Dana Keeler (she/her) (use needinfo) (:keeler for reviews) Reporter
	Description • 10 years ago

+++ This bug was initially created as a clone of Bug #1049740 +++

According to Mozilla Policy and the CA/Browser Forum Baseline Requirements, certificates should now have RSA key sizes of RSA 2048 bits are stronger.

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/
"8. We consider the following algorithms and key sizes to be acceptable and supported in Mozilla products: 
... RSA 2048 bits or higher; and
RSA 1024 bits (only until December 31, 2013)."
and
"9. We expect CAs to maintain current best practices to prevent algorithm attacks against certificates. As such, the following steps will be taken: 
... all end-entity certificates with RSA key sizes smaller than 2048 bits must expire by December 31, 2013;
after December 31, 2013, Mozilla will disable or remove all root certificates with RSA key sizes smaller than 2048 bits"

CA/Browser Forum Baseline Requirements, Appendix A:
"Subordinate CA Certificates - Validity period beginning after 31 Dec 2010 or ending after 31 Dec 2013 -
Minimum RSA modulus size (bits) - 2048"
and
"Subscriber Certificates - Validity period ending after 31 Dec 2013 -
Minimum RSA modulus size (bits) - 2048"

So we should start showing the Untrusted Connection error when we encounter certificates in the chain that use less than RSA 2048 signatures.

	Brian Smith (:briansmith, :bsmith, use NEEDINFO?)
	Comment 1 • 10 years ago

The telemetry gathered so far doesn't look good. I think we need to implement bug 657228 first.

	J.C. Jones [:jcj] (he/him)
	Comment 2 • 8 years ago

I think that whenever we eventually proceed with this, we should do it as a pref that we can experiment with via a Shield Study.

(As of Firefox 51's telemetry, 0.29% of auth keys and 3% of key agreement keys are RSA 1024, which makes sense as those are no longer permitted by the Baseline Requirements as of 2013-12-31, so they are rapidly expiring.)