6.1.5 Key Sizes - Subscriber #32

lachellel · 2016-11-23T17:57:53Z

Needs to be updated to align with NIST SP 800-131A and FIPS 186-4 AND larger key sizes and dates

Currently, Section 6.1.5 for subscriber certificates states:

(3) Subscriber Certificates

	Validity period ending on or before 31 Dec 2013	Validity period ending after 31 Dec 2013
Digest algorithm	SHA1*, SHA-256, SHA-384 or SHA-512	SHA-1*, SHA-256, SHA-384 or SHA-512
Minimum RSA modulus size (bits)	1024	2048
ECC curve	NIST P-256, P-384, or P-521	NIST P-256, P-384, or P-521
Minimum DSA modulus and divisor size (bits)	L= 2048, N= 224 or L= 2048, N= 256	L= 2048 N= 224 or L= 2048 N= 256

LarryFrank · 2016-11-28T15:13:42Z

Can leave out the 2013 stuff. OBE. And maybe add the post 2030 requirements, as they will come into play soon - specifically for roots...

lachellel · 2016-12-15T16:50:56Z

Remove all SHA-1
Minimum 2048
Allow ECC

LarryFrank · 2016-12-15T16:56:41Z

Remove all SHA-1
Minimum 2048
Allow ECC

Agree - but Roots (assuming 20 years) needs to be at least 3072 (maybe 4096...)

lachellel · 2016-12-15T17:08:15Z

#28 for root

The option on the table is root is 4096

lachellel added NIST Requirement Section 6 labels Nov 23, 2016

lachellel modified the milestone: Section 2 and Section 6: First Draft Iteration Nov 25, 2016

lachellel added a commit that referenced this issue Dec 15, 2016

Section 6.1.5 Key Sizes

ca75298

#28 #29 #32

lachellel closed this as completed Dec 29, 2016

Provide feedback