{"id":192,"date":"2012-08-16T05:27:32","date_gmt":"2012-08-16T13:27:32","guid":{"rendered":"http:\/\/unmitigatedrisk.com\/?p=192"},"modified":"2012-08-16T05:30:01","modified_gmt":"2012-08-16T13:30:01","slug":"using-ecc-keys-in-x509-certificates","status":"publish","type":"post","link":"https:\/\/unmitigatedrisk.com\/?p=192","title":{"rendered":"Using ECC keys in X509 certificates"},"content":{"rendered":"

Recently the CAB Forum published a document called the Baseline Requirements for the Issuance and Management of Publicly Trusted Certificates<\/a>.<\/p>\n

This document was authored by both browsers and public CAs and is used by the browser vendors to mandate what minimum technical requirements need to be met for inclusion into their \u201cRoot Programs\u201d.<\/p>\n

One of the changes specified in this document is that subscriber certificates (aka SSL certificates) containing RSA keys must have a bit length of 2048. This is a change for a lot of CAs (GlobalSign had made this change some time ago) one that has implications to server operators.<\/p>\n

Just take a look at the Crypto Plus Plus Benchmarks<\/a> to see how much more expensive 2048 bit RSA. For most users this additional computational cost won\u2019t be an issue but in some cases customers may need to increase the computing power they allocate for SSL establishment.<\/p>\n

But what alternatives do you have? Well there is one, certificates with ECC keys; using these have the potential to significantly decrease the computational costs for SSL<\/a> negotiations (even over your old 1024bit RSA certificate) but they come at a significant penalty \u2013 compatibility.<\/p>\n

ECC was not supported in Windows until VISTA which was released in 2009<\/a>, this basically means 100% of the XP clients out there (around 29% of the browsers on the internet as of July 2012<\/a>) would be unable to establish a session with your website if you switched exclusively to ECC.<\/p>\n

This is important for more than just Internet Explorer users since even Chrome and Safari use CryptoAPI for certificate validation when on Windows.<\/p>\n

This would mean these users would see something like this:<\/p>\n

\"\"<\/a><\/p>\n

 <\/p>\n

That is pretty scary, so how long until we can use this more broadly? It\u2019s hard to say there is a good article titled \u201cThe developers guide to browser adoption rates<\/a>\u201d that sheds some light, that and the historic\u00a0gs.statcounter.com<\/a>\u00a0results. Based on these unless there is a sudden change (which is possible these machines are getting pretty old) I would assume that we have around 4-5 years of XP out there yet.<\/p>\n

Hope this helps,<\/p>\n

Ryan<\/p>\n","protected":false},"excerpt":{"rendered":"

Recently the CAB Forum published a document called the Baseline Requirements for the Issuance and Management of Publicly Trusted Certificates. This document was authored by both browsers and public CAs and is used by the browser vendors to mandate what minimum technical requirements need to be met for inclusion into their \u201cRoot Programs\u201d. One of […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[3,7],"tags":[43,6,42,19],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-security","category-standards","tag-ecc","tag-ssl","tag-tls","tag-x509"],"_links":{"self":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=192"}],"version-history":[{"count":0,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts\/192\/revisions"}],"wp:attachment":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}