6.1.5 Key Sizes - Root CA #28

Closed
lachellel opened this issue Nov 23, 2016 · 2 comments

Comments

@lachellel

Needs to be updated to align with NIST SP 800-131A and FIPS 186-4 AND larger key size for the root (minimum 4096)

Currently in Section 6.1.5

(1) Root CA Certificates

| | Validity period beginning on or before 31 Dec 2010 | Validity period beginning after 31 Dec 2010 |
|---|---|---|
| Digest algorithm | MD5 (NOT RECOMMENDED), SHA-1, SHA-256, SHA-384 or SHA-512 | SHA-1*, SHA-256, SHA-384 or SHA-512 |
| Minimum RSA modulus size (bits) | 2048** | 2048 |
| ECC curve | NIST P-256, P-384, or P-521 | NIST P-256, P-384, or P-521 |
| Minimum DSA modulus and divisor size (bits)*** | L= 2048 N= 224 or L= 2048 N= 256 | L= 2048 N= 224 or L= 2048 N= 256 |

@lachellel modified the milestone: Section 2 and Section 6: First Draft Iteration Nov 25, 2016

@LarryFrank

My comment on 4096 under subordinate CAs applies here (probably more appropriately than where I made it...)

Recommend dropping the before 2010 col and drop "SHA-1*" from the after col. as both are OBE and neither conforms to the CA/B requirements.

@lachellel

  • Min Modulus size = 4096

  • Remove all SHA-1 references

  • ECC - P-256, P-384 and P-521 - do we restrict and remove P-256?
