circumstances should any party expect continued support for RSA key size smaller than 2048 bits past December 31, 2013. This date could get moved up substantially if necessary to keep our users safe. We recommend all parties involved in secure transactions on the web move away from 1024-bit moduli as soon as possible.
** CAs who continue to issue certificates with RSA key size smaller than 2048 bits must use randomness in the serial number or in one of the fields in the DN.
* '''June 30, 2011''' – Mozilla will stop accepting MD5 as a hash algorithm for intermediate and end-entity certificates. After this date software published by Mozilla will return an error when a certificate with an MD5-based signature is used.
** This change is being tracked in [https://bugzilla.mozilla.org/show_bug.cgi?id=590364 Bugzilla #590364.]
* '''December 31, 2013''' – Mozilla will disable or remove all root certificates with RSA key sizes smaller than 2048 bits.
