Last summer I posted a blog about the move 2048-bit RSA keys in SSL certificates. While I was drafting my post, NIST was working on a new Special Publication. This document, just released as NIST SP 800-131A, allows a transition period to from 1024-bit to 2048-bit RSA keys. In the period of 1 January 2011 through 31 December 2013, 1024-bit keys are allowed, but their use is deprecated. In response, the industry has adjusted its policies and practices on key sizes, for example:
- December 31, 2010 – All CAs should stop issuing intermediate and end-entity certificates with RSA key size smaller than 2048 bits. Additionally, CAs with root certificates that have RSA key size smaller than 2048 bits should stop issuing intermediate and end-entity certificates from those roots. (Note those should words used to say must.)
- Key lengths providing 80 bits of security using approved digital signature algorithms are allowed for legacy use after 2010.
- This means that CAs should only consider issuing a 1024-bit certificate if it is requested and justified by the subscriber for a specific reason, such as interoperability with devices that do not yet support certificates with larger key sizes.
- The CA must assess the risk involved in issuing such a certificate for legacy use/interoperability, and determine if they are willing to accept the risk, as well as any possible liability. The subject and relying parties also need to determine if they will accept any risks and liabilities.
- All end-entity certificates with RSA key size smaller than 2048 bits must expire by the end of 2013.
- We based our technical requirement for migrating away from 1024-bit RSA certificates on NIST Guidance, and NIST updated it with 800-131
- In general this means that CAs should continue to deploy stronger key length certificates, and the vast majority of CAs have already migrated to 2048-bit RSA in most scenarios; but if they must continue to issue 1024-bit RSA end-entity certificates in certain contexts (e.g. hardware, smart cards, and other devices in capable of accepting longer key lengths), those certificates should be considered “deprecated” or “restricted” according to the use of those terms, defined in the NIST document.
- In any event, end-entity 1024-bit certificates should not expire after December 31, 2013.
Entrust has adjusted its policies and practices as well. Although 1024-bit RSA keys are highly restricted, Entrust will issue non-EV SSL certificates with 1024-bit RSA keys to a maximum validity of 31 December 2013 in support of inter-operability and backwards compatibility issues. All other certificates will continue to have a minimum key size of 2048-bit RSA.