letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

small docs change: minimum key size (#5158) 

Implementation Details now mentions minimum RSA key size and
links to the official LetsEncrypt announcement for supporting a limited set
of key sizes.
This commit is contained in:
Jonathan Vanasco 2020-10-29 15:14:27 -04:00 committed by GitHub
parent cd3a06b76c
commit 00522861dc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
docs/acme-implementation_details.md
View File

@ -12,10 +12,11 @@ ACME Servers, including the [Pebble](https://github.com/letsencrypt/pebble)
test server. test server.
The following items are a partial listing of RFC-conformant design decisions The following items are a partial listing of RFC-conformant design decisions
Boulder has made. This listing is not complete, and is based on known details Boulder and/or LetsEncrypt have made. This listing is not complete, and is
which have caused issues for developers in the past. This listing may not based on known details which have caused issues for developers in the past. This
reflect the current status of Boulder or the configuration of LetsEncrypt's listing may not reflect the current status of Boulder or the configuration of
production instance and is provided only as a reference for client developers. LetsEncrypt's production instance and is provided only as a reference for client
developers.
Please note: these design implementation decisions are fully conformant with the Please note: these design implementation decisions are fully conformant with the
RFC specification and are not RFC specification and are not
@ -58,12 +59,18 @@ extension, and will reject a CSR if a domain specified in the `commonName` is
not present in the `subjectAltName`. Additionally, usage of the `commonName` not present in the `subjectAltName`. Additionally, usage of the `commonName`
was previously deprecated by the CA/B Forum and in earlier RFCs. was previously deprecated by the CA/B Forum and in earlier RFCs.
For more information on this see [Pebble Issue #304](https://github.com/letsencrypt/pebble/issues/304) and For more information on this see [Pebble Issue #304](https://github.com/letsencrypt/pebble/issues/304)
[Pebble Issue #233] https://github.com/letsencrypt/pebble/issues/233 and [Pebble Issue #233](https://github.com/letsencrypt/pebble/issues/233).
## RSA Key Size
The ACME specification is silent as to minimum key size.
The [CA/Browser Forum](https://cabforum.org/) sets the key size requirements
which LetsEncrypt adheres to.
Effective 2020-09-17, LetsEncrypt further requires all RSA keys for end-entity
(leaf) certificates have a modulus of length 2048, 3072, or 4096. Other CAs may
or may not have the same restricted set of supported RSA key sizes.
For more information
[read the Official Announcement](https://community.letsencrypt.org/t/issuing-for-common-rsa-key-sizes-only/133839).