Re: [apache-ssl] Maximum key pair size



Jonathan Ruano wrote:
> 
> FYI (and if I missed some FAQ about this issue, but I guess I haven't been
> very FAQ'ie with apache-ssl):
> 
> I'm the technical boy of a CA here in Spain (that is, I'm on the machine
> that generates the certificates), and the other day a request came to me
> from a 4096-bit key. It seemed to me that the file was very big, but didn't
> give it importance...
> 
> The certificate process went ok, and I sent it to the requesting party.
> 
> On the server side, there's no problem on accepting that key-certificate
> pair, but several browsers have problems with it. He tried MSIE 3.x, and
> other flavors of Netscape Navigator (AIX, and other unices, don't know
> exactly which).
> 
> Just a note :)

Thank you for that... On a similar note, we recently had a problem with
a cert's key being too small for the server. This was invisible to the
user, and the trusted authority who signed the certificate went ahead
and signed it anyway... This caused all sorts of weird problems, and
only after much investigation was it determined what the problem was. We
still haven't managed to establish how the key came to be the wrong
size, and the process to create such a key deliberately is not one that
is likely to have been followed... 

Anyway, the point for this posting is that if any CAs are listening, it
would be good if you could check that the request's key is of an
appropriate size (assuming that's possible from a CSR)... If not,
another step in the request process to validate the key size maybe?

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House                  
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers
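
The check suggested in the message above, as an added example that is not part of the original post or of Apache-SSL: a PKCS#10 request carries the subject's public key, so a CA can read the RSA modulus length before signing. The sketch uses only the Python standard library; the policy bounds, the function names and the constructed sample request (a placeholder modulus with an empty signature, not a real key) are assumptions.

```python
MIN_BITS, MAX_BITS = 2048, 4096  # assumed policy bounds; set to what your servers and clients accept
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def children(buf, start, end):
    """List the (tag, value_start, value_end) elements inside one constructed value."""
    items = []
    while start < end:
        items.append(read_tlv(buf, start))
        start = items[-1][2]
    return items

def rsa_modulus_bits(der):
    """Walk CertificationRequest -> CertificationRequestInfo -> subjectPKInfo."""
    _, start, end = read_tlv(der, read_tlv(der, 0)[1])
    _, spki_start, spki_end = children(der, start, end)[2]  # version, subject, subjectPKInfo
    alg, key = children(der, spki_start, spki_end)
    _, oid_start, oid_end = children(der, alg[1], alg[2])[0]
    if der[oid_start:oid_end] != RSA_OID:
        raise ValueError("not an RSA key")
    _, start, end = read_tlv(der, key[1] + 1)  # skip the BIT STRING unused-bits byte
    _, mod_start, mod_end = children(der, start, end)[0]
    return int.from_bytes(der[mod_start:mod_end], "big").bit_length()

def key_size_ok(der):
    """Policy check a CA could run before signing; the CSR signature is not verified here."""
    return MIN_BITS <= rsa_modulus_bits(der) <= MAX_BITS

def tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed sample below."""
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_csr(bits):
    """Constructed CSR skeleton: placeholder modulus of the given size, empty signature."""
    der_int = lambda v: tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    rsa = tlv(0x30, der_int((1 << (bits - 1)) | 1) + der_int(65537))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + rsa))
    info = tlv(0x30, der_int(0) + tlv(0x30, b"") + spki + tlv(0xA0, b""))
    return tlv(0x30, info + tlv(0x30, tlv(0x06, RSA_OID)) + tlv(0x03, b"\x00"))
```

A request received as PEM needs its base64 body decoded to DER first, and a real intake step would also verify the request's self-signature before trusting any field in it.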