|
|
@ -2961,7 +2961,9 @@ No limitation is placed on Subscriber key sizes.
|
|
|
|
<p>
|
|
|
|
<p>
|
|
|
|
CAcert X.509 root and intermediate keys are currently 4096 bits.
|
|
|
|
CAcert X.509 root and intermediate keys are currently 4096 bits.
|
|
|
|
X.509 roots use RSA and sign with the SHA-1 message digest algorithm.
|
|
|
|
X.509 roots use RSA and sign with the SHA-1 message digest algorithm.
|
|
|
|
|
|
|
|
Certificates have been signed until 2004 with MD5, since 2005 SHA-1 or better algorithms are used.
|
|
|
|
See <a href="#p4.3.1">§4.3.1</a>.
|
|
|
|
See <a href="#p4.3.1">§4.3.1</a>.
|
|
|
|
|
|
|
|
|
|
|
|
</p>
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
<p>
|
|
|
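Review bot: The added sentence "Certificates have been signed until 2004 with MD5, since 2005 SHA-1 or better algorithms are used." does not say which certificates it covers. It follows "X.509 roots use RSA and sign with the SHA-1 message digest algorithm.", so a reader cannot tell whether it refers to the roots, a sub-root, or Subscriber certificates. "or better" is also too loose for a CPS: name the digest algorithms actually in use. Suggest splitting the comma splice into two sentences, stating the scope explicitly, and saying whether any MD5-signed certificates are still valid and relied upon.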
@ -2974,15 +2976,6 @@ in line with general cryptographic trends,
|
|
|
|
and as supported by major software suppliers.
|
|
|
|
and as supported by major software suppliers.
|
|
|
|
</p>
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
|
|
<ul class="q">
|
|
|
|
|
|
|
|
<li> old Class 3 SubRoot is signed with MD5 </li>
|
|
|
|
|
|
|
|
<li> likely this will clash with future plans of vendors to drop acceptance of MD5</li>
|
|
|
|
|
|
|
|
<li> Is this a concern? </li>
|
|
|
|
|
|
|
|
<li> to users who have these certs, a lot? </li>
|
|
|
|
|
|
|
|
<li> to audit, not much? </li>
|
|
|
|
|
|
|
|
</ul>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<h4><a name="p6.1.6" id="p6.1.6">6.1.6. Public key parameters generation and quality checking</a></h4>
|
|
|
|
<h4><a name="p6.1.6" id="p6.1.6">6.1.6. Public key parameters generation and quality checking</a></h4>
|
|
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
<p>
|
|
|
|
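Review bot: Removing the ul class="q" block deletes the only explicit statement in this section that the "old Class 3 SubRoot is signed with MD5", and the sentence added in the previous hunk does not mention the SubRoot. If the statement still holds, keep it as a normative sentence here rather than dropping it along with the open questions. The item "likely this will clash with future plans of vendors to drop acceptance of MD5" is left unanswered by the visible text; it should be resolved in the section or tracked elsewhere before the list goes away.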